The Illusion of Randomness: An Empirical Analysis of Address Space Layout Randomization Implementations
Lorenzo Binosi, Gregorio Barzasi, Michele Carminati, Stefano Zanero, and Mario Polino

TL;DR
This paper empirically evaluates the effectiveness of ASLR across major desktop OSes, revealing significant weaknesses and patterns that could be exploited, and offers insights for improving OS security defenses.
Contribution
It provides the first comprehensive empirical analysis of ASLR implementations across Linux, MacOS, and Windows, identifying weaknesses and suggesting improvements.
Findings
Linux offers robust randomization, unlike Windows and MacOS.
Significant entropy reduction observed in Linux libraries after version 5.18.
Identified correlation paths between memory objects that attackers could exploit to reduce the complexity of defeating the randomization.
Abstract
Address Space Layout Randomization (ASLR) is a crucial defense mechanism employed by modern operating systems to mitigate exploitation by randomizing processes' memory layouts. However, the stark reality is that real-world implementations of ASLR are imperfect and subject to weaknesses that attackers can exploit. This work evaluates the effectiveness of ASLR on major desktop platforms, including Linux, MacOS, and Windows, by examining the variability in the placement of memory objects across various processes, threads, and system restarts. In particular, we collect samples of memory object locations, conduct statistical analyses to measure the randomness of these placements, and examine the memory layout to find any patterns among objects that could decrease this randomness. The results show that while some systems, like Linux distributions, provide robust randomization, others, like…
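The sampling-and-statistics approach the abstract describes, as an added illustration written for this page (not the authors' tooling): a per-bit entropy measure over sampled addresses, a check for a fixed distance between two objects (the kind of correlation path the paper reports), a constructed sample set that exercises both, and a small live collector that spawns fresh Python interpreters to obtain real code and heap addresses. The layout constants and the loader offset in `constructed_samples` are made up for the demonstration.

```python
import math
import random
import subprocess
import sys

def bit_entropy(addresses, width=48):
    """Shannon entropy (bits) of each bit position over the samples: a position
    that never changes scores 0, one that behaves as a fair coin flip scores 1."""
    n = len(addresses)
    per_bit = []
    for b in range(width):
        p = sum((a >> b) & 1 for a in addresses) / n
        per_bit.append(-sum(q * math.log2(q) for q in (p, 1 - p) if q > 0))
    return per_bit

def random_bit_count(addresses, width=48, threshold=0.9):
    """Number of bit positions that are (nearly) fair coin flips."""
    return sum(1 for h in bit_entropy(addresses, width) if h >= threshold)

def fixed_offset(samples, obj_a, obj_b):
    """Constant distance obj_b - obj_a if it is identical in every sample (a
    correlation path: one object's address reveals the other's), else None."""
    offsets = {s[obj_b] - s[obj_a] for s in samples}
    return offsets.pop() if len(offsets) == 1 else None

def constructed_samples(n=256, seed=1):
    """Constructed layouts, not measured data: libc gets 28 random page-aligned
    bits, the stack 22 random 16-byte-aligned bits, and the loader sits at a
    fixed distance from libc, mimicking a correlation the paper looks for."""
    rng = random.Random(seed)
    samples = []
    for _ in range(n):
        libc = 0x7F0000000000 | (rng.getrandbits(28) << 12)
        stack = 0x7FF000000000 | (rng.getrandbits(22) << 4)
        samples.append({"libc": libc, "ld": libc + 0x1F1000, "stack": stack})
    return samples

# Probe executed in a fresh interpreter: prints one address inside the Python
# runtime's code (Py_Initialize) and one heap allocation, as integers.
PROBE = ("import ctypes; print(ctypes.cast(ctypes.pythonapi.Py_Initialize,"
         " ctypes.c_void_p).value, ctypes.addressof(ctypes.create_string_buffer(64)))")

def collect_live(n=32):
    """Spawn n fresh interpreters and record a code and a heap address from each."""
    samples = []
    for _ in range(n):
        out = subprocess.run([sys.executable, "-c", PROBE], capture_output=True,
                             text=True, check=True).stdout.split()
        samples.append({"code": int(out[0]), "heap": int(out[1])})
    return samples
```

On a real system, feed `collect_live()` to `random_bit_count` and `fixed_offset` the same way the constructed set is analysed; a low bit count or a constant offset between objects is the weakness the paper measures.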
