Abstract

Address Space Layout Randomization (ASLR) is de-facto standard exploit mitigation in our daily life software. The simplest idea of unpredictably randomizing memory layout significantly raises the bar for memory exploitation due to the additionally required attack primitives such as information leakage. Ironically, although exceptional, there are rare edge cases where ASLR becomes handy for memory exploitation. In this paper, we dig into such theoretical set of cases and name it as BadASLR. Based on our study, we introduce four categories of BadASLR: (i) aiding free chunk reclamation in heap spraying attack, (ii) aiding stack pivoting in frame-pointer null poisoning attack, (iii) reviving the exploitability of invalid pointer referencing bug, and (iv) introducing wild-card ROP gadgets in x86/x64 position independent code environment. To evaluate if BadASLR can be an actual plausible scenario, we look into real-world bug bounty cases, CTF/wargame challenges. Surprisingly, we found multiple vulnerabilities in commercial software where ASLR becomes handy for attacker. With BadASLR cases, we succeeded in exploiting peculiar vulnerabilities, and received total 10,000 USD as bug bounty reward including one CVE assignment.

Talk to us

Join us for a 30 min session where you can share your feedback and ask us any queries you have

Schedule a call

Similar Papers

Paper Title
Journal
Date
Author
BadASLR: Exceptional Cases of ASLR Aiding Exploitation
Daehee Jang
-
Daehee JangDaehee Jang
01 Jan 2020
ASLR: How Robust Is the Randomness?
Jonathan Ganz ... Sean Peisert
-
Jonathan Ganz, et. al.Jonathan Ganz ... Sean Peisert
04 Aug 2017
Effect of ASLR on Memory Duplicate Ratio in Cache-based Virtual Machine Live Migration
Guangyong Piao ... Chanik Park
IEMEK Journal of Embedded Systems and Applications | VOL. 9
Guangyong Piao, et. al.Guangyong Piao ... Chanik Park
31 Aug 2014
Address Space Layout Randomization Next Generation
Hector Marco-Gisbert ... Ismael Ripoll Ripoll
Applied Sciences | VOL. 9
Hector Marco-Gisbert, et. al.Hector Marco-Gisbert ... Ismael Ripoll Ripoll
22 Jul 2019
View more papers

More From: Computers & Security

Paper Title
Journal
Date
Author
An innovative practical roadmap for optimal control strategies in malware propagation through the integration of RL with MPC
Mousa Tayseer Jafar ... Gang Li
Computers & Security | VOL. -
Mousa Tayseer Jafar, et. al.Mousa Tayseer Jafar ... Gang Li
01 Nov 2024
SecKG2vec: A Novel Security Knowledge Graph Relational Reasoning Method based on Semantic and Structural Fusion Embedding
Xiaojian Liu ... Wen Gu
Computers & Security | VOL. -
Xiaojian Liu, et. al.Xiaojian Liu ... Wen Gu
01 Nov 2024
Hierarchical Perception for Encrypted Traffic Classification via Class Incremental Learning
Zhiyuan Li ... Fanliang Bu
Computers & Security | VOL. -
Zhiyuan Li, et. al.Zhiyuan Li ... Fanliang Bu
01 Nov 2024
Privacy protection against user profiling through optimal data generalization
César Gil ... Jordi Forné
Computers & Security | VOL. -
César Gil, et. al.César Gil ... Jordi Forné
01 Nov 2024
View more papers

Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.