Didier Stevens

Thursday 1 September 2011

Bottom Up Randomization Saves Mandatory ASLR

Filed under: Vulnerabilities,Windows 7,Windows Vista — Didier Stevens @ 17:32

I recently found out that pseudo-ASLR (or mandatory ASLR in EMET) has a lower entropy than real ASLR. While real ASLR has a 8-bit entropy for base addresses, mandatory ASLR turned out only to have about 4 bits of entropy, and the distribution was far from uniform. What I forgot to tell you in that post, is that I just enabled Mandatory ASLR as mitigation in EMET, and nothing else:

Matt Miller told me that a new feature of EMET version 2.1, Bottom Up Randomization, would greatly improve the entropy of mandatory ASLR.

The results are spectacular. When I let my test program run around 500,000 times, I get almost 200 different base addresses. And the distribution is more uniform too, no address appears more frequently than 3% of the time.

To get decent protection from mandatory ASLR, be sure to use the latest version of EMET (2.1) and enable Bottom Up Randomization. This gives you the same entropy than real ASLR, with the added bonus that the base address will change each time the application is started, compared to real ASLR which requires a reboot.


  1. If I understand correctly, the mandatory ASLR feature works by pre allocating the preferred base address of a DLL to force it to load elsewhere, but how does bottom up randomization work?

    Comment by Géal — Thursday 1 September 2011 @ 17:44

  2. @Géal Here’s what Matt Miller told me:

    It works by reserving a random number (between [0,256]) of 64K regions via VirtualAlloc. This has the effect of consuming a small portion of the bottom part of the address space. Since the Windows kernel assigns base addresses for collided DLLs by searching for a free region starting at the bottom of the address space, bottom up randomization ensures that a random base address will be assigned. Without bottom up randomization the bottom part of the address space remains fairly static (with some exceptions, such as due to heap, stack, and EXE randomization).

    Comment by Didier Stevens — Thursday 1 September 2011 @ 18:13

  3. […] programma’s tegen aanvallen moet beschermen, blijkt belangrijke verbeteringen bevatten. Dat ontdekte de Belgische beveiligingsonderzoeker Didier Stevens. Versie 2.1 van de gratis Enhanced Mitigation […]

    Pingback by Microsoft security-tool maakt hackers het leven zuur | SFIX – Advanced Security Services & ICT Solutions — Friday 2 September 2011 @ 10:42

  4. […] new Bottom Up Randomization spectacularly increased the entropy of DLL’s base addresses loaded into my test program. Instead of 15 different addresses, I had more than […]

    Pingback by Add Bottom Up Randomization To (Your Own) Source Code « Didier Stevens — Thursday 29 September 2011 @ 19:15

  5. […] profile. For a great overview of EMET, please see Didier Steven's article here (pages 10-13) or this article on enabling bottom-up ASLR for applications like Adobe Reader (also recommended).Make sure all […]

    Pingback by Is Windows 7 Firewall good enough for home use? — Saturday 28 April 2012 @ 13:25

  6. […] work off-the-shelf.  Detailed analysis of the ASLR used shows it to be pretty darned good when configured properly.  This means that a bad guy trying to exploit a buffer overflow on your system is probably going […]

    Pingback by EMET v3 Introduces Group Policy and Logging — Thursday 17 May 2012 @ 14:59

RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.