Questions tagged [aslr]
93 questions

Address Space Layout Randomisation (ASLR) is an exploit mitigation that makes it harder for shellcode and other memory-corruption payloads to succeed. It does this by randomly offsetting the locations of loaded modules and certain in-memory structures each time a program runs, so an exploit cannot rely on fixed addresses.
127 votes, 2 answers
How do ASLR and DEP work?
How do Address Space Layout Randomisation (ASLR) and Data Execution Prevention (DEP) work, in terms of preventing vulnerabilities from being exploited? Can they be bypassed?
Polynomial (132,208 · 43 · 298 · 379)
32 votes, 3 answers
Why doesn't Linux randomize the address of the executable code segment?
I've recently been learning about how ASLR (address space randomization) works on Linux. At least on Fedora and Red Hat Enterprise Linux, there are two kinds of executable programs:
Position Independent Executables (PIEs) receive strong address…
D.W. (98,420 · 30 · 267 · 572)
19 votes, 2 answers
How "leaking pointers" to bypass DEP/ASLR works
I was wondering if anyone could give me some clues on how "leaking pointers" to bypass DEP/ASLR works. I read here:
The only way to reliably bypass DEP and ASLR is through a pointer leak. This is a situation where a value on the stack, at a…
John Smith (509 · 1 · 5 · 8)
15 votes, 3 answers
Compiling a buffer overflow example in modern Linux?
I'm trying to compile a simple buffer overflow example on a Debian i386 VM. The executable builds OK, but EIP does not get overwritten correctly despite being supplied a sufficiently large input to overflow the buffer and overwrite the pushed EIP…
B-MO (313 · 2 · 6)
13 votes, 1 answer
Does KASLR really provide more security against exploits?
I know all about how ASLR works, and how it has been implemented on both Linux and Windows systems. It provides an extra layer of protection that malware has to take into account. But nowadays with computers being left on for long periods of time…
RoraΖ (12,317 · 4 · 51 · 83)
12 votes, 1 answer
Why are some DLLs not randomized? What makes it hard to deploy full ASLR for all DLLs?
One of the challenges with deploying ASLR for everything is that, at least on Windows, some DLLs (libraries) are not compiled in a way that's compatible with ASLR. (They're not compiled as position-independent code, and so the place where they are…
D.W. (98,420 · 30 · 267 · 572)
10 votes, 1 answer
What attacks does a W^X policy prevent?
Write xor Execute (W^X) is a policy under which a block (page) of memory cannot be marked as both writable and executable at the same time.
What attacks does W^X prevent, with and without the following:
Address Space Layout Randomization (ASLR)
Data…
Polynomial (132,208 · 43 · 298 · 379)
9 votes, 1 answer
What is HiASLR?
I have been hearing this word the whole day long. Can anyone give me a brief intro? How does it differ from ASLR?
kiran (193 · 6)
9 votes, 1 answer
Importance of ASLR Mode 2
From what I understand, ASLR has 3 modes:
0 - turned off
1 - randomizes stack, heap, shared libraries, vDSO, mmap memory area and text area (if built with -fPIE -pie)
2 - additionally randomizes brk()-allocated memory, which comes, to my…
Mr_Mango (93 · 6)
8 votes, 1 answer
Limited buffer size for shellcode on a 64-bit machine
I have a code snippet which has the classic strcpy vulnerability:

    #include <string.h>

    int main(int argc, char *argv[]) {
        char buffer[8];            /* 8-byte stack buffer */
        strcpy(buffer, argv[1]);   /* no length check: argv[1] longer than 7 bytes overflows it */
    }

By disassembling the binary file, we can see rsp is decreased by 0x10 (16) bytes.
So we can…
user50312
8 votes, 2 answers
When is memory allocation/layout deterministic?
I'm trying to learn about buffer overflow attacks, both on the stack and on the heap. However, I'm confused about when it's possible to determine the address of the buffer.
The classic "Smashing the Stack for Fun and Profit" mentions the need to…
Lily Chung (968 · 1 · 9 · 13)
8 votes, 1 answer
Information disclosure attack, using a heap overflow
A typical strategy for defeating ASLR is to find both a buffer overflow bug and an information disclosure bug. But when attacking servers that are automatically restarted whenever they crash/die, is a buffer overflow bug enough? Can we use that…
D.W. (98,420 · 30 · 267 · 572)
8 votes, 1 answer
Do 64-bit applications have any security merits over 32-bit applications?
A particular article from arstechnica.com stated this:
One of these protective measures is called Address Space Layout Randomization, ASLR, and it works by moving DLLs and application memory into unpredictable locations within the 4GB that each…
user10211
8 votes, 1 answer
ASLR bypass with info leak
Working through the Modern Binary Exploitation course from RPI here. I'm having trouble with an example on exploiting ASLR which is supposed to use a memory leak to gain information about the stack to then calculate the offset for a system call…
Praet (101 · 1 · 5)
8 votes, 2 answers
Trouble building a ROP chain
I am trying to exploit a small program. The program looks somewhat like this:

    #include <stdio.h>

    int func(void) {
        char text[100];
        scanf("%s", text);          /* unbounded read: input longer than 99 bytes overflows text */
        return 0;
    }

    int foo(unsigned short rand) {
        char RandomBuffer[rand];    /* variable-length array: shifts func()'s frame by a caller-chosen amount */
        return func();
    }

    int…

alive-and-well (163 · 1 · 10)