2 questions regarding ASLR

2018-06-22 03:55:02

I've been reading about ASLR and I have a couple of questions. I have little programming experience but I am interested in the theory behind it.

I understand that it randomizes where DLLs, stacks and heaps are in the virtual address space so that malicious code doesn't know their location, but how does the actual program know their location when it needs them?

If the legitimate process can locate them, what stops the malicious code doing the same?

and finally, is the malicious code that ASLR tries to prevent running in the user space of the process it is attacking?

Thanks

As background, ASLR is intended to complicate code injection attacks where the attacker tries to utilize your overflow bug to trick your application into running the attacker's code. For example, in a successful stack buffer overflow attack the attacker pushes their code onto the stack and modifies the call frame's return pointer to point to the on-stack code.

Most code injection attacks require the attacker to know the absolute address of some part of your process's memory layout. For stack buffer overflow attacks, they need to know the address of the stack frame of the vulnerable function call so they can set the functions return pointer to point to the stack. For other attacks this could be the address of heap variables, exception tables, etc...

One more important background fact: unlike programming languages, machine code has absolute addresses in it. While your program may call function foo() , the machine code will call address 0x12345678 .

but how does the actual program know their location when it needs them?

This is established by the dynamic linker and other operating system features that are responsible for converting your on-disk executable into an in-memory process. This involves replacing references to foo with references to 0x12345678 .

If the legitimate process can locate them, what stops the malicious code doing the same?

The legitimate process knows where the addresses are because the dynamic linker creates the process such that the actual addresses are hard-wired into the process. So the process isn't locating them, per se. By the time the process is started, the addresses are all calculated and inserted into the code. An attacker can't utilize this because their code is not modified by the dynamic linker.

Consider the scenario where an attacker has a copy of the same executable that they are trying to attack. They can run the executable on their machine, examine it, and find all of the relevant addresses. Without ASLR, these addresses have a good chance of being the same on your machine when you're running the executable. ASLR randomizes these addresses meaning that the attacker can't (easily) find the addresses.

and finally, is the malicious code that ASLR tries to prevent running in the user space of the process it is attacking?

Unless there's a kernel injection vulnerability (which would likely be very bad and result in patches by your OS vendpr), yes, it's running in the user space. More specifically, it will likely be located on the stack or the heap as this is where user input is stored. Using data execution prevention will also help to prevent successful injection attacks.

链接地址: http://www.djcxy.com/p/62202.html

上一篇: 在Linux上堆栈的ASLR熵位

下一篇: 有关ASLR的2个问题