
Quantifying Security to Advance Resilience

ASLR: How Robust is the ?

Jonathan Ganz

What is Address Space Layout Randomization?

● Provides System-Level Control-Flow Integrity
● Adds Random Memory Offsets to Binaries
● Makes Buffer Overflows Harder to Exploit
● Does Not Completely Remove Vulnerability
● Strength of ASLR Depends on Entropy of Offsets

2 What are Buffer Overflows?

3 Why Attackers Perform Buffer Overflows

https://www.securitysift.com/windows-exploit-development-part-2-intro-stack-overflow/

[Figure: buffer filled with "A" bytes, ending in "QRST"]

4 Why We Use ASLR

● Organizations Often Rely on Third-Party Software
● This Software May Be Vulnerable & Closed-Source
● Extra Hardening Features May Not Be Available
  ⚫ CPU Power
  ⚫ Thermal Design Power
  ⚫ Licensing / Cost
  ⚫ Architecture Compatibility

5 Motivation

● We Rely on Certain Security Features
● How Reliable are these Features?
● How Much Defense Does ASLR Provide?
● Remote Security Evaluation

6 ASLR Experiment

● Measure Entropy of ASLR Implementations
● Develop Buffer-Overflow-Vulnerable Program
● Develop Attack Program (Inspired by Blind-ROP)
● Evaluate Multiple Operating Systems
  ⚫ , OpenBSD, HardenedBSD
  ⚫ 32-bit and 64-bit Architectures
● Perform Hundreds of Measurements

7 ASLR Assumption

● 64-bit Operating Systems Represent Memory with More Bits than their 32-bit Variants
● The 64-bit Versions Have More Bits Available to Manipulate Through ASLR
● 64-bit Implementations of ASLR Should Provide More Entropy than 32-bit Implementations

8 Claims of Entropy Provided by ASLR

Operating System      Entropy Claimed
64-bit HardenedBSD    30 bits
64-bit Debian         28 bits
64-bit OpenBSD        25 bits
32-bit Debian         24 bits
32-bit OpenBSD        16 bits
32-bit HardenedBSD    14 bits

9 Vulnerable Network Service

[Diagram: the Client sends a Request to the Server, which fork()s a Child to handle it]

10 Attacking the Vulnerable Service

[Diagram: an attack string (AtkStr) is sent to the service and the outcome is classified as Running?, Crashed?, or Target Function?]

11 Attack Strategy

(Slides 11 to 30 build this figure up one step at a time; the completed figure is shown once here.)

Each guess appends one byte to the attack string. ✔ marks a guess after which the service is still Running, ✘ marks a guess that Crashed it.

✔ [0]
✔ [0][0]
✔ [0][0][0]
  .
✔ .
✔ [0][0][0]....[0]
✘ [0][0][0]....[0][0]
✘ [0][0][0]....[0][1]
✘ [0][0][0]....[0][2]
  .
✘ .
✔ [0][0][0]....[0][137]
✘ [0][0][0]....[0][137][0]
✘ [0][0][0]....[0][137][1]
  .
✘ .
✔ [0][0][0]....[0][137][14][213][57]

31 ASLR Results - 32-bit HardenedBSD

32 ASLR Results - 32-bit OpenBSD

33 ASLR Results - 64-bit OpenBSD

34 ASLR Results - 32-bit Debian

35 ASLR Results - 64-bit HardenedBSD

36 ASLR Results - 64-bit Debian Linux

37 ASLR Results - 32-bit HardenedBSD

38 ASLR Results - 32-bit OpenBSD

39 ASLR Results - 64-bit OpenBSD

40 ASLR Results - 32-bit Debian Linux

41 ASLR Results - 64-bit HardenedBSD

42 ASLR Results - 64-bit Debian Linux

43 ASLR Results - Effective Entropy

Operating System      Claimed    Measured
64-bit Debian         28 bits    28 bits
64-bit HardenedBSD    30 bits    25 bits
32-bit Debian         24 bits    20 bits
64-bit OpenBSD        25 bits    15 bits
32-bit OpenBSD        16 bits    15 bits
32-bit HardenedBSD    14 bits     8 bits
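One way to turn the "Hundreds of Measurements" of the experiment slide into the Claimed vs Measured comparison above, as an added example and not the talk's own code: the script counts which address bits actually vary across a set of observed load addresses (the measured entropy) and reports how biased each varying bit is. The sample addresses, PAGE_SHIFT = 12 and the function names are assumptions; a real run would substitute addresses observed from the target process.

```python
"""Estimate how many bits an ASLR implementation really randomizes from a set
of observed load addresses (the talk's 'Measured' column).  Added example, not
code from the talk: the samples here are constructed so the script runs offline."""
import random

PAGE_SHIFT = 12  # 4 KiB pages: the low 12 bits of a mapping never vary


def varying_bits(addresses):
    """Bit positions that differ across the samples.  A bit that is identical
    in every sample (always 0 or always 1) is not being randomized, however
    wide the address is, so the count of varying bits bounds the entropy."""
    all_or, all_and = 0, ~0
    for a in addresses:
        all_or |= a
        all_and &= a
    differing = all_or & ~all_and
    return [b for b in range(differing.bit_length()) if differing >> b & 1]


def bit_bias(addresses):
    """Fraction of samples in which each varying bit is set: a fairly
    randomized bit sits near 0.5, a biased one is partly guessable."""
    n = len(addresses)
    return {b: sum(a >> b & 1 for a in addresses) / n for b in varying_bits(addresses)}


def effective_entropy_bits(addresses):
    """Measured entropy in bits, to set against the claimed figure."""
    return len(varying_bits(addresses))


def constructed_samples(n, randomized_bits, base=0x7000_0000_0000, seed=1):
    """Constructed stand-in for hundreds of observed addresses: only
    `randomized_bits` bits directly above the page offset vary and the high
    bits stay fixed, which is how an OS delivers fewer bits than it claims."""
    rng = random.Random(seed)
    mask = ((1 << randomized_bits) - 1) << PAGE_SHIFT
    return [base | (rng.getrandbits(64) & mask) for _ in range(n)]


if __name__ == "__main__":
    # Claimed values are from the talk's table; the measured values are
    # reproduced by construction here, not by sampling a live system.
    for os_name, claimed, actual in [("64-bit Debian", 28, 28),
                                     ("64-bit OpenBSD", 25, 15)]:
        got = effective_entropy_bits(constructed_samples(500, actual))
        print(f"{os_name}: claimed {claimed} bits, measured {got} bits")
```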

44 Evaluation

● Debian (32-bit & 64-bit) ASLR Has Most Entropy
● 32-bit HardenedBSD ASLR Has Least Entropy
● Operating Systems Often Provide Less Entropy than Claimed
● We Must Perform Independent Tests of Security
● Evaluation Can Be Performed on More OSes

45 Limitations

● Small Set of Operating Systems Tested
  ❌ Windows
  ❌ macOS
  ❌ Android
  ❌ iOS
● Source Code Was Not Examined

46 Related Work

● “A Study of MAC Address Randomization in Mobile Devices and When it Fails” - Martin et al.
● “Techniques for the Dynamic Randomization of Network Attributes” - Chavez et al.

47 Conclusion

● Strength of Security Features Should Be Verified
● More Analysis Reveals Existing Limitations
● This Work Looks at Only One Defense Mechanism
● We Need More Quantitative Security Metrics

48 Questions?

www.jonganz.com

Security Research

● Malicious Media Sanitization
● Performance Analysis of Network Monitors
● Electronic Voting System Security Evaluation
● Multipath Routing Recovery Delay
