Didier Stevens

Thursday 29 September 2011

Add Bottom Up Randomization To (Your Own) Source Code

Filed under: Vulnerabilities,Windows 7,Windows Vista — Didier Stevens @ 19:14

EMET’s new Bottom Up Randomization spectacularly increased the entropy of the base addresses of the DLLs loaded into my test program. Instead of 15 different addresses, I had more than 200.

Matt Miller told me how he implemented Bottom Up Randomization:

“It works by reserving a random number (between [0,256]) of 64K regions via VirtualAlloc. This has the effect of consuming a small portion of the bottom part of the address space. Since the Windows kernel assigns base addresses for collided DLLs by searching for a free region starting at the bottom of the address space, bottom up randomization ensures that a random base address will be assigned. Without bottom up randomization the bottom part of the address space remains fairly static (with some exceptions, such as due to heap, stack, and EXE randomization).”

So I decided to add this algorithm at the start of my test program:

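/* Requires <windows.h>, <stdlib.h> and <time.h>; goes at the start of main(). */
int iIter;
int iRand;

srand((unsigned int)time(NULL));   /* seed the C runtime PRNG */
iRand = rand() % 256 + 1;          /* number of 64K regions to allocate: 1..256 */
for (iIter = 0; iIter < iRand; iIter++)
    VirtualAlloc(NULL, 64*1024, MEM_COMMIT | MEM_RESERVE, PAGE_NOACCESS);  /* never freed, on purpose */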

Again, the result is spectacular. Instead of 15 base addresses, with the most frequent address being used 30% of the time, my Bottom Up Randomization implementation gives me more than 300 addresses after 150.000 runs. And there’s no single address being used more than 0,5% of the time.

From now on, I’m going to include this in my programs, and I advise you to do the same with your programs, or with the open source programs you use.
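The mechanism Matt Miller describes can be reproduced in a small model. The following C program is an added example, not code from the original post or from EMET: it simulates the bottom-up search instead of calling VirtualAlloc, and the 64K-slot array, the sample layout, the 8-slot DLL and all function names are assumptions of the model.

```c
#include <stdio.h>
#include <string.h>
#define SLOTS 1024  /* modelled address space: 1024 slots of 64K each */

/* Bottom-up first fit: lowest slot starting `need` consecutive free slots, or -1. */
static int first_fit(const unsigned char *used, int need) {
    int run = 0;
    for (int i = 0; i < SLOTS; i++) {
        run = used[i] ? 0 : run + 1;
        if (run == need) return i - need + 1;
    }
    return -1;
}

/* Reserve `pad` 64K regions bottom-up, then place a collided DLL; returns its base slot. */
int dll_base_after_padding(const unsigned char *layout, int pad, int dll_slots) {
    unsigned char used[SLOTS];
    memcpy(used, layout, SLOTS);
    for (int k = 0; k < pad; k++) {
        int s = first_fit(used, 1);
        if (s < 0) break;          /* model address space exhausted */
        used[s] = 1;
    }
    return first_fit(used, dll_slots);
}

/* Distinct DLL bases reachable when the pad count is drawn from [0, max_pad]. */
int distinct_bases(const unsigned char *layout, int max_pad, int dll_slots) {
    unsigned char seen[SLOTS] = {0};
    int count = 0;
    for (int pad = 0; pad <= max_pad; pad++) {
        int base = dll_base_after_padding(layout, pad, dll_slots);
        if (base >= 0 && !seen[base]) { seen[base] = 1; count++; }
    }
    return count;
}

/* Constructed layout: slots 0-15 in use, a 4-slot hole, slots 20-23 in use. */
void sample_layout(unsigned char *layout) {
    memset(layout, 0, SLOTS);
    memset(layout, 1, 16);
    memset(layout + 20, 1, 4);
}

int main(void) {
    unsigned char layout[SLOTS];
    sample_layout(layout);
    printf("distinct bases: %d (no padding), %d (max 16), %d (max 256)\n",
           distinct_bases(layout, 0, 8), distinct_bases(layout, 16, 8), distinct_bases(layout, 256, 8));
}
```

In this layout the first four reservations fall into a hole that is too small for the DLL, so they do not move its base. The number of distinct bases is bounded by the number of possible pad values.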

5 Comments »

  1. best to use only MEM_RESERVE and not MEM_COMMIT for VirtualAlloc so you don’t actually back the memory as this is an unnecessary waste 🙂

    Comment by Anonymous — Friday 30 September 2011 @ 6:44

  2. Good point, although we’re not wasting much 😉

    Comment by Didier Stevens — Friday 30 September 2011 @ 6:58

  3. […] there is a new feature: Bottom Up Randomization. To enable it, create a DWORD registry value with name BottomUpRandomization and value […]

    Pingback by HeapLocker 64-bit « Didier Stevens — Sunday 23 October 2011 @ 19:40

  4. […] added Bottom Up Randomization to my SE_ASLR […]

    Pingback by Update: SE_ASLR Version 0.0.0.2 « Didier Stevens — Thursday 29 March 2012 @ 9:15

  5. memory used : from 64 kb to max 16 mb ?

    using max 1 mb, how effective is the benefit ?

    Comment by Massimo Sala — Sunday 16 April 2017 @ 19:20

