What Is ASLR, and How Does It Keep Your Computer Secure?

aslr_cpu

Address Space Layout Randomization (ASLR) is a security technique used in operating systems, first implemented in 2001. The current versions of all major operating systems (iOS, Android, Windows, macOS, and Linux) feature ASLR protection. But in the past week, a new method of bypassing ASLR has been found. So, should you be worried?

To those without a low-level programming background, ASLR can be confusing. To understand it, you must first understand virtual memory.

What Is Virtual Memory?

Virtual Memory is a memory management technique with many benefits, but it was primarily created to make programming easier. Imagine you have Google Chrome, Microsoft Word, and several other programs open on a computer with 4 GB of RAM. As a whole, the programs on this computer use much more than 4 GB of RAM.  However, not all the programs will be active at all times, or need simultaneous access to that RAM.

The operating system allocates chunks of memory to programs called pages. If there is not enough RAM to store all the pages at once, the pages least likely to be needed are stored on the slower (but more spacious) hard drive. When the stored pages are needed, they’ll switch spaces with less necessary pages currently in RAM. This process is called paging, and lends its name to the pagefile.sys file on Windows.

Virtual memory makes it easier for programs to manage their own memory, and also makes them more secure. Programs don’t need to worry about where other programs are storing data, or how much RAM is left. They can just ask the operating system for additional memory (or return unused memory) as necessary. All the program sees is a single continuous chunk of memory addresses for its exclusive use, called virtual addresses. The program is not allowed to look at another program’s memory.

When a program needs to access memory, it gives the operating system a virtual address. The operating system contacts the CPU’s memory management unit (MMU). The MMU translates between virtual and physical addresses, returning that information to the operating system. At no point does the program directly interact with RAM.

What Is ASLR?

Address Space Layout Randomization (ASLR) is primarily used to protect against buffer overflow attacks. In a buffer overflow, attackers feed a function as much junk data as it can handle, followed by a malicious payload. The payload will overwrite data the program intends to access. Instructions to jump to another point in code are a common payload. The famous JailbreakMe method of jailbreaking iOS 4, for example, used a buffer overflow attack, prompting Apple to add ASLR to iOS 4.3.

Buffer overflows require an attacker to know where each part of the program is located in memory. Figuring this out is usually a difficult process of trial and error. After determining that, they must craft a payload and find a suitable place to inject it. If the attacker does not know where their target code is located, it can be difficult or impossible to exploit it.

ASLR works alongside virtual memory management to randomize the locations of different parts of the program in memory. Every time the program is run, components (including the stack, heap, and libraries) are moved to a different address in virtual memory. Attackers can no longer learn where their target is through trial and error, because the address will be different every time. Generally, applications need to be compiled with ASLR support, but this is becoming the default, and is even required on Android 5.0 and later.

So Does ASLR Still Protect You?

Last Tuesday, researchers from SUNY Binghamton and University of California, Riverside, presented a paper called Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR. The paper details a way to attack the Branch Target Buffer (BTB). The BTB is part of the processor that speeds up if statements by predicting the outcome. Using the authors’ method, it is possible to determine locations of known branch instructions in a running program. The attack in question was performed on a Linux machine with an Intel Haswell processor (first released in 2013), but could likely be applied to any modern operating system and processor.

That said, you shouldn’t necessarily despair. The paper offered a few ways that hardware and operating system developers can mitigate this threat. Newer, fine-grain ASLR techniques would require more effort from the attacker, and increasing the amount of entropy (randomness) can make the Jump Over attack infeasible. Most likely, newer operating systems and processors will be immune to this attack.

So what is left for you to do? The Jump Over bypass is new, and hasn’t yet been spotted in the wild. When attackers exploit it, the flaw will increase the potential damage an attacker can cause on your device. This level of access isn’t unprecedented; Microsoft and Apple only implemented ASLR in their operating systems released 2007 and later. Even if this style of attack becomes commonplace, you won’t be any worse off than you were back in the days of Windows XP.

Keep in mind that attackers still have to get their code on your device to do any harm. This flaw does not provide them with any additional ways to infect you. As always, you should follow security best practices. Use antivirus, stay away from sketchy websites and programs, and keep your software up to date. By following these steps and keeping malicious actors off your computer, you’ll be as safe as you’ve ever been.

Image Credit: Steve/Flickr

Dennis Stewart is a science fiction fan who wants you to be a little more paranoid. When he's not at his day job as a CipherTechs security engineer or writing for How-To Geek, he works a third job as a space trucker in Elite: Dangerous.