
A particular article from arstechnica.com stated this.

One of these protective measures is called Address Space Layout Randomization, ASLR, and it works by moving DLLs and application memory into unpredictable locations within the 4GB that each 32-bit application has available to it. This makes exploitation harder, but on 32-bit systems the protection is limited. With only 4GB of space, there aren't that many random locations to choose. DLLs, for example, still need to be packed relatively close together, to ensure that there are large tracts of free space open for applications to store their own data in.

Does this have any technical merit, or should I file this away as the usual nonsense that non-security-focused sites come up with?

  • At least traditional 32-bit systems (non-PAE) didn't enforce the memory executable flag. But I'm not sure if DEP requires 64-bit applications or just a 64-bit OS. – CodesInChaos Dec 02 '12 at 12:29

1 Answer


ASLR is a hide-and-seek game: in case the attacker succeeds in overflowing a buffer and overwriting pointers, the OS loads the application code (the main executable and its DLL) in randomized locations, so as to make it harder for the attacker to actually hit a meaningful location. By construction, it works better when the playground is larger. The extended address space in 64-bit mode is a larger playground.

To quantify things: in 32-bit mode, the address space is, at most, 32 bits wide (actually 31 bits when the kernel is not aware of 64-bit mode). The DLL loader must respect page alignment, and a page is 4 kB on x86. This gives, at most, 20 bits of entropy in the randomization of ASLR, but in practice lower than that, because spreading the DLLs throughout the whole address space can induce higher fragmentation (preventing the application from allocating, e.g., a 1 GB continuous buffer, something which is commonplace when editing pictures or movies). This is what the text you quote alludes to. Let's assume, for instance, that the DLL loading will occur only within one eighth of the address space, i.e. 29 bits; with alignment, this means 17 bits of entropy, aka 131072 possible locations for any given DLL. In any case, an industrious attacker could rely on luck, by simply repeating the attack (with a script) a few dozen thousand times until it works.

With 64-bit mode, the address space is extended to 48 bits, lowered to 44 bits on Windows, because they did not bother to go beyond. This adds 12 bits of entropy; in other words, it multiplies the attacker's effort by 4096 (in case the attacker relies on luck).

Therefore, it is true that, in some way, the extended address space of 64-bit mode increases security. Of course, ASLR has any effect only when a buffer overflow has occurred, in which case you are already in big trouble.

Thomas Pornin
  • Many IT shops are installing 32 bit Office Professional on a 64 bit Windows 7. Do you know how it would apply in this case? – makerofthings7 Dec 02 '12 at 14:11
  • 4
    Address space is per process. A 32-bit Office lives in a 32-bit address space. When the OS is 64-bit, it _may_ offer a full 32-bit address space to 32-bit processes (instead of 31-bit), but this is an opt-in thing because it may break sloppily written software (software which uses _signed_ 32-bit integers for offsets). Therefore, you _might_ get 1 extra bit of entropy (compared to a full 32-bit setup), but no more. – Thomas Pornin Dec 02 '12 at 14:59
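The entropy arithmetic in the answer above, written out as a small model (an added example, not code from the original post or its author). It takes the answer's own assumptions as inputs: 4 kB pages fixing the low 12 bits of a base address, a 31- or 32-bit user address space for a 32-bit process, 44 bits on 64-bit Windows, and a DLL-loading region restricted to a fraction of the address space (one eighth in the answer) to limit fragmentation. The function names and the configuration labels are this example's own; the figures reproduce the answer's numbers and let you plug in other widths (48-bit canonical space, a different page size) to see how the work factor for a luck-based guess changes.

```python
"""ASLR entropy model (added example; assumptions follow the answer above).

entropy bits = address-space bits - region restriction bits - alignment bits
A single fixed guess of a DLL base address succeeds with probability 2^-entropy,
and the expected number of independent attempts (each against a freshly
randomized process) is 2^entropy.
"""

PAGE_BITS = 12  # 4 kB pages on x86: the low 12 bits of a load address are fixed


def aslr_entropy_bits(address_bits: int, region_shrink_bits: int = 0,
                      alignment_bits: int = PAGE_BITS) -> int:
    """Bits of randomness in a DLL base address.

    address_bits:       width of the usable user address space
    region_shrink_bits: how much smaller the loading region is than the whole
                        space, in bits (3 = one eighth, as assumed in the answer)
    alignment_bits:     low bits forced to zero by page alignment
    """
    bits = address_bits - region_shrink_bits - alignment_bits
    if bits < 0:
        raise ValueError("alignment and region restriction exceed the address space")
    return bits


def candidate_locations(entropy_bits: int) -> int:
    """Number of distinct base addresses the loader can pick from."""
    return 1 << entropy_bits


def single_guess_hit_probability(entropy_bits: int) -> float:
    """Chance that one fixed guess of a base address is right."""
    return 1.0 / candidate_locations(entropy_bits)


def expected_guesses(entropy_bits: int) -> float:
    """Mean number of independent attempts before one succeeds (geometric
    distribution with success probability 2^-entropy, so mean = 2^entropy)."""
    return float(candidate_locations(entropy_bits))


def entropy_gain(addr_bits_a: int, addr_bits_b: int,
                 region_shrink_bits: int = 0) -> tuple:
    """Extra entropy bits and work multiplier that configuration B offers over A."""
    a = aslr_entropy_bits(addr_bits_a, region_shrink_bits)
    b = aslr_entropy_bits(addr_bits_b, region_shrink_bits)
    return b - a, 1 << (b - a)


def compare_configurations() -> dict:
    """Entropy, candidate locations and expected attempts for the cases the
    answer discusses (labels and the 1/8 region assumption are this example's)."""
    configs = {
        "32-bit process, 31-bit user space, DLLs in 1/8 of it": (31, 3),
        "32-bit process, full 32-bit user space, DLLs in 1/8 of it": (32, 3),
        "64-bit Windows, 44-bit user space, DLLs in 1/8 of it": (44, 3),
        "64-bit, 48-bit canonical space, DLLs in 1/8 of it": (48, 3),
    }
    rows = {}
    for name, (addr, shrink) in configs.items():
        e = aslr_entropy_bits(addr, shrink)
        rows[name] = (e, candidate_locations(e), expected_guesses(e))
    return rows


if __name__ == "__main__":
    for name, (e, n, g) in compare_configurations().items():
        print(f"{name}: {e} bits, {n} locations, ~{g:.3g} expected attempts")
    extra, mult = entropy_gain(32, 44)
    print(f"64-bit Windows vs full 32-bit: +{extra} bits, work factor x{mult}")
```

Note that the model counts only the DLL base address; it says nothing about whether the process actually opted in to ASLR or about information leaks that reveal an address outright, both of which remove the entropy entirely and matter more in practice than the bit count.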