BadASLR: Exceptional cases of ASLR aiding exploitation

Research output: Contribution to journal > Article > peer-review

3 Citations (Scopus)

Abstract

Address Space Layout Randomization (ASLR) is the de facto standard exploit mitigation in everyday software. The simple idea of randomizing the memory layout unpredictably raises the bar for memory-corruption exploitation considerably, because the attacker then needs additional primitives such as an information leak. Ironically, there are rare edge cases in which ASLR becomes handy for memory exploitation. In this paper we examine this theoretical set of cases and name it BadASLR. Based on our study, we introduce four categories of BadASLR: (i) aiding free-chunk reclamation in a heap spraying attack, (ii) aiding stack pivoting in a frame-pointer null-poisoning attack, (iii) reviving the exploitability of an invalid pointer dereference bug, and (iv) introducing wild-card ROP gadgets in x86/x64 position-independent code. To evaluate whether BadASLR is a plausible real-world scenario, we look into bug bounty cases and CTF/wargame challenges. Surprisingly, we found multiple vulnerabilities in commercial software where ASLR helps the attacker. Using BadASLR cases, we succeeded in exploiting these peculiar vulnerabilities and received a total of 10,000 USD in bug bounty rewards, including one CVE assignment.
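Category (ii) is the easiest to see in a few lines. A null-byte overflow into the saved frame pointer clears its low byte, so after the callee's `leave` and the caller's `leave; ret` the CPU takes its next return address from a 256-byte-aligned slot whose position relative to the attacker's buffer depends on the low byte of the stack address. Without ASLR that low byte is fixed, so the pivot either always lands in attacker data or never does; with ASLR it varies per run, so a layout that is a guaranteed miss becomes a probabilistic hit. The following is an added illustration of that generic mechanism, not the paper's case study or code: the frame geometry (0x80-byte buffer directly below rbp, caller frame pointer 0x20 bytes above) and the 16-byte stack-offset granularity are constructed assumptions, and the stack addresses are made up.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed frame geometry (assumption for this illustration):
 *   [callee_rbp - 0x80, callee_rbp)  attacker-controlled local buffer
 *   [callee_rbp, callee_rbp + 8)     saved rbp of the caller
 *   [callee_rbp + 8, ...)            return address (not attacker-controlled)
 * A one-byte overflow past the buffer writes 0x00 into the low byte of the
 * saved rbp (little-endian), i.e. frame-pointer null poisoning. */
#define BUF_LEN     0x80u
#define CALLER_DIST 0x20u   /* caller's rbp sits this far above the callee's rbp */

typedef struct {
    uint64_t callee_rbp;   /* rbp inside the vulnerable function */
    uint64_t buf;          /* start of the attacker-controlled buffer */
    uint64_t caller_rbp;   /* value stored at [callee_rbp]; this is what gets poisoned */
} frame_t;

frame_t model_frame(uint64_t callee_rbp) {
    frame_t f;
    f.callee_rbp = callee_rbp;
    f.buf        = callee_rbp - BUF_LEN;
    f.caller_rbp = callee_rbp + CALLER_DIST;
    return f;
}

/* Effect of the off-by-one 0x00 write: the saved frame pointer is rounded
 * down to the nearest 256-byte boundary at or below its real value. */
uint64_t poison_low_byte(uint64_t saved_rbp) {
    return saved_rbp & ~(uint64_t)0xff;
}

/* The callee's `leave` loads the poisoned value into rbp; the caller's
 * `leave; ret` then does `mov rsp, rbp; pop rbp; ret`, so the return
 * address is fetched from poisoned_rbp + 8. The pivot is useful only if
 * that 8-byte slot lies entirely inside the attacker-controlled buffer. */
bool pivot_hits_buffer(uint64_t poisoned_rbp, uint64_t buf, size_t len) {
    uint64_t ret_slot = poisoned_rbp + 8;
    return ret_slot >= buf && ret_slot + 8 <= buf + len;
}

/* Whole chain for one concrete stack position. */
bool exploit_succeeds(uint64_t callee_rbp) {
    frame_t f = model_frame(callee_rbp);
    return pivot_hits_buffer(poison_low_byte(f.caller_rbp), f.buf, BUF_LEN);
}

/* Model stack ASLR as the frame sliding through `steps` positions at
 * 16-byte granularity (assumption; Linux randomizes the initial stack
 * pointer within a page at that granularity). Returns how many of those
 * positions make the pivot land inside the controlled buffer. */
int count_hits_over_window(uint64_t base, int steps) {
    int hits = 0;
    for (int i = 0; i < steps; i++)
        if (exploit_succeeds(base + 16u * (uint64_t)i))
            hits++;
    return hits;
}

int main(void) {
    /* Constructed address: a 256-byte-aligned rbp, as a fixed (no-ASLR) layout. */
    uint64_t fixed = 0x7ffc12345000ULL;
    printf("fixed layout rbp=0x%" PRIx64 ": %s\n", fixed,
           exploit_succeeds(fixed) ? "pivot lands in buffer" : "pivot misses buffer");

    int steps = 256;
    int hits  = count_hits_over_window(fixed, steps);
    printf("with ASLR over %d stack offsets: %d hits (%.1f%%)\n",
           steps, hits, 100.0 * hits / steps);
    return 0;
}
```

With this geometry the fixed layout is a guaranteed miss (the poisoned rbp equals the callee's own rbp, so the fetched slot is the real return address, not the buffer), while under randomization half of the 16-byte stack offsets put the slot inside the buffer. That is the sense in which randomization "aids" the attacker here: it converts a deterministic failure into a retry-until-success exploit.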

Original language: English
Article number: 102510
Journal: Computers and Security
Volume: 112
Publication status: Published - Jan 2022

Bibliographical note

Publisher Copyright: © 2021

Keywords

  • Address space layout randomization
  • heap randomization
  • low fragmentation heap
  • memory exploit
  • return oriented programming
