Address Space Layout Randomization (ASLR) is a crucial defense mechanism employed by modern operating systems to mitigate exploitation by randomizing the memory layout of each process. However, real-world implementations of ASLR are imperfect and subject to weaknesses that attackers can exploit. This work evaluates the effectiveness of ASLR on major desktop platforms, including Linux, MacOS, and Windows, by examining the variability in the placement of memory objects across processes, threads, and system restarts. In particular, we collect samples of memory object locations, conduct statistical analyses to measure the randomness of these placements, and examine the memory layout for patterns among objects that could decrease this randomness. The results show that while some systems, such as Linux distributions, provide robust randomization, others, such as Windows and MacOS, often fail to adequately randomize key areas such as executable code and libraries. Moreover, we find a significant reduction in the entropy of libraries after Linux 5.18 and identify correlation paths that an attacker could leverage to reduce exploitation complexity significantly. Ultimately, we rank the identified weaknesses by severity and validate our entropy estimates with a proof-of-concept attack. In brief, this paper provides the first comprehensive evaluation of ASLR effectiveness across different operating systems and highlights opportunities for Operating System (OS) vendors to strengthen their ASLR implementations.
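The measurement the abstract describes, sampling memory object locations and estimating how much of each address is actually random, as an added Python example that is not part of the paper: per-bit entropy of a sampled base address, and the entropy of the offset between two objects, which is the quantity a correlation path between them drives toward zero. The `sample_bases` helper and its child script are assumptions that read `/proc/self/maps` on Linux; the analysis functions work on any list of sampled addresses.

```python
import math
import subprocess
import sys
from collections import Counter

def bit_entropy(addrs, width=48):
    """Per-bit Shannon entropy across samples: 1.0 = fair coin, 0.0 = constant."""
    n, ent = len(addrs), []
    for b in range(width):
        p = sum((a >> b) & 1 for a in addrs) / n
        ent.append(0.0 if p in (0.0, 1.0)
                   else -(p * math.log2(p) + (1 - p) * math.log2(1 - p)))
    return ent

def randomized_bits(addrs, width=48, threshold=0.9):
    """Bits that behave like coin flips; their count approximates the guessable entropy."""
    return [b for b, h in enumerate(bit_entropy(addrs, width)) if h >= threshold]

def delta_entropy(pairs):
    """Entropy of (b - a) over (a, b) pairs; ~0 means leaking one address reveals the other."""
    n = len(pairs)
    counts = Counter(b - a for a, b in pairs)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

# Child script (constructed for this example): print the lowest mapping base
# of its own executable and of libc, read from /proc/self/maps (Linux only).
CHILD = r"""
import os, sys
me, exe, libc = os.path.realpath(sys.executable), [], []
for line in open('/proc/self/maps'):
    f = line.split()
    if len(f) < 6: continue
    start, name = int(f[0].split('-')[0], 16), os.path.basename(f[5])
    if os.path.realpath(f[5]) == me: exe.append(start)
    if name.startswith(('libc.so', 'libc-')): libc.append(start)
print(min(exe), min(libc))
"""

def sample_bases(n):
    """Spawn the child n times; returns [(exe_base, libc_base), ...]."""
    pairs = []
    for _ in range(n):
        out = subprocess.run([sys.executable, "-c", CHILD],
                             capture_output=True, text=True, check=True).stdout
        pairs.append(tuple(int(x) for x in out.split()))
    return pairs
if __name__ == "__main__":  # Linux only: sample 100 children and report
    pairs = sample_bases(100)
    print("libc random bits:", randomized_bits([b for _, b in pairs]),
          "| H(libc - exe) =", round(delta_entropy(pairs), 2), "bits")
```

A per-bit entropy well below 1.0 on bits the platform claims to randomize, or an offset entropy near zero between two objects, is the kind of weakness the paper ranks.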