
Address Space Layout Randomization


TheXero

Full Member

Posts: 112

Joined: Tue Dec 07, 2010 12:24 pm

Post Sun Apr 15, 2012 8:18 am

Address Space Layout Randomization

Hey

A previously unpublished article I wrote about ASLR can be found at ASLR.pdf; tell me what you guys think :)

Regards,
TheXero
Last edited by TheXero on Tue Apr 17, 2012 8:06 am, edited 1 time in total.

unicityd

Full Member

Posts: 170

Joined: Wed Sep 03, 2008 5:33 pm

Post Mon Apr 16, 2012 5:10 pm

Re: Address Space Layout Randomization

TheXero,

I think the article gives a good overview of ASLR on Windows. 

In the introduction, you describe a basic overflow as overwriting EIP with a return address to a JMP instruction.  I'm not sure what the current state of the art is, but the old technique was to overwrite EIP with an address that pointed inside of a NOP sled that leads to the shellcode.  You could also create a sled out of a series of relative JMP instructions.  Unless something has changed, you would not (in ordinary circumstances) return to an absolute JMP.

Your paper has no references but you've obviously pulled information from several sources.  Ideally, you would cite these throughout the paper, but you should at least have a bibliography at the end.  Not only does this provide credit where appropriate, but it tells readers where they can go to get more information.  There are several published papers on ASLR that readers could use to learn more about various aspects.

You mention Linux in passing, but there are some differences on Linux (and OpenBSD) as opposed to Windows.  In particular, I think OpenBSD and some Linux distributions have full ASLR, which would prevent your method #2 from working.  I can't say that with full confidence since I haven't studied their implementations recently, but it would be worth looking into.

I thank you for writing and distributing this paper.  Too few people take the time to share their knowledge and discoveries with the community.
BS in IT, CISSP, MS in IS Management (in progress)
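To make unicityd's point about landing in a NOP sled concrete, here is an added example that is not part of the paper or of any post in this thread. It builds the classic pre-ASLR payload layout (sled, shellcode, padding, overwritten saved EIP) for a constructed 64-byte stack buffer, then simulates the return to show which guessed addresses still reach the shellcode, and how that tolerance shrinks once the buffer address is randomized. The frame layout, addresses, sled length and the 0xCC stand-in for the first shellcode byte are all assumptions for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed frame for the example (not taken from any real binary):
 * 64-byte buffer, 4-byte saved EBP, then the saved return address (EIP). */
#define BUF_LEN     64
#define RET_OFFSET  (BUF_LEN + 4)
#define PAYLOAD_LEN (RET_OFFSET + 4)

#define NOP        0x90  /* x86 one-byte nop */
#define SHELLCODE  0xCC  /* int3: stand-in for the first shellcode byte (constructed) */
#define PAD        0x41  /* filler between the shellcode and the saved EIP */

/* Build [NOP sled][shellcode marker][padding][little-endian return address].
 * sled_len must leave room for the marker before RET_OFFSET.
 * Returns the payload length, or 0 if the sled would not fit. */
size_t build_payload(uint8_t *out, size_t sled_len, uint32_t ret_addr)
{
    if (sled_len >= RET_OFFSET)
        return 0;
    memset(out, NOP, sled_len);
    out[sled_len] = SHELLCODE;
    memset(out + sled_len + 1, PAD, RET_OFFSET - sled_len - 1);
    out[RET_OFFSET + 0] = (uint8_t)(ret_addr);
    out[RET_OFFSET + 1] = (uint8_t)(ret_addr >> 8);
    out[RET_OFFSET + 2] = (uint8_t)(ret_addr >> 16);
    out[RET_OFFSET + 3] = (uint8_t)(ret_addr >> 24);
    return PAYLOAD_LEN;
}

/* Simulate the ret: read the overwritten EIP back out of the payload, assume the
 * buffer really lives at buf_addr, and walk forward over NOPs from there.
 * Returns 1 if the walk reaches the shellcode marker, 0 otherwise. */
int lands_on_shellcode(const uint8_t *payload, size_t len, uint32_t buf_addr)
{
    uint32_t ret = (uint32_t)payload[len - 4]
                 | (uint32_t)payload[len - 3] << 8
                 | (uint32_t)payload[len - 2] << 16
                 | (uint32_t)payload[len - 1] << 24;
    uint32_t off = ret - buf_addr;          /* wraps to a huge value if ret is below the buffer */
    if (off >= len)
        return 0;                           /* the guess missed the buffer entirely */
    while (off < len && payload[off] == NOP)
        off++;
    return off < len && payload[off] == SHELLCODE;
}

/* Build a payload that returns to `guess` and check whether it hits when the
 * buffer is actually at buf_addr. */
int check_guess(size_t sled_len, uint32_t guess, uint32_t buf_addr)
{
    uint8_t payload[PAYLOAD_LEN];
    size_t n = build_payload(payload, sled_len, guess);
    return n != 0 && lands_on_shellcode(payload, n, buf_addr);
}

/* Count the guesses in [lo, hi) that reach the shellcode when the buffer is at
 * buf_addr: one per sled byte plus the marker itself. */
unsigned count_viable_guesses(size_t sled_len, uint32_t buf_addr, uint32_t lo, uint32_t hi)
{
    unsigned hits = 0;
    for (uint32_t guess = lo; guess < hi; guess++)
        hits += check_guess(sled_len, guess, buf_addr) ? 1u : 0u;
    return hits;
}

/* Chance that one guess hits when the buffer address is randomized uniformly
 * over 2^entropy_bits positions at byte granularity (a simplification; real
 * implementations randomize at coarser granularity). */
double hit_probability(size_t sled_len, unsigned entropy_bits)
{
    double positions = (double)(1ULL << entropy_bits);
    double p = (double)(sled_len + 1) / positions;
    return p > 1.0 ? 1.0 : p;
}

int main(void)
{
    printf("guess 0x0012FF40, buffer at 0x0012FF20, 32-byte sled: %s\n",
           check_guess(32, 0x0012FF40u, 0x0012FF20u) ? "hits the sled" : "misses");
    printf("viable guesses in a 160-byte window with a 32-byte sled: %u\n",
           count_viable_guesses(32, 0x0012FF40u, 0x0012FF00u, 0x0012FFA0u));
    for (unsigned bits = 0; bits <= 24; bits += 8)
        printf("%2u bits of randomization: per-attempt hit probability %.6f\n",
               bits, hit_probability(32, bits));
    return 0;
}
```

The sled is what lets a fixed return address survive small shifts in the buffer's location (different environment size, different shell); with no randomization every guess inside the sled works, and the count of viable guesses is simply sled length plus one. ASLR turns that fixed tolerance into a probability per attempt, which is why the thread's discussion turns to addresses in non-randomized modules rather than bigger sleds.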

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Tue Apr 17, 2012 7:43 am

Re: Address Space Layout Randomization

Good suggestions.

unicityd wrote: I thank you for writing and distributing this paper.  Too few people take the time to share their knowledge and discoveries with the community.

Exploit-DB hosts a decent amount of papers, including this one.
The day you stop learning is the day you start becoming obsolete.

MaXe

Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Thu Apr 19, 2012 4:03 pm

Re: Address Space Layout Randomization

I agree, but nice job, TheXero ;D
I'm an InterN0T'er
