Friday, 3 January 2014

Address Space Layout Randomisation (ASLR) and Data Execution Protection (DEP) Part 2

The effectiveness of ASLR depends upon entropy of the address space of the process, that is is to say, the probability of finding a random local variable. The entropy of a program can be calculated with the following equation, whereby you will need to know the entropy of each individual element of your program, for example the top of your stack (ESP).

I've only recently started learning my Algebra and Calculus again, otherwise I would have attempted to explain the other mathematical equations.

ASLR was only implemented to reduce the likelihood of existing vulnerabilities of being exploited, it wasn't a attempt to fix these memory manipulation vulnerabilities as they are described by Symantec. The effectiveness of ASLR, does not just depend upon the entropy, but it also depends upon the attacker's code and the number of attempts they have made. Again, this can be expressed mathematically.

After, some research created by Symantec on ASLR in Windows Vista, there have been significant changes with ASLR in Windows 8 (or Windows 8.1).

One example, is providing higher entropy for address space layouts, and this can be given as a option called HiASLR. The larger address space for 64-bit processes, also increases the entropy of the ASLR for a process.

Another example, is forcing ASLR on non-ASLR libraries, which was a technique depended upon by attackers. This is also able with Windows 7. A library will need to have the DYNAMIC_BASE flag set to be randomised.

Windows 8 has added ramdomisation for all BottomUp and TopDown memory allocations, which increases the effectiveness of ASLR, which wasn't able in Windows 7.

Some of the exploits or bypasses for ASLR include Information Leaks, Heap Sprays and NOP Slides. I'll briefly explain each of these potential bypasses.

NOP Slides

The NOP instruction means No Operation, and is designed to cause the CPU to eventually slide or move to the malicious instruction, whereby a branch may be performed to the malicious code. NOP Slides are typically used when the return address of a function is unknown.

Heap Sprays

Heap Sprays are usually used in conjunction with NOP Slides. Since the Heap is deterministic, and uses set allocation sizes, attackers are able to easily predict certain addresses. The aim is to create heap allocations, which would lead to a predictable address, which is also called the Address of Interest, since this is the address they wish to gain control of. The program then will read the sprayed heap address, and the malicious code will be executed.

My next blog post will most likely take a look at heap in more detail, and I may create some posts which are more in-depth in regards to the above security exploits.

Additional Reading:

Security Research Papers - SkyDrive (My Account)

Bypassing Stack Cookies, SafeSEH, SEHOP, HW

1 comment: