ASLR, short for “address space layout randomization,” is a computer security technique that helps prevent the exploitation of memory corruption vulnerabilities. How? Suppose an attacker wants to jump to a specific exploitable function in memory. ASLR randomly arranges the address space positions of a process’s key data areas so that the threat actor cannot know in advance where that function will be.
You can compare ASLR to rearranging the order of paintings in a gallery according to how likely they will get stolen. The technique would place the most expensive works of art in the most inaccessible place and move on down the line, placing the least likely to get stolen in the most accessible room.
Read More about ASLR
Did you know that the term “ASLR” was coined by the Linux PaX project team members who published a report on its first design and implementation in July 2001? It was created as a patch for the Linux kernel. The first mainstream operating system (OS) with built-in ASLR support was OpenBSD version 3.4, released in 2003, followed by Linux in 2005.
What Benefit Does ASLR Provide?
As mentioned, ASLR’s main benefit is security. Simply put, the technique makes it harder for attackers to locate target addresses. They would have to guess, giving system administrators time to tighten security should they notice anomalies.
Why Aren’t There Many ASLR Users?
Despite the added security ASLR provides, not many employ it due to the following disadvantages:
- ASLR is heavily dependent on load times. If the device has a slow load time, attackers can exploit vulnerabilities before ASLR takes effect.
- It doesn’t support many executables and libraries.
- ASLR also has low entropy, which makes it vulnerable to brute-force guessing and similar attacks.
- It doesn’t raise any alarm about attack attempts or notify users that an attack is under way.
- ASLR remains vulnerable to side-channel attacks.
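One way to check the first and third points above in practice is to compare where the kernel places a program’s key regions across two runs and to turn the entropy claim into a guess count. The following is an added example, not code from the original article; it parses Linux `/proc/<pid>/maps` output (the two sample runs embedded below are constructed, not captured from a real system) and assumes the executable is a PIE binary so that its first file-backed mapping is the main image.

```python
import re

# One /proc/<pid>/maps line: start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+\S+\s+\S+\s+\S+\s+\S+\s*(.*)$")

def parse_maps(text: str) -> dict:
    """Lowest start address of each region ASLR is expected to relocate:
    'main' (first file-backed mapping, assumed to be the PIE executable),
    'libc', '[heap]', '[stack]', '[vdso]'. Other mappings are ignored."""
    bases = {}
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        start, path = int(m.group(1), 16), m.group(3)
        if path in ("[heap]", "[stack]", "[vdso]"):
            name = path
        elif "/libc." in path or "/libc-" in path:
            name = "libc"
        elif path.startswith("/") and "main" not in bases:
            name = "main"
        else:
            continue
        bases.setdefault(name, start)
    return bases

def randomized_regions(maps_a: str, maps_b: str) -> dict:
    """For two runs of the same program, report which regions changed base.
    With full ASLR every entry is True; an unchanged entry is a region an
    attacker could target with a fixed address."""
    a, b = parse_maps(maps_a), parse_maps(maps_b)
    return {name: a[name] != b[name] for name in a if name in b}

def expected_guesses(entropy_bits: int) -> int:
    """Average brute-force attempts against a uniformly random n-bit base
    (half the search space); a side channel leaking k bits divides this by 2**k."""
    return 2 ** (entropy_bits - 1)

# Constructed sample output from two runs of the same PIE binary (not real data).
RUN_A = """55d2c1a00000-55d2c1a01000 r--p 00000000 08:01 131340 /usr/bin/demo
55d2c2f1b000-55d2c2f3c000 rw-p 00000000 00:00 0 [heap]
7f3a1c200000-7f3a1c228000 r--p 00000000 08:01 262253 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd5e3c0000-7ffd5e3e1000 rw-p 00000000 00:00 0 [stack]
7ffd5e3f2000-7ffd5e3f4000 r-xp 00000000 00:00 0 [vdso]
"""
RUN_B = """5617aa400000-5617aa401000 r--p 00000000 08:01 131340 /usr/bin/demo
5617ab9c2000-5617ab9e3000 rw-p 00000000 00:00 0 [heap]
7f9b40e00000-7f9b40e28000 r--p 00000000 08:01 262253 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffc13b70000-7ffc13b91000 rw-p 00000000 00:00 0 [stack]
7ffc13bae000-7ffc13bb0000 r-xp 00000000 00:00 0 [vdso]
"""
```

On a live Linux host, feeding `open("/proc/self/maps").read()` from two separate runs of the same binary into `randomized_regions` shows whether ASLR is actually active for that program.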
What Is a Side-Channel Attack, and How Does It Sidestep ASLR?
A side-channel attack exploits information leaked by the physical implementation of a protocol or algorithm rather than a weakness in the algorithm itself. The data that can be exploited to mount a side-channel attack includes timing information, power consumption, electromagnetic leaks, and sound.
ASLR, as we said, depends on load times and is vulnerable to power fluctuations. So, if the attackers know that it takes 10 minutes after the target system is turned on for ASLR to take effect, they can execute their attack before that time elapses.
What Are the Different Kinds of Side-Channel Attacks?
These side-channel attacks may be able to bypass ASLR:
- Cache attack: Relies on an attacker’s ability to monitor cache accesses a victim makes on a shared physical system or a cloud service.
- Timing attack: Requires an attacker to measure how much time various computations, like comparing a password with the victim’s unknown one, take to perform.
- Power-monitoring attack: Uses varying hardware power consumptions during computation.
- Electromagnetic attack: Utilizes leaked electromagnetic radiation that can directly provide plaintext and other information.
- Acoustic cryptanalysis: Exploits the sound produced during a computation.
- Differential fault analysis: Involves discovering secrets by introducing faults in a computation.
- Data remanence: Also known as a “cold boot attack,” requires reading sensitive data that has been supposedly deleted.
- Software-initiated fault attack: Enables changing off-limits memory by accessing adjacent memory.
- Allowlist: May be used to track Bluetooth Media Access Control (MAC) addresses.
- Optical: Allows an attacker to read secrets and sensitive data via visual recording using a high-resolution camera or other devices with such capabilities.
In 2017, a side-channel attack dubbed “ASLR⊕Cache” defeated ASLR in a web browser using JavaScript.
What Widely Used OSs Implement ASLR?
Many OSs use ASLR, including:
- Android 4.0 Ice Cream Sandwich: Uses ASLR to help protect devices and third-party apps from exploitation due to memory management issues.
- DragonFly BSD: Implements ASLR since 2010.
- FreeBSD: Supports ASLR since FreeBSD 13.0.
- iOS: Introduced by Apple in iOS 4.3, which was released in March 2011.
- Linux: Available by default since kernel version 2.6.12, which was released in June 2005.
- Microsoft Windows: Available since Windows Vista, which was released in January 2007.
- NetBSD: Supports ASLR since NetBSD 5.0, which was released in April 2009 and enabled by default in versions made available since April 2016.
- OpenBSD: In 2003, it became the first mainstream OS to support a potent form of ASLR that was activated by default.
- macOS: Came with Mac OS X Leopard 10.5 in October 2007 to randomize system libraries. Mac OS X Lion 10.7, released in July 2011, covered all applications. By OS X Mountain Lion 10.8, released in July 2012, and later, ASLR randomly relocated addresses in the entire device during system boot.
- Solaris: Available since Solaris 11.1, which was released in October 2012.
Despite its limitations, ASLR remains in use because of its ability to thwart attacks.
Key Takeaways
- ASLR is a computer security technique that helps prevent the exploitation of memory corruption vulnerabilities.
- ASLR makes it harder for attackers to locate target addresses.
- ASLR limitations include heavy dependence on load times, lack of support for many executables and libraries, and low entropy.
- Android 4.0 Ice Cream Sandwich, DragonFly BSD, FreeBSD 13.0, iOS 4.3, Linux 2.6.12, Microsoft Windows Vista, NetBSD 5.0, OpenBSD, Mac OS X Leopard 10.5, and Solaris 11.1 and later have ASLR capability.