ASLR
In July 1998, solar designer published a Linux kernel patch to make the stack non-executable. It also changed the default address at which shared libraries are mmap'ed so that it always contains a zero byte, which keeps library addresses out of any payload delivered through a C string. While this is not ASLR, it is about changing memory offsets to change security properties, so it is not entirely off-topic here.
The term ASLR (Address Space Layout Randomisation) was coined in July 2001 by pipacs. Its original design covered:
- binaries, via RANDEXEC, August 2001
- files and anonymous mappings (binary and libraries), i.e. the mmap base, via RANDMMAP, August 2001; brk randomization was added in July 2003
In August 2001, Artur Grabowski implemented in OpenBSD the possibility to add a random offset to the stack on execve, with the following commit message:
Add a possibility to add a random offset to the stack on exec. This makes it slightly harder to write generic buffer overflows. This doesn’t really give any real security, but it raises the bar for script-kiddies and it’s really cheap.
The feature was enabled by default in February 2002.
In August 2002, the userland stack was also randomised in PaX via RANDUSTACK, and the ASLR design paper was likely completed accordingly.
In March 2003, PaX' PAGEEXEC and RANDEXEC/RANDUSTACK/RANDMMAP were ported to alpha, sparc, sparc64, and parisc.
Randomization for mmap and libraries landed in OpenBSD 3.4 in November 2003.
Linux added ASLR support for the stack and mmap in January 2005 and enabled it by default in 2.6.12, two years after OpenBSD, thanks to Arjan van de Ven.
The same month, Wehnus released their implementation of ASLR for Windows 2000, XP and 2003 named WehnTrust, based on PaX’ work.
Microsoft added ASLR to Windows Vista in 2006, and announced it at ph-neutral 0x7d6.
In April 2008, Linux got heap randomisation and PIE support as well.
FreeBSD on amd64 got ASLR by default in 2023, with the release of FreeBSD 13.2, along with PIE by default. Amusingly, this work was sponsored by Stormshield, since they have been using FreeBSD in their “Web security firewall” since 1998!
On the 13th of March 2023, Mark Kettenis improved the randomisation of the stack on all 64-bit architectures except alpha, with the following justification: “This should make it harder for an attacker to find the stack.” This is completely overkill, since OpenBSD's stack already had 37 bits of entropy.
In his 2023 CanSecWest talk, De Raadt credited PaX with inventing ASLR. But he also explained that the leaks used to bypass ASLR are found when an attacker is able to make a program crash in a particular way, which is complete nonsense.
The bypasses for ASLR are numerous and well documented: info leaks, partial/relative overwrites, brute force, BROP, returning to de-randomised/non-randomised code, spraying, side channels, …
Without something like Nergal's segvguard, GRKERNSEC_BRUTE, or PAX_SEGVGUARD, an attacker can simply brute-force everything when a program forks without exec'ing: the child inherits the parent's layout unchanged, so a wrong guess only costs a crashed child, and the next attempt sees exactly the same addresses.
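As an added example (not code from this page nor from any of the projects it mentions), the following C program shows the mechanism behind that brute force on Linux/BSD: a forked child inherits its parent's address-space layout byte for byte, and a child that crashes on a wrong guess leaves the parent's layout untouched for the next try. The brute-force loop only searches the low bits of a code address (assuming, for the sake of a short run, that the higher bits are already known, e.g. from a partial leak); the functions `fork_preserves_layout`, `attempt` and `bruteforce_low_bits` are this example's own names.

```c
/* Added example: why ASLR is brute-forceable against fork-only servers. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/resource.h>

/* One address from each region that ASLR is supposed to randomise. */
struct layout { uintptr_t stack, heap, libc, text; };

static void snapshot(struct layout *l, int *stack_obj, void *heap_obj) {
    l->stack = (uintptr_t)stack_obj;    /* a local in the caller's frame */
    l->heap  = (uintptr_t)heap_obj;     /* a malloc()ed object */
    l->libc  = (uintptr_t)&getpid;      /* a libc function (or its PLT stub in a non-PIE build) */
    l->text  = (uintptr_t)&snapshot;    /* a function inside this program's own image */
}

/* Fork a child, have it report its layout through a pipe and compare it with the
   parent's view. Returns 1 if every region is at the same address in both
   processes, 0 if any differs, -1 on a system-call failure. */
int fork_preserves_layout(void) {
    int stack_marker = 0;
    int fd[2];
    if (pipe(fd) != 0) return -1;
    void *heap_obj = malloc(64);
    if (!heap_obj) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        struct layout child;
        snapshot(&child, &stack_marker, heap_obj);
        close(fd[0]);
        if (write(fd[1], &child, sizeof child) != (ssize_t)sizeof child) _exit(1);
        _exit(0);
    }
    close(fd[1]);
    struct layout parent, child;
    snapshot(&parent, &stack_marker, heap_obj);
    ssize_t n = read(fd[0], &child, sizeof child);
    close(fd[0]);
    waitpid(pid, NULL, 0);
    free(heap_obj);
    if (n != (ssize_t)sizeof child) return -1;
    return memcmp(&parent, &child, sizeof parent) == 0;
}

/* Simulate one exploitation attempt against a fork-only server: the child
   "jumps" to the guessed address and survives only if the guess is right.
   Returns 1 if the child exited cleanly, 0 if it crashed, -1 if fork() failed. */
static int attempt(uintptr_t guess, uintptr_t target) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (guess == target) _exit(0);
        struct rlimit no_core = { 0, 0 };
        setrlimit(RLIMIT_CORE, &no_core); /* keep the simulated crash from dumping core */
        abort();                          /* wrong guess: only this child dies */
    }
    int status;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

/* Brute-force the low `bits` bits of a code address in this image, assuming the
   higher bits are already known (constructed narrowing, so the loop stays short).
   Returns the number of attempts that were needed, or -1 on failure. */
int bruteforce_low_bits(unsigned bits) {
    uintptr_t target = (uintptr_t)&attempt;
    uintptr_t mask = ((uintptr_t)1 << bits) - 1;
    uintptr_t base = target & ~mask;
    for (uintptr_t i = 0; i <= mask; i++) {
        int r = attempt(base | i, target);
        if (r < 0) return -1;
        if (r) return (int)i + 1;          /* each failed guess cost one dead child, nothing more */
    }
    return -1;
}

int main(void) {
    printf("layout inherited across fork(): %s\n",
           fork_preserves_layout() == 1 ? "yes" : "no");
    printf("low 6 bits of &attempt brute-forced after %d attempt(s)\n",
           bruteforce_low_bits(6));
    return 0;
}
```

Every wrong guess above is paid for with one crashed child while the parent, and therefore the layout, stays put; a segvguard/GRKERNSEC_BRUTE-style mitigation makes that retry loop expensive instead of free. Running the binary twice and comparing the addresses shows what execve does re-randomise, which is exactly what a fork-only server never gets.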
It’s interesting to note that in KASLR: An Exercise in Cargo Cult Security, pipacs said, in 2013:
ASLR was always meant to be a temporary measure and its survival for this long speaks much less to its usefulness than our inability to get our collective acts together and develop/deploy actual defenses against the remaining exploit techniques.
He also said, in 2011:
for ASLR, it’s really obscurity that we use because its cost/benefit ratio is very low due to its low cost, not due to its high benefit ;). in other words, when it works, we got it for free basically, when it doesn’t, nothing is lost that wasn’t lost already.
In February 2019, spender said:
Because the history of ASLR didn’t magically start in 2005 and browser developers ignored its threat model (or did not care, ‘it raises the bar’ etc) – it’s not useful when you effectively provide an arbitrary computation environment with the ability to influence memory layout
OpenBSD’s claim of being the “first widely used operating system to provide ASLR by default” is a bit dubious, as it’s unclear whether they had/have more users than Gentoo Hardened or Adamantix. It’s also interesting to note that OpenBSD doesn’t actually have ASLR, but ASR, as highlighted by Shawn Webb. The difference is that the different sections are mapped at a random address, but with a constant delta between them, making it prone to, amongst others, things like offset2lib. But ASR is still way better than the per-boot ASLR of OSX and iOS, Windows and Android.
As a side note, OpenBSD’s kernel stack, like Linux’ one, isn’t randomized.
OpenBSD randomizing everything is neat, and forces attackers to find/create better leaks. But nowadays, all the modern operating systems have those kinds of mitigations, and are now focusing on killing the bugs that remain exploitable once an attacker has some reading capabilities, instead of fixating on randomizing things for questionable gains.