Didier Stevens

Tuesday 16 August 2011

So How Good is Pseudo-ASLR?

Filed under: Vulnerabilities,Windows 7,Windows Vista — Didier Stevens @ 0:29

Let me first define what I mean by pseudo-ASLR. Address Space Layout Randomization (introduced in Windows Vista) loads executable files at different memory addresses. Studies have shown that ASLR uses 256 different base addresses and that the distribution is pretty uniform.

Pseudo-ASLR is what EMET and my tool SE_ASLR enforce. When a DLL does not support ASLR, memory at the base address of this DLL is allocated right before the DLL is loaded into the process. Since the address is not free, the image loader will load the DLL at a different address, thereby « randomizing » the base address. But how good is this randomization?

As I pointed out in my article on EMET, this base address is different each time a new process is started (unlike ASLR, which needs a reboot for the base address to change). So maybe this is better?

I developed a test program that loads a DLL but pre-allocates memory at the address of the DLL before loading. Then I ran that program thousands of times on a Windows 7 32-bit machine.

Running this program about 50,000 times gives me 68 different addresses. That's nowhere near as good as the 256 with ASLR. But what's more important is that the distribution of these addresses is not uniform at all:

There's one address (0x000E0000 in my test) that is used 30% of the time. Two other addresses are used 10% of the time. Rebooting the machine does not change this distribution.

When I do the same test, but enforce ASLR with EMET, I get a similar result:

Again there’s an address that is selected 30% of the time, but it’s different from my previous test. Rebooting the Windows 7 machine doesn’t change the address.

In this test, EMET uses only 15 different addresses, compared to the 68 addresses in the first test. I'll have to research this difference; I have no explanation for it.

Conclusion from this simple test: pseudo-ASLR is rather weak, because I can predict the base address and I will be right one time out of three, which is not bad at all when I can launch my attack several times.


  1. Can you tell us how this test was made? Maybe the script?

    Thank you for your great work.

    Comment by sherkhan — Friday 26 August 2011 @ 7:09

  2. @sherkhan For the first test I used my tool SE_ASLR, and for EMET I wrote a very simple program (with ASLR) that just loads a DLL (without ASLR) and prints the address where the DLL was loaded. That's all. Then I used a simple BAT file that runs this program in a loop.

    Comment by Didier Stevens — Saturday 27 August 2011 @ 13:28

  3. What would happen if you allocate memory blocks at each of those 15 or 68 base addresses?

    Comment by Anonymous — Wednesday 31 August 2011 @ 1:24

  4. @Anonymous Other addresses would be used. More details in an upcoming blogpost.

    Comment by Didier Stevens — Wednesday 31 August 2011 @ 18:20

  5. [...] recently found out that pseudo-ASLR (or mandatory ASLR in EMET) has a lower entropy than real ASLR. While real ASLR has a 8-bit entropy for base addresses, mandatory ASLR turned out only to have [...]

    Pingback by Bottom Up Randomization Saves Mandatory ASLR « Didier Stevens — Thursday 1 September 2011 @ 17:32

  6. Hello friend,

    in other words, it means that if you improve the PRNG, the ASLR will be improved as well, isn't it?

    Comment by Anonymous — Friday 9 September 2011 @ 8:02

  7. No, it isn’t. The charts I produced are not for ASLR, but for EMET’s Mandatory ASLR, which is different. AFAIK, the image loader does not use a PRNG.

    Comment by Didier Stevens — Friday 9 September 2011 @ 9:14
