Title: On the Effectiveness of Address-Space Randomization
Authors: Hovav Shacham, Matthew Page, Ben Pfaff, Eu-Jin Goh, Nagendra Modadugu, Dan Boneh
Published in: CCS'04, October 25-29, 2004, Washington, DC, USA
http://www.stanford.edu/~blp/papers/asrandom.pdf

Summary

Address-space randomization (ASLR) is a technique for fortifying systems against buffer overflow attacks. The idea is to introduce artificial diversity by randomizing the memory locations of certain components of a process (the executable, the mapped libraries, the stack). Many buffer overflow attacks, such as the "return-to-libc" attack, then fail because the attacker no longer knows the virtual address of the library function to call, or of the injected code that the overwritten return address must point to.

This paper demonstrates a new attack, the de-randomization attack, which converts any standard buffer-overflow exploit into one that works against systems protected by address-space randomization. It rests on two observations about PaX ASLR, the implementation studied. First, ASLR only randomizes the base address of each segment; the layout within the C library is fixed, so once the attacker learns the randomized offset of libc, the addresses of all other libc functions follow. Second, the base address does not change during the lifetime of the process, and in a forking server such as Apache every child inherits the parent's layout, so a crashed child does not reset the secret. The attack therefore brute-forces the fixed offset of the C library: each guess is a return-to-libc overflow into a candidate address, and the attacker observes whether the child crashes (wrong guess) or behaves as expected (right guess), after which a final overflow takes control of the victim. Because the randomized space for the library offset is only 16 bits on a 32-bit architecture, the brute force is feasible; the paper reports an average of about 216 seconds against a PaX-protected Apache server.

The paper also explores ways of strengthening address-space randomization. It concludes that increasing the frequency of re-randomization (for example, on every fork) adds at most 1 bit of security, since it only turns a search without replacement into one with replacement and so at most doubles the expected number of probes. On randomization granularity, it concludes that compile-time randomization appears to be more effective than runtime randomization. Finally, the paper discusses crash detection and reaction mechanisms (watching for the many crashes the attack causes) and concludes that they are not practical for a large website, either economically or technically.
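To make the brute-force arithmetic concrete, the following is an added C simulation; it is not code from the paper. It assumes a forking-server model in which children inherit the parent's layout, models only the 16-bit width of PaX's mmap() randomization (the delta_mmap of the libc base) and not PaX's actual source of randomness, and replaces the real probe (a return-to-libc overflow whose outcome is a crashed or hung child) with a direct comparison oracle. It shows why a fixed layout costs the attacker about 2^15 probes on average, and why re-randomizing on every fork only raises that to about 2^16, i.e. the "at most 1 bit" result.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>

/* Added example (not the paper's code). Models the de-randomization attack
 * against PaX ASLR on 32-bit x86: the mmap() base, where libc lives, gets
 * 16 bits of randomness. The attacker overflows a buffer in a forked child,
 * returns into a guessed libc address and observes whether the child crashes
 * (wrong guess) or behaves as expected (right guess). */

#define ENTROPY_BITS 16u                    /* PaX delta_mmap width on x86-32 */
#define SPACE        (1u << ENTROPY_BITS)   /* 65536 candidate offsets */

/* Small deterministic PRNG so runs are reproducible. Assumption: only the
 * width of PaX's randomization is modelled, not its real entropy source. */
static uint32_t rng_state = 2463534242u;
static uint32_t xorshift32(void) {
    uint32_t x = rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return rng_state = x;
}
static uint32_t random_delta(void) { return xorshift32() >> 16; } /* 0..SPACE-1 */

/* The victim: a forking server. Children inherit the parent's layout, so the
 * secret survives each crash unless the server re-randomizes per fork. */
struct victim {
    uint32_t delta;          /* the secret 16-bit libc offset */
    bool rerandomize_fork;   /* true: fresh delta for every child */
};

/* One probe = one connection = one crashed or hung child. Stands in for the
 * real oracle; returns true when the guessed offset matches the child's. */
static bool probe(struct victim *v, uint32_t guess) {
    bool hit = (guess == v->delta);
    if (v->rerandomize_fork) v->delta = random_delta();
    return hit;
}

/* Fixed layout: scan the space sequentially. Returns the number of probes
 * used (secret + 1 when scanning upward from 0); worst case SPACE,
 * average SPACE / 2 = 2^15. */
unsigned long brute_force_fixed(uint32_t secret) {
    struct victim v = { secret, false };
    unsigned long probes = 0;
    for (uint32_t guess = 0; guess < SPACE; guess++) {
        probes++;
        if (probe(&v, guess)) return probes;
    }
    return 0; /* unreachable: the scan covers the whole space */
}

/* Re-randomizing server: every child has a new offset, so each probe is an
 * independent trial with success probability 2^-16 regardless of strategy
 * (here: always guess 0). Average SPACE = 2^16 probes, only double. */
unsigned long brute_force_rerandomized(uint32_t initial_secret) {
    struct victim v = { initial_secret, true };
    unsigned long probes = 0;
    for (;;) {
        probes++;
        if (probe(&v, 0)) return probes;
    }
}

/* Average probe count over `trials` random secrets for either server model. */
double average_probes(bool rerandomize, unsigned trials) {
    unsigned long total = 0;
    for (unsigned i = 0; i < trials; i++) {
        uint32_t secret = random_delta();
        total += rerandomize ? brute_force_rerandomized(secret)
                             : brute_force_fixed(secret);
    }
    return (double)total / trials;
}

int main(void) {
    printf("fixed layout:   %.0f probes on average (expected ~%u)\n",
           average_probes(false, 1000), SPACE / 2);
    printf("re-randomizing: %.0f probes on average (expected ~%u)\n",
           average_probes(true, 1000), SPACE);
    return 0;
}
```

Each probe in the real attack costs one TCP connection and one child crash, so the probe counts translate directly into the minutes-long attack times the paper measures; raising ENTROPY_BITS to the widths available on a 64-bit architecture makes the same loop infeasible, which is the paper's main recommendation.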
The paper suggests that a 64-bit architecture is a good way to make address-space randomization more effective against the de-randomization attack, since the randomized space becomes far too large to brute-force. It also admits, however, that overflow-mitigation systems that protect the stack can defeat many of these attacks on their own.

Pros
- Shows a flaw in a technique that was previously thought secure.
- Explains the attack well, and how hard it is to fix.
- Does not just show that the fixes may not work, but also shows how detection may cause trouble of its own.

Cons
- The paper does not discuss compile-time randomization in enough detail, nor compare it in the context of their attack.
- The attack model is restricted to the PaX ASLR system, i.e., Linux as the OS. They say the results on OpenBSD would be similar, but they have no actual results.
- The paper emphasizes the attack more than methods to improve address randomization. Also, the alternative schemes read more like a literature survey than an original contribution, which is not impressive.

Questions
- In the attack example, the attacker obtains the address of libc and then invokes system() to execute a shell command. Could the operating system protect certain critical functions in libc (or similar code) and allow only particular processes, for particular users, to execute them?
- The way the attacker determines whether it has guessed the right address is to invoke a function at the guessed address and see whether it behaves as expected. Is it possible to monitor crashes in these functions to detect the de-randomization attack?