64-bit ASLR


Daniel Toliaferro

May 29, 2012, 11:28:55 PM
to s4-di...@googlegroups.com
Anybody know anything about 64-bit ASLR? How practical is a bruteforce attack against it?

What are other methods of bypassing 64-bit ASLR besides a bruteforce?

Jonathan Ryan

May 30, 2012, 12:35:10 AM
to s4-di...@googlegroups.com
"In many systems, 2^N can be in the thousands or millions; on modern 64-bit systems, these numbers typically reach the millions at least. For 32-bit systems at 2004 computer speeds which have 16 bits for address randomization, Shacham and co-workers state "… 16 bits of address randomization can be defeated by a brute force attack within minutes."[1] It should be noted that the authors' statement depends on the ability to attack the same application multiple times without any delay. Proper implementations of ASLR, like that included in grsecurity, provide several methods to make such brute force attacks infeasible. One method involves preventing an executable from executing for a configurable amount of time if it has crashed a certain number of times." --  http://en.wikipedia.org/wiki/Address_space_layout_randomization 

On Tue, May 29, 2012 at 11:28 PM, Daniel Toliaferro <d.toli...@gmail.com> wrote:
Anybody know anything about 64-bit ASLR? How practical is a bruteforce attack against it?

What are other methods of bypassing 64-bit ASLR besides a bruteforce?

--
You received this message because you are subscribed to the Google Groups "S4 Discuss" group.

Jonathan Ryan

May 30, 2012, 12:38:49 AM
to s4-di...@googlegroups.com
Apparently brute force methods on the localhost are best bets (source: creator of ASLR? http://lwn.net/Articles/332602/):
"...there're two very simple reasons for this decision: one is that on localhost it's very easy to bruteforce even 32 bits of randomness..." I haven't read what it is or how it works, but based on intuition, if it is used to randomize address spaces, there would be no other means than to brute force.

Daniel Toliaferro

May 30, 2012, 10:53:05 AM
to s4-di...@googlegroups.com
So running a remote exploit on 64-bit ASLR is unfeasible?

Jonathan Ryan

May 30, 2012, 10:54:35 AM
to s4-di...@googlegroups.com
Seems so.

Daniel Toliaferro

May 30, 2012, 10:56:45 AM
to s4-di...@googlegroups.com
Wow, that sucks. So how are people breaking into systems these days? Weak passwords?

Daniel Toliaferro

May 30, 2012, 11:03:29 AM
to s4-di...@googlegroups.com
I mean it sucks from the standpoint of learning remote exploits, not from the standpoint that security is getting better.

Jonathan Ryan

May 30, 2012, 11:05:24 AM
to s4-di...@googlegroups.com
It looks like I wasn't 100% correct. http://en.wikipedia.org/wiki/Address_space_layout_randomization, read the whole thing. Looks like you can exploit tricks to reduce entropy.

Daniel Toliaferro

May 30, 2012, 11:11:28 AM
to s4-di...@googlegroups.com
Ah, I see. Thanks man.