Badaslr: Exceptional cases of ASLR aiding exploitation. Issue 112 (January 2022)
- Record Type:
- Journal Article
- Title:
- Badaslr: Exceptional cases of ASLR aiding exploitation. Issue 112 (January 2022)
- Main Title:
- Badaslr: Exceptional cases of ASLR aiding exploitation
- Authors:
- Jang, Daehee
- Abstract:
- Abstract: Address Space Layout Randomization (ASLR) is de-facto standard exploit mitigation in our daily life software. The simplest idea of unpredictably randomizing memory layout significantly raises the bar for memory exploitation due to the additionally required attack primitives such as information leakage. Ironically, although exceptional, there are rare edge cases where ASLR becomes handy for memory exploitation. In this paper, we dig into such theoretical set of cases and name it as BadASLR. Based on our study, we introduce four categories of BadASLR: (i) aiding free chunk reclamation in heap spraying attack, (ii) aiding stack pivoting in frame-pointer null poisoning attack, (iii) reviving the exploitability of invalid pointer referencing bug, and (iv) introducing wild-card ROP gadgets in x86/x64 position independent code environment. To evaluate if BadASLR can be an actual plausible scenario, we look into real-world bug bounty cases, CTF/wargame challenges. Surprisingly, we found multiple vulnerabilities in commercial software where ASLR becomes handy for attacker. With BadASLR cases, we succeeded in exploiting peculiar vulnerabilities, and received total 10, 000 USD as bug bounty reward including one CVE assignment.
- Is Part Of:
- Computers & security. Issue 112(2022)
- Journal:
- Computers & security
- Issue:
- Issue 112(2022)
- Issue Display:
- Volume 112, Issue 112 (2022)
- Year:
- 2022
- Volume:
- 112
- Issue:
- 112
- Issue Sort Value:
- 2022-0112-0112-0000
- Page Start:
- Page End:
- Publication Date:
- 2022-01
- Subjects:
- Address space layout randomization -- memory exploit -- heap randomization -- low fragmentation heap -- return oriented programming
Computer security -- Periodicals
Electronic data processing departments -- Security measures -- Periodicals
005.805 - Journal URLs:
- http://www.sciencedirect.com/science/journal/01674048 ↗
http://www.elsevier.com/journals ↗ - DOI:
- 10.1016/j.cose.2021.102510 ↗
- Languages:
- English
- ISSNs:
- 0167-4048
- Deposit Type:
- Legaldeposit
- View Content:
- Available online (eLD content is only available in our Reading Rooms) ↗
- Physical Locations:
- British Library DSC - 3394.781000
British Library DSC - BLDSS-3PM
British Library HMNTS - ELD Digital store - Ingest File:
- 20110.xml