Address space randomization

First, on the subject of administrivia: it's been awhile since this blog has been updated. It's been a busy few months, and I've managed to draft a number of entries, so expect a barrage of updates in the next few weeks.

I've recently completed a paper discussing an effective implementation of address-space randomization. In short, randomizing the location of critical objects in memory has been proposed as a means to counter arbitrary code execution. The PaX and GRSecurity groups have implemented this in the form of a Linux kernel patch, along with a number of other protections. This has been criticized as ineffective by Shacham, et al., amongst others. My solution proposes a simple watcher process that addresses the shortcomings brought forward by this paper. The abstract is pasted below:

The true protection offered by randomization of the memory address space has been widely debated, most notably by Shacham, et al[1]. The limited entropy afforded by memory addresses of 32-bit architectures, specifically, allows for brute-force discovery of the randomized locations of critical system objects. In this paper, it is shown that a watcher process can successfully stymie attempts to remotely discover randomized memory address offsets. In this implementation, address-space randomization becomes an effective protection measure against arbitrary code execution.

No comments: