What Is ASLR, and How Does It Keep Your Computer Secure?
Address Space Layout Randomization (ASLR) is a security technique used in operating systems, first implemented in 2001. The current versions of all major operating systems (iOS, Android, Windows, macOS, and Linux) feature ASLR protection. But in the past week, a new method of bypassing ASLR has been found. So, should you be worried?
To those without a low-level programming background, ASLR can be confusing. To understand it, you must first understand virtual memory.
What Is Virtual Memory?
The operating system allocates chunks of memory to programs called pages. If there is not enough RAM to store all the pages at once, the pages least likely to be needed are stored on the slower (but more spacious) hard drive. When the stored pages are needed, they’ll switch spaces with less necessary pages currently in RAM. This process is called paging, and lends its name to the pagefile.sys file on Windows.
Virtual memory makes it easier for programs to manage their own memory, and also makes them more secure. Programs don’t need to worry about where other programs are storing data, or how much RAM is left. They can just ask the operating system for additional memory (or return unused memory) as necessary. All the program sees is a single continuous chunk of memory addresses for its exclusive use, called virtual addresses. The program is not allowed to look at another program’s memory.
When a program needs to access memory, it gives the operating system a virtual address. The operating system contacts the CPU’s memory management unit (MMU). The MMU translates between virtual and physical addresses, returning that information to the operating system. At no point does the program directly interact with RAM.
What Is ASLR?
Buffer overflows require an attacker to know where each part of the program is located in memory. Figuring this out is usually a difficult process of trial and error. After determining that, they must craft a payload and find a suitable place to inject it. If the attacker does not know where their target code is located, it can be difficult or impossible to exploit it.
ASLR works alongside virtual memory management to randomize the locations of different parts of the program in memory. Every time the program is run, components (including the stack, heap, and libraries) are moved to a different address in virtual memory. Attackers can no longer learn where their target is through trial and error, because the address will be different every time. Generally, applications need to be compiled with ASLR support, but this is becoming the default, and is even required on Android 5.0 and later.
So Does ASLR Still Protect You?
That said, you shouldn’t necessarily despair. The paper offered a few ways that hardware and operating system developers can mitigate this threat. Newer, fine-grain ASLR techniques would require more effort from the attacker, and increasing the amount of entropy (randomness) can make the Jump Over attack infeasible. Most likely, newer operating systems and processors will be immune to this attack.
So what is left for you to do? The Jump Over bypass is new, and hasn’t yet been spotted in the wild. When attackers exploit it, the flaw will increase the potential damage an attacker can cause on your device. This level of access isn’t unprecedented; Microsoft and Apple only implemented ASLR in their operating systems released 2007 and later. Even if this style of attack becomes commonplace, you won’t be any worse off than you were back in the days of Windows XP.
Keep in mind that attackers still have to get their code on your device to do any harm. This flaw does not provide them with any additional ways to infect you. As always, you should follow security best practices. Use antivirus, stay away from sketchy websites and programs, and keep your software up to date. By following these steps and keeping malicious actors off your computer, you’ll be as safe as you’ve ever been.
No comments:
Post a Comment