Quantifying Security to Advance Resilience
ASLR: How Robust is the Randomness?
Jonathan Ganz

What is Address Space Layout Randomization?
● A System-Level Mitigation: Applied by the OS to Every Process, Not Compiled into Each Program
● Adds Random Memory Offsets to Binaries (Stack, Heap, Libraries and, with PIE, the Executable) on Each exec()
● Makes Buffer Overflows Harder to Exploit: the Attacker No Longer Knows Where Code and Data Live
⚫ Does Not Remove the Vulnerability; Only Makes Exploiting It Unreliable
⚫ Strength of ASLR Depends on the Entropy of the Offsets
What are Buffer Overflows?
[Figure: stack-based buffer overflow diagram; image credit https://www.securitysift.com/windows-exploit-development-part-2-intro-stack-overflow/]

Why Attackers Perform Buffer Overflows
[Figure: a stack buffer filled past its end with "A" bytes; the trailing input bytes "QRST" show where attacker-controlled data has overwritten control data beyond the buffer, such as the saved return address]

Why We Use ASLR
● Organizations Often Rely on Third-Party Software
● This Software May Be Vulnerable & Closed-Source
● Extra Hardening Features May Not Be Available Because of:
  ⚫ CPU Power
  ⚫ Thermal Design Power
  ⚫ Licensing / Cost
  ⚫ Architecture Compatibility
Motivation
● We Rely on Certain Security Features
● How Reliable are these Features?
● How Much Defense Does ASLR Provide?
● Remote Security Evaluation
ASLR Experiment
● Measure Entropy of ASLR Implementations
● Develop Buffer-Overflow-Vulnerable Program
● Develop Attack Program (Inspired by Blind-ROP)
● Evaluate Multiple Operating Systems
  ⚫ Debian, OpenBSD, HardenedBSD
  ⚫ 32-bit and 64-bit Architectures
● Perform Hundreds of Measurements
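The measurement step above, as an added example that is not part of the deck or the presenter's own tooling: a C harness that re-executes itself NSAMPLES (1000 here) times, records a stack, heap, libc and executable address from each fresh process, and reports how many bits of each address ever change, plus any varying bit whose set-fraction is noticeably off 1/2. The region names, the sample count and the /proc/self/exe re-exec are this example's assumptions (Linux); it does fork()+exec() rather than fork() alone because a forked child inherits its parent's layout and only exec() draws new offsets.

```c
/* Added example (not the presenter's code): estimate how many address bits an
 * OS's ASLR really randomizes per region by re-executing this program NSAMPLES
 * times. A fork()ed child inherits its parent's layout; only exec() draws new
 * offsets. Linux-specific (/proc/self/exe); region names are this example's. */
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define NREGIONS 4
#define NSAMPLES 1000   /* the deck's "hundreds of measurements" */
static const char *region_name[NREGIONS] = { "stack", "heap", "libc", "exe" };

/* Bits that change at least once across the samples: an upper bound on the
 * region's entropy, since a bit that never flips contributes nothing. */
int varying_bits(const uintptr_t *samples, size_t n)
{
    uintptr_t mask = 0;
    for (size_t i = 1; i < n; i++) mask |= samples[i] ^ samples[0];
    int bits = 0;
    for (; mask; mask >>= 1) bits += (int)(mask & 1u);
    return bits;
}

/* Fraction of samples with `bit` set. A uniform bit sits near 0.5; a strongly
 * biased bit carries less than the full bit varying_bits() credits it with. */
double bit_set_fraction(const uintptr_t *samples, size_t n, int bit)
{
    size_t set = 0;
    for (size_t i = 0; i < n; i++) set += (samples[i] >> bit) & 1u;
    return n ? (double)set / (double)n : 0.0;
}

/* Probe mode: a freshly exec'd process prints one address per region. */
static int probe_main(void)
{
    volatile int on_stack = 0;
    void *on_heap = malloc(64);
    printf("%lx %lx %lx %lx\n", (unsigned long)(uintptr_t)&on_stack,
           (unsigned long)(uintptr_t)on_heap,
           (unsigned long)(uintptr_t)printf,      /* libc if PIE; PLT stub if not */
           (unsigned long)(uintptr_t)probe_main); /* the executable's own text */
    free(on_heap);
    return 0;
}

/* Spawn one fresh process in probe mode and parse its addresses; 0 on success. */
static int sample_once(uintptr_t out[NREGIONS])
{
    int fd[2];
    if (pipe(fd) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        dup2(fd[1], STDOUT_FILENO);
        close(fd[0]); close(fd[1]);
        char *args[] = { "aslr-probe", "--probe", NULL };
        execv("/proc/self/exe", args);   /* exec, not just fork: fresh layout */
        _exit(127);
    }
    close(fd[1]);
    char line[128] = { 0 };
    ssize_t r = read(fd[0], line, sizeof line - 1);
    close(fd[0]);
    waitpid(pid, NULL, 0);
    unsigned long v[NREGIONS];
    if (r <= 0 || sscanf(line, "%lx %lx %lx %lx", &v[0], &v[1], &v[2], &v[3]) != NREGIONS)
        return -1;
    for (int i = 0; i < NREGIONS; i++) out[i] = (uintptr_t)v[i];
    return 0;
}

int main(int argc, char **argv)
{
    if (argc > 1 && strcmp(argv[1], "--probe") == 0) return probe_main();
    static uintptr_t samples[NREGIONS][NSAMPLES];
    size_t n = 0;
    for (; n < NSAMPLES; n++) {
        uintptr_t row[NREGIONS];
        if (sample_once(row) != 0) break;
        for (int i = 0; i < NREGIONS; i++) samples[i][n] = row[i];
    }
    printf("%zu samples\n", n);
    for (int i = 0; i < NREGIONS; i++) {
        printf("%-5s: %2d varying bits", region_name[i], varying_bits(samples[i], n));
        for (int b = 0; b < (int)(8 * sizeof(uintptr_t)); b++) {   /* flag biased bits */
            double f = bit_set_fraction(samples[i], n, b);
            if (f > 0.0 && f < 1.0 && (f < 0.35 || f > 0.65))
                printf(" [bit %d biased: %.2f]", b, f);
        }
        putchar('\n');
    }
    return n == NSAMPLES ? 0 : 1;
}
```

Build with `cc -o aslr-probe aslr-probe.c`, run it with no arguments, and compare each region's count against the vendor's claimed figure. Two caveats matter for a claimed-versus-measured comparison: the count is an upper bound (a bit that flips but is heavily biased still counts as one, which is why biased bits are flagged), and regions randomized from a shared offset contribute their bits only once in total, which a per-region count cannot see.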
ASLR Assumption
● 64-bit Operating Systems Represent Memory with More Bits than their 32-bit Variants
● The 64-bit Versions Have More Bits Available to Manipulate Through ASLR
● 64-bit Implementations of ASLR Should Therefore Provide More Entropy than 32-bit Implementations
Claims of Entropy Provided by ASLR

  OS / architecture      Entropy claimed
  64-bit HardenedBSD     30 bits
  64-bit Debian          28 bits
  64-bit OpenBSD         25 bits
  32-bit Debian          24 bits
  32-bit OpenBSD         16 bits
  32-bit HardenedBSD     14 bits
Vulnerable Network Service
[Figure: a Client sends a Request to the Server; the Server fork()s a Child that handles the request]
Attacking the Vulnerable Service
[Figure: the attacker sends an attack string (AtkStr) to the forked child and classifies the outcome: Running? Crashed? Target Function?]

Attack Strategy (animated over several slides in the original deck)
● Grow the attack string one byte at a time and watch what happens to the child.
● Bytes that land inside the buffer are harmless, whatever their value:
  [0] ✔ Running
  [0][0] ✔ Running
  [0][0][0] ✔
  ...
  [0][0][0]....[0] ✔
● The first byte past the buffer overwrites a saved value; the child survives only when the overwritten byte equals the original:
  [0][0][0]....[0][0] ✘
  [0][0][0]....[0][1] ✘
  [0][0][0]....[0][2] ✘
  ...
  [0][0][0]....[0][137] ✔
● Fix the recovered byte and repeat for the next position:
  [0][0][0]....[0][137][0] ✘
  [0][0][0]....[0][137][1] ✘
  ...
  [0][0][0]....[0][137][14][213][57] ✔
● Recovered value: [137][14][213][57]
● This works because each request is served by a fork() of the same server process: every child inherits the same randomized layout, so the value is found in at most 256 guesses per byte instead of 256^n for n bytes.
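The byte-by-byte search above, as an added example (not the presenter's attack program): the forking "server" and the value it protects are simulated, and the child reports "still running" or "crashed" through its exit status instead of really segfaulting, so the demo is deterministic and dumps no cores. Everything else, including the fork() argument and the 256-per-byte cost, is the technique the slides animate; the struct and function names are this example's own.

```c
/* Added example (not the presenter's attack program): recover a randomized
 * value behind a forking service one byte at a time, the Blind-ROP-style
 * search the slides animate. The service and its secret are simulated, and the
 * child reports "still running" or "crashed" through its exit status instead of
 * really segfaulting, so the demo is deterministic and dumps no cores. */
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

#define SECRET_LEN 4   /* e.g. the low four bytes of a saved return address */

/* State every forked child inherits. In the real service this is the stack
 * layout the parent drew at exec() time (saved return address, canary, ...). */
struct server {
    uint8_t secret[SECRET_LEN];
};

/* One request: fork a child and let it "handle" an attack string whose first
 * `len` bytes past the buffer are `guess`. The child survives only if the bytes
 * it inherited are overwritten with the same values. Returns 1 if it survived. */
static int probe(const struct server *srv, const uint8_t *guess, size_t len)
{
    pid_t pid = fork();
    if (pid < 0) { perror("fork"); exit(1); }
    if (pid == 0) _exit(memcmp(srv->secret, guess, len) == 0 ? 0 : 1);
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) { perror("waitpid"); exit(1); }
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

/* Leak `len` bytes of the inherited value into `out`, fixing one byte per round.
 * Because every child is a fork() of the same parent, the secret is identical
 * for every request, so the cost is at most 256*len requests, not 256^len.
 * Returns the number of requests sent, or -1 if no byte survived at a position. */
long leak_secret(const struct server *srv, uint8_t *out, size_t len)
{
    long requests = 0;
    for (size_t pos = 0; pos < len; pos++) {
        int found = 0;
        for (int b = 0; b < 256 && !found; b++) {
            out[pos] = (uint8_t)b;
            requests++;
            found = probe(srv, out, pos + 1);
        }
        if (!found) return -1;
    }
    return requests;
}

/* Print bytes in the deck's [137][14][213][57] notation. */
static void print_bytes(const char *label, const uint8_t *p, size_t len)
{
    printf("%s", label);
    for (size_t i = 0; i < len; i++) printf("[%u]", p[i]);
    putchar('\n');
}

int main(void)
{
    struct server srv;
    srand((unsigned)time(NULL));   /* stand-in for the OS drawing a random layout */
    for (size_t i = 0; i < SECRET_LEN; i++) srv.secret[i] = (uint8_t)rand();

    uint8_t leaked[SECRET_LEN] = { 0 };
    long n = leak_secret(&srv, leaked, SECRET_LEN);
    print_bytes("secret: ", srv.secret, SECRET_LEN);
    print_bytes("leaked: ", leaked, SECRET_LEN);
    printf("requests: %ld (worst case 256*%d = %d; blind brute force would be 256^%d)\n",
           n, SECRET_LEN, 256 * SECRET_LEN, SECRET_LEN);
    return memcmp(srv.secret, leaked, SECRET_LEN) == 0 ? 0 : 1;
}
```

Against a real service the oracle is the connection itself: it stays open (running), resets (the child crashed), or shows the side effect of the target function. The search collapses as soon as the service re-randomizes between requests (exec per connection, or a restart), which is exactly why the amount of entropy the OS provides, not just the presence of ASLR, sets the cost of the attack.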
ASLR Results
[Figures: one results plot per system, shown in two passes: 32-bit HardenedBSD, 32-bit OpenBSD, 64-bit OpenBSD, 32-bit Debian Linux, 64-bit HardenedBSD, 64-bit Debian Linux]
ASLR Results - Effective Entropy

  OS / architecture      Claimed    Measured
  64-bit Debian          28 bits    28 bits
  64-bit HardenedBSD     30 bits    25 bits
  32-bit Debian          24 bits    20 bits
  64-bit OpenBSD         25 bits    15 bits
  32-bit OpenBSD         16 bits    15 bits
  32-bit HardenedBSD     14 bits     8 bits
Evaluation
● Debian ASLR Has the Most Measured Entropy, in Both the 32-bit and 64-bit Groups
● 32-bit HardenedBSD ASLR Has the Least Entropy (8 Bits Measured)
● Operating Systems Often Provide Less Entropy than Claimed
● The 64-bit Assumption Does Not Always Hold: 64-bit OpenBSD Measured 15 Bits, No More than 32-bit OpenBSD
● We Must Perform Independent Tests of Security
● Evaluation Can Be Performed on More OSes
Limitations
● Small Set of Operating Systems Tested
  ❌ Windows
  ❌ macOS
  ❌ Android
  ❌ iOS
● Source Code Was Not Examined (Black-Box Measurement Only)
Related Work
● “A Study of MAC Address Randomization in Mobile Devices and When it Fails” - Martin et al.
● “Techniques for the Dynamic Randomization of Network Attributes” - Chavez et al.
Conclusion
● Strength of Security Features Should Be Verified
● More Analysis Reveals Existing Limitations
● This Work Looks at Only One Defense Mechanism
● We Need More Quantitative Security Metrics
Questions?

Security Research
● Malicious Media Sanitization
● Performance Analysis of Network Monitors
● Electronic Voting System Security Evaluation
● Multipath Routing Recovery Delay
www.jonganz.com