Didier Stevens

Tuesday 16 August 2011

So How Good is Pseudo-ASLR?

Filed under: Vulnerabilities,Windows 7,Windows Vista — Didier Stevens @ 0:29

Let me first define what I mean by pseudo-ASLR. Address Space Layout Randomization (ASLR, introduced in Windows Vista) loads executable images at different memory addresses. Studies have shown that ASLR uses 256 different base addresses and that the distribution is pretty uniform.

Pseudo-ASLR is what EMET and my tool SE_ASLR enforce. When a DLL does not support ASLR, memory at the preferred base address of this DLL is allocated right before the DLL is loaded into the process. Since that address is no longer free, the image loader has to load the DLL at a different address, thereby "randomizing" the base address. But how good is this randomization?
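To make the mechanism concrete, here is an added example (not SE_ASLR, not EMET, and not code from this post) that does the two things an enforcer has to do before a DLL is loaded: read the DLL's preferred ImageBase and its DllCharacteristics from the PE optional header to decide whether the image opts in to ASLR, and, on Windows only, reserve that preferred range with VirtualAlloc so the loader is forced to relocate the image. The PE offsets and flag values are the documented ones from the PE specification; the minimal PE32 header used for testing is constructed in the block and is not a loadable image. `load_dll_with_pseudo_aslr` is a hypothetical helper name and requires Windows.

```python
import struct

# Flag bits from the PE specification (winnt.h).
IMAGE_FILE_DLL = 0x2000
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image supports ASLR


def inspect_pe(data: bytes) -> dict:
    """Return preferred ImageBase, SizeOfImage, DLL flag and ASLR opt-in of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                              # COFF file header (20 bytes)
    (characteristics,) = struct.unpack_from("<H", data, coff + 18)
    opt = coff + 20                                  # optional header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                               # PE32: 32-bit ImageBase at +28
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
    elif magic == 0x20B:                             # PE32+: 64-bit ImageBase at +24
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (size_of_image,) = struct.unpack_from("<I", data, opt + 56)
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "image_base": image_base,
        "size_of_image": size_of_image,
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
    }


def needs_pseudo_aslr(data: bytes) -> bool:
    """A DLL without DYNAMIC_BASE is the case pseudo-ASLR has to handle."""
    info = inspect_pe(data)
    return info["is_dll"] and not info["aslr"]


def reserve_preferred_base(image_base: int, size_of_image: int) -> int:
    """Windows only: reserve the DLL's preferred range (no access) before loading it,
    so the image loader cannot map the DLL at its preferred base."""
    import ctypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.VirtualAlloc.restype = ctypes.c_void_p
    k32.VirtualAlloc.argtypes = [ctypes.c_void_p, ctypes.c_size_t,
                                 ctypes.c_uint32, ctypes.c_uint32]
    MEM_RESERVE, PAGE_NOACCESS = 0x2000, 0x01
    addr = k32.VirtualAlloc(image_base, size_of_image, MEM_RESERVE, PAGE_NOACCESS)
    if addr is None:
        raise ctypes.WinError(ctypes.get_last_error())
    return addr


def load_dll_with_pseudo_aslr(path: str) -> int:
    """Windows only (hypothetical helper): reserve the preferred base if needed,
    load the DLL, and return the base address it actually landed on."""
    import ctypes
    with open(path, "rb") as f:
        data = f.read()
    info = inspect_pe(data)
    if info["is_dll"] and not info["aslr"]:
        reserve_preferred_base(info["image_base"], info["size_of_image"])
    return ctypes.WinDLL(path)._handle  # HMODULE is the mapped base address


def build_test_pe32(image_base: int, dll_chars: int, size_of_image: int = 0x10000) -> bytes:
    """Constructed minimal PE32 header, just enough for inspect_pe(); not loadable."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 224, IMAGE_FILE_DLL)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<I", opt, 56, size_of_image)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    legacy = build_test_pe32(0x10000000, 0)
    modern = build_test_pe32(0x10000000, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    print("legacy DLL needs pseudo-ASLR:", needs_pseudo_aslr(legacy))
    print("ASLR-aware DLL needs pseudo-ASLR:", needs_pseudo_aslr(modern))
```

The header check is what separates the two cases in the post: a DLL with DYNAMIC_BASE set is relocated by Windows itself, while one without it is only moved if something else already occupies its preferred base, which is exactly what the reservation provides.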

As I pointed out in my article on EMET, this base address is different each time a new process is started (unlike ASLR, which needs a reboot for the base address to change). So maybe this is better?

I developed a test program that loads a DLL but pre-allocates memory at the address of the DLL before loading. Then I ran that program thousands of times on a Windows 7 32-bit machine.

Running this program about 50,000 times gives me 68 different addresses. That's nowhere near as good as the 256 with ASLR. But what's more important is that the distribution of these addresses is not uniform at all:

There's one address (0x000E0000 in my test) that is used 30% of the time. Two other addresses are used 10% of the time. Rebooting the machine does not change this distribution.

When I do the same test, but enforce ASLR with EMET, I get a similar result:

Again there’s an address that is selected 30% of the time, but it’s different from my previous test. Rebooting the Windows 7 machine doesn’t change the address.

In this test, EMET uses only 15 different addresses, compared to the 68 addresses in the first test. I'll have to research this difference; I have no explanation for it.

Conclusion from this simple test: pseudo-ASLR is rather weak, because I can predict the base address and be right one time out of three, which is not bad at all when I can launch my attack several times.
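The measurement itself (run the loader program thousands of times, collect the printed base addresses, and look at the distribution) is easy to reproduce as an analysis step. The following is an added example, not the author's test program or BAT loop: it parses the base addresses out of captured program output, and reports the number of distinct addresses, the share of the most frequent one, Shannon entropy and min-entropy in bits, and the expected number of process launches needed by someone who always guesses the most frequent address, compared with a uniform distribution. The log lines are constructed here to mirror the post's figures (one address at 30%, two at 10%, the rest scattered); they are not the author's data.

```python
import math
import re
from collections import Counter

ADDR_RE = re.compile(r"0x[0-9A-Fa-f]{8}")


def parse_bases(log_lines):
    """Extract the first 32-bit hex address from each captured output line."""
    bases = []
    for line in log_lines:
        m = ADDR_RE.search(line)
        if m:
            bases.append(int(m.group(0), 16))
    return bases


def shannon_entropy_bits(counts: Counter) -> float:
    """Average unpredictability; 8 bits would match 256 uniformly used bases."""
    n = sum(counts.values())
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def min_entropy_bits(counts: Counter) -> float:
    """Worst-case unpredictability: only the most likely outcome matters."""
    n = sum(counts.values())
    return -math.log2(max(counts.values()) / n)


def summarize(bases):
    """Distribution statistics for a list of observed base addresses."""
    counts = Counter(bases)
    top_address, top_count = counts.most_common(1)[0]
    n = len(bases)
    return {
        "samples": n,
        "distinct": len(counts),
        "top_address": top_address,
        "top_share": top_count / n,
        "shannon_bits": shannon_entropy_bits(counts),
        "min_entropy_bits": min_entropy_bits(counts),
        # Each launch is independent, so the attempt count is geometric:
        # guessing the most frequent base needs 1/p_max launches on average.
        "expected_launches_best_guess": n / top_count,
        # Same guess against a uniform spread over the observed addresses.
        "expected_launches_if_uniform": len(counts),
        "ideal_aslr_bits": 8.0,  # 256 equiprobable bases, per the studies cited above
    }


def constructed_log():
    """Constructed output of 100 runs of a 'load DLL and print its base' program."""
    bases = [0x000E0000] * 30 + [0x00100000] * 10 + [0x00120000] * 10
    bases += [0x00140000 + i * 0x10000 for i in range(50)]
    return ["run %d: DLL loaded at 0x%08X" % (i, b) for i, b in enumerate(bases)]


if __name__ == "__main__":
    stats = summarize(parse_bases(constructed_log()))
    for key, value in stats.items():
        if key == "top_address":
            print("%-30s 0x%08X" % (key, value))
        else:
            print("%-30s %s" % (key, value))
```

The two entropy figures answer different questions. Shannon entropy says how spread out the addresses are on average; min-entropy is what matters for the scenario in the conclusion, because an attacker who can retry only needs the single most likely base, and with a 30% peak that is under two bits regardless of how many other addresses appear.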

10 Comments »

  1. Can you tell us how this test was made? Maybe the script?

    Thank you for your great work.

    Comment by sherkhan — Friday 26 August 2011 @ 7:09

  2. @sherkhan For the first test I used my tool SE_ASLR, and for EMET I wrote a very simple program (with ASLR) that just loads a DLL (without ASLR) and prints the address where the DLL was loaded. That's all. Then I used a simple BAT file that runs this program in a loop.

    Comment by Didier Stevens — Saturday 27 August 2011 @ 13:28

  3. What would happen if you allocate memory blocks at each of those 15 or 68 base addresses?

    Comment by Anonymous — Wednesday 31 August 2011 @ 1:24

  4. @Anonymous Other addresses would be used. More details in an upcoming blogpost.

    Comment by Didier Stevens — Wednesday 31 August 2011 @ 18:20

  5. [...] recently found out that pseudo-ASLR (or mandatory ASLR in EMET) has a lower entropy than real ASLR. While real ASLR has an 8-bit entropy for base addresses, mandatory ASLR turned out only to have [...]

    Pingback by Bottom Up Randomization Saves Mandatory ASLR « Didier Stevens — Thursday 1 September 2011 @ 17:32

  6. Hello friend,

    in other words, it means that if you improve the PRNG, the ASLR will be improved as well, isn't it?

    Comment by Anonymous — Friday 9 September 2011 @ 8:02

  7. No, it isn’t. The charts I produced are not for ASLR, but for EMET’s Mandatory ASLR, which is different. AFAIK, the image loader does not use a PRNG.

    Comment by Didier Stevens — Friday 9 September 2011 @ 9:14

  8. If there are only 16 addresses being used, you would have to repeat your attempt to exploit something on average 8 times. But this assumes an equal distribution, where each address would show up 1 time in 16 attempts (a chance of 1/16). With this knowledge you would prefer to try the address showing up more frequently, giving you a chance of 30% or 1/3. So you would have to try the exploit only 1.5 times on average instead of 8 times to succeed.

    Comment by NXAndy — Wednesday 11 June 2014 @ 0:59

  9. Oh, what I previously wrote is wrong. Basically, instead of the expected 1/16=16.6% chance to hit the jackpot it would be 30%. The problem with my previous posting is that the address won't remain the same and would change each time (hopefully). However, it is still twice as likely as expected. It is very late – LOL

    Comment by NXAndy — Wednesday 11 June 2014 @ 1:15

  10. lol, I got up from bed for one more thing... 1/16 = 6.25% expected chance, ~1/3 = 30% real chance to hit. So 5 times less than expected.

    Comment by NXAndy — Wednesday 11 June 2014 @ 4:43
