Address Space Layout Permutation: Increasing Resistance to Memory Corruption Attacks

Title: Address Space Layout Permutation: Increasing Resistance to Memory Corruption Attacks
Author: Bookholt, Christopher Glen
Advisors: Jun Xu, Committee Chair
Peng Ning, Committee Member
Laurie Williams, Committee Member
Abstract: A key problem with current address obfuscation techniques is their use of randomly sized pads to shift the location of critical memory regions. Padding limits the potential of existing techniques because pads are unused space. To increase protection, the pad size must be increased, thereby wasting additional address space. The relationship between protection and pad size forces system designers to choose between security and conservation of address space. This thesis improves upon existing address randomization techniques by proposing and implementing a novel approach to increase the probabilistic protection provided by address obfuscation with performance overhead comparable to contemporary techniques and without the use of large pads. Our approach is to randomly permute the user stack, heap, and mmap allocations throughout the entire 3-gigabyte user address space. The approach improves upon the protection of the best existing technique by an order of magnitude and with no more than 8 kilobytes lost to padding. Further, the technique incurs a performance overhead of 7-13% during process startup and less than 1% overhead thereafter. We also present a validation of address space randomization by showing that randomization limits the propagation speed of worms reliant on memory corruption attack vectors. Our analysis shows that an average time of more than 57 minutes is needed to complete a brute-force attack on the protection provided by our technique. The increased time needed for worms to exploit individual targets using the absolute location of either the user stack, heap, or an mmap allocation means that the fastest time needed to infect nearly 100% of a vulnerable population is on the order of hours, not minutes. Our analysis provides an in-depth discussion of the probabilistic protection provided by our technique.
The results offer detailed information regarding the expected performance impact in three critical computing environments: scientific, desktop, and network server. We conclude that our address obfuscation technique is capable of providing greater probabilistic protection than existing techniques at a comparable performance cost.
Date: 2005-10-18
Degree: MS
Discipline: Computer Science
URI: http://www.lib.ncsu.edu/resolver/1840.16/54


Files in this item

Files Size Format View
etd.pdf 398.2Kb PDF View/Open
