ASLR: How Robust Is the Randomness? Quantifying Security


Quantifying Security to Advance Resilience
ASLR: How Robust is the Randomness?
Jonathan Ganz

What is Address Space Layout Randomization?
● Provides System-Level Control-Flow Integrity
● Adds Random Memory Offsets to Binaries
● Makes Buffer Overflows Harder to Exploit
  ⚫ Does Not Completely Remove Vulnerability
● Strength of ASLR Depends on Entropy of Offsets

What are Buffer Overflows?
[figure: stack-overflow diagram, credited to https://www.securitysift.com/windows-exploit-development-part-2-intro-stack-overflow/]

Why Attackers Perform Buffer Overflows
[figure: stack diagram in which a buffer overflows as rows of repeated "A" bytes, the last overwritten bytes reading "AAAQRST"]

Why We Use ASLR
● Organizations Often Rely on Third-Party Software
● This Software May Be Vulnerable & Closed-Source
● Extra Hardening Features May Not Be Available
  ⚫ CPU Power
  ⚫ Thermal Design Power
  ⚫ Licensing / Cost
  ⚫ Architecture Compatibility

Motivation
● We Rely on Certain Security Features
● How Reliable are these Features?
● How Much Defense Does ASLR Provide?
● Remote Security Evaluation

ASLR Experiment
● Measure Entropy of ASLR Implementations
● Develop Buffer-Overflow-Vulnerable Program
● Develop Attack Program (Inspired by Blind-ROP)
● Evaluate Multiple Operating Systems
  ⚫ Debian, OpenBSD, HardenedBSD
  ⚫ 32-bit and 64-bit Architectures
● Perform Hundreds of Measurements

ASLR Assumption
● 64-bit Operating Systems Represent Memory with More Bits than their 32-bit Variants
● The 64-bit Versions Have More Bits Available to Manipulate Through ASLR
● 64-bit Implementations of ASLR Should Provide More Entropy than 32-bit Implementations

Claims of Entropy Provided by ASLR
Operating system        Entropy claimed
64-bit HardenedBSD      30 bits
64-bit Debian           28 bits
64-bit OpenBSD          25 bits
32-bit Debian           24 bits
32-bit OpenBSD          16 bits
32-bit HardenedBSD      14 bits

Vulnerable Network Service
[diagram: Client sends a Request to the Server; the Server calls fork() and a Child handles the request]

Attacking the Vulnerable Service
[diagram: an attack string (AtkStr) is sent to the service and the outcome is classified as Running?, Crashed?, or Target Function?]

Attack Strategy
(slides 12-30 build up the following picture one probe at a time; the final state is shown here; ✔ = child still running, ✘ = child crashed)
[0]                                  ✔ Running
[0][0]                               ✔
[0][0][0]                            ✔
 .                                   ✔
 .                                   ✔
[0][0][0]....[0]                     ✔
[0][0][0]....[0][0]                  ✘
[0][0][0]....[0][1]                  ✘
[0][0][0]....[0][2]                  ✘
 .                                   ✘
 .                                   ✘
[0][0][0]....[0][137]                ✔
[0][0][0]....[0][137][0]             ✘
[0][0][0]....[0][137][1]             ✘
 .                                   ✘
 .                                   ✘
[0][0][0]....[0][137][14][213][57]   ✔
Recovered value: [137][14][213][57]

ASLR Results
[figures: one plot per platform, shown twice (slides 31-36 and 37-42): ASLR Results - 32-bit HardenedBSD; ASLR Results - 32-bit OpenBSD; ASLR Results - 64-bit OpenBSD; ASLR Results - 32-bit Debian Linux; ASLR Results - 64-bit HardenedBSD; ASLR Results - 64-bit Debian Linux]

ASLR Results - Effective Entropy
Operating system        Claimed    Measured
64-bit Debian           28 bits    28 bits
64-bit HardenedBSD      30 bits    25 bits
32-bit Debian           24 bits    20 bits
64-bit OpenBSD          25 bits    15 bits
32-bit OpenBSD          16 bits    15 bits
32-bit HardenedBSD      14 bits     8 bits

Evaluation
● Debian (32-bit & 64-bit) ASLR Has Most Entropy
● 32-bit HardenedBSD ASLR Has Least Entropy
● Operating Systems Often Provide Less Entropy than Claimed
● We Must Perform Independent Tests of Security
● Evaluation Can Be Performed on More OSes

Limitations
● Small Set of Operating Systems Tested
  ❌ Windows
  ❌ macOS
  ❌ Android
  ❌ iOS
● Source Code Was Not Examined

Related Work
● "A Study of MAC Address Randomization in Mobile Devices and When it Fails" - Martin et al.
● "Techniques for the Dynamic Randomization of Network Attributes" - Chavez et al.

Conclusion
● Strength of Security Features Should Be Verified
● More Analysis Reveals Existing Limitations
● This Work Looks at Only One Defense Mechanism
● We Need More Quantitative Security Metrics

Questions?
www.jonganz.com

Security Research
● Malicious Media Sanitization
● Performance Analysis of Network Monitors
● Electronic Voting System Security Evaluation
● Multipath Routing Recovery Delay
www.jonganz.com
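The "ASLR Experiment" slide says the entropy of each ASLR implementation was measured over hundreds of runs, and the "Effective Entropy" table reports the result as a bit count. The talk does not show its measurement code; the script below is an added example of how such a measurement can be done on Linux, and it is not the author's tool. It starts a fresh process repeatedly (each start goes through execve(), so every sample sees a new randomization, unlike a fork()ed child, which inherits its parent's layout), reads the base of a region such as [stack] or [heap] from /proc/<pid>/maps, and reports which address bits actually vary and how many bits of entropy they carry. The region names, the sample count, and the per-bit estimator are the example's own choices; the per-bit figure assumes the bits are independent and is therefore an upper bound, while the distinct-address figure is a lower bound limited by the sample size.

```python
"""Estimate the effective entropy of an ASLR implementation from sampled addresses.

Added example (not from the talk). Linux only: it relies on /proc/<pid>/maps.
"""
import math
import re
import subprocess
import sys

# One /proc/<pid>/maps line: "start-end perms offset dev inode [pathname]"
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s*(.*)$")


def parse_maps(text):
    """Return {pathname: lowest start address} for every named mapping in a maps dump."""
    bases = {}
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        start, name = int(m.group(1), 16), m.group(4)
        if name and (name not in bases or start < bases[name]):
            bases[name] = start
    return bases


def sample_region_base(region="[stack]"):
    """Spawn a fresh interpreter and return the base of `region` in its address space.

    Each spawn goes through execve(), so each sample gets a fresh randomization.
    """
    out = subprocess.run(
        [sys.executable, "-c", "print(open('/proc/self/maps').read())"],
        capture_output=True, text=True, check=True,
    ).stdout
    return parse_maps(out)[region]


def varying_bits(addresses, width=64):
    """Bit positions that take both the value 0 and the value 1 somewhere in the sample."""
    seen = [set() for _ in range(width)]
    for a in addresses:
        for bit in range(width):
            seen[bit].add((a >> bit) & 1)
    return {bit for bit, values in enumerate(seen) if len(values) == 2}


def per_bit_entropy(addresses, width=64):
    """Sum of the Shannon entropy of each address bit, in bits.

    Treats bits as independent, so this is an upper bound on the joint entropy.
    Bits that never change (fixed high bits, page-alignment zeros) contribute 0.
    """
    n = len(addresses)
    total = 0.0
    for bit in range(width):
        ones = sum((a >> bit) & 1 for a in addresses)
        for count in (ones, n - ones):
            if 0 < count < n:
                p = count / n
                total -= p * math.log2(p)
    return total


def distinct_entropy(addresses):
    """log2 of the number of distinct addresses: a lower bound, capped by the sample size."""
    return math.log2(len(set(addresses)))


def summarize(addresses):
    """Summary of one sample set; split out so the estimators can be checked offline."""
    return {
        "samples": len(addresses),
        "varying_bits": sorted(varying_bits(addresses)),
        "per_bit_entropy": per_bit_entropy(addresses),
        "distinct_entropy": distinct_entropy(addresses),
    }


def measure(region="[stack]", samples=200):
    """Collect `samples` fresh processes and summarize the randomness of `region`."""
    return summarize([sample_region_base(region) for _ in range(samples)])


if __name__ == "__main__":
    for region in ("[stack]", "[heap]"):
        print(region, measure(region))
```

Run it as root-free user code on a Linux host; a few hundred samples are enough to see which bits move, but the distinct-address bound cannot exceed log2(samples), so a claim of 28 bits can only be approached from below with the per-bit estimate. Comparing the two figures against the vendor's claimed entropy is exactly the check the "Effective Entropy" table reports.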
