Address Space Layout Randomization (ASLR) is a crucial defense mechanism employed by modern operating systems to mitigate exploitation by randomizing processes' memory layouts. However, the stark reality is that real-world implementations of ASLR are imperfect and subject to weaknesses that attackers can exploit. This work evaluates the effectiveness of ASLR on major desktop platforms, including Linux, MacOS, and Windows, by examining the variability in the placement of memory objects across processes, threads, and system restarts. In particular, we collect samples of memory object locations, conduct statistical analyses to measure the randomness of these placements, and examine the memory layout to find any patterns among objects that could decrease this randomness. The results show that while some systems, such as Linux distributions, provide robust randomization, others, such as Windows and MacOS, often fail to adequately randomize key areas such as executable code and libraries. Moreover, we find a significant reduction in the entropy of libraries after Linux 5.18 and identify correlation paths that an attacker could leverage to reduce exploitation complexity significantly. Ultimately, we rank the identified weaknesses by severity and validate our entropy estimates with a proof-of-concept attack. In brief, this paper provides the first comprehensive evaluation of ASLR effectiveness across different operating systems and highlights opportunities for Operating System (OS) vendors to strengthen ASLR implementations.
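To make the measurement methodology concrete, here is an added Python sketch, not the paper's tooling, of the kind of analysis the abstract describes: it samples `/proc/<pid>/maps` from fresh processes, counts which address bits actually vary per memory object (an upper bound on its randomized bits), and flags object pairs that always sit at the same distance, which is the kind of correlation path the authors refer to. The constructed sample dumps, object names and addresses are assumptions so the script also runs offline on non-Linux hosts.

```python
import re
import subprocess
import sys
from itertools import combinations

# One /proc/<pid>/maps line: start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(r"^([0-9a-f]+)-[0-9a-f]+\s+\S+\s+\S+\s+\S+\s+\d+\s*(.*)$")

def parse_maps(text):
    """Map each object (basename of the mapping) to its lowest start address."""
    objs = {}
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        start, name = int(m.group(1), 16), (m.group(2) or "anon").rsplit("/", 1)[-1]
        objs[name] = min(objs.get(name, start), start)
    return objs

def varying_bits(addrs):
    """Bit positions that took both 0 and 1 across the samples: with enough
    samples this is an upper bound on how many address bits ASLR randomizes."""
    all_or = all_and = addrs[0]
    for a in addrs[1:]:
        all_or, all_and = all_or | a, all_and & a
    return bin(all_or & ~all_and).count("1")

def analyze(dumps):
    """Per-object varying-bit count, plus object pairs whose distance never
    changes (a correlation path: one leaked address reveals the other)."""
    runs = [parse_maps(d) for d in dumps]
    common = sorted(set.intersection(*(set(r) for r in runs)))
    bits = {n: varying_bits([r[n] for r in runs]) for n in common}
    pairs = [(a, b) for a, b in combinations(common, 2)
             if len({r[b] - r[a] for r in runs}) == 1]
    return bits, pairs

def collect_live(n):
    """Linux only: sample the maps of n fresh processes (cat reading its own maps)."""
    return [subprocess.run(["cat", "/proc/self/maps"], capture_output=True,
                           text=True, check=True).stdout for _ in range(n)]

def fake_dump(exe, heap, libc, ld, stack):
    """Constructed maps dump (assumed layout, not captured from a real system)."""
    return "\n".join([
        f"{exe:x}-{exe + 0x1000:x} r-xp 00000000 08:01 123 /usr/bin/demo",
        f"{heap:x}-{heap + 0x21000:x} rw-p 00000000 00:00 0 [heap]",
        f"{libc:x}-{libc + 0x28000:x} r-xp 00000000 08:01 456 /usr/lib/libc.so.6",
        f"{ld:x}-{ld + 0x2000:x} r-xp 00000000 08:01 789 /usr/lib/ld-linux-x86-64.so.2",
        f"{stack:x}-{stack + 0x21000:x} rw-p 00000000 00:00 0 [stack]"])

# Fixed executable (non-PIE), independent heap/stack, libc and ld always 0x200000 apart.
SAMPLES = [fake_dump(0x55d4a1c00000, h, l, l + 0x200000, s) for h, l, s in [
    (0x55d4a1e10000, 0x7f3a10000000, 0x7ffd5b100000),
    (0x55d4a2330000, 0x7f8c40000000, 0x7ffe12340000),
    (0x55d4a1ff0000, 0x7f0123400000, 0x7ffcabcd0000)]]

if __name__ == "__main__":
    dumps = collect_live(32) if sys.platform.startswith("linux") else SAMPLES
    bits, pairs = analyze(dumps)
    for name, n in bits.items():
        print(f"{name:24s} varying bits: {n}")
    print("constant-distance pairs:", pairs)
```

On a live Linux host the varying-bit counts converge toward the kernel's configured randomization bits as the sample count grows, and every pair reported is a candidate correlation path worth examining.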