Exploiting Linux and PaX ASLR's Weaknesses on 32-bit and 64-bit Systems

Presented at Black Hat Asia 2016

In this work, we present four weaknesses in the current Linux and PaX ASLR design and implementation: 1) too low entropy, 2) non-uniform distribution, 3) correlation between objects, and 4) inheritance. A proof of concept exploiting the correlation weakness is presented, which bypasses full ASLR on 64-bit Linux in less than one second, on a system with the protection enabled. A deep analysis of all these weaknesses enabled us to propose a new ASLR design. A proof-of-concept implementation for Linux, named ASLR-NG, will be presented; it overcomes all current ASLR implementations, including the PaX solution. Finally, we present ASLRA, a suite of tools for analyzing the ASLR entropy of Linux.


Presenters:

  • Dr. Hector Marco-Gisbert - Polytechnic University of Valencia
    Hector Marco-Gisbert received his Ph.D. in computer science (cybersecurity) in 2015. Initially, he participated in several research projects whose main goal was to develop a hypervisor for the next generation of spacecraft for the ESA (European Space Agency). He contributed to extending the scope of these projects to include security aspects using the MILS (Multiple Independent Levels of Security/Safety) architecture. His research aims to identify and thwart critical security threats, focusing on server and smartphone platforms. His interests include the study and design of new low-level protection mechanisms. He revisited mature and well-known techniques such as SSP (Stack Smashing Protection) and ASLR (Address Space Layout Randomization), and was able to make substantial contributions such as RenewSSP and ASLR-NG. Currently, Hector Marco is a cybersecurity researcher in the UPV Cybersecurity group.
  • Dr. Ismael Ripoll - Polytechnic University of Valencia
    Ismael Ripoll received his Ph.D. in computer science from the Universitat Politecnica de Valencia in 1996, where he is a professor of several cybersecurity subjects in the Department of Computing Engineering. In reverse chronological order: before working on security, he participated in multiple research projects related to hypervisor solutions for European spacecraft, dynamic memory allocation algorithms, Real-Time Linux, and hard real-time scheduling theory. Currently, he is applying all of this background to the security field. His current research interests include memory-error defense and attack techniques (SSP and ASLR) and software diversification. Ismael Ripoll is a cybersecurity researcher in the UPV Cybersecurity group.