On the effectiveness of address-space randomization

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2004, Pages 298-307

  Shacham, Hovav ^a   Page, Matthew ^a   Pfaff, Ben ^a   Goh, Eu Jin ^a   Modadugu, Nagendra ^a   Boneh, Dan ^a  

^a STANFORD UNIVERSITY   (United States)

Author keywords

Address space randomization; Automated attacks; Diversity

Indexed keywords

C (PROGRAMMING LANGUAGE); COMPUTER ARCHITECTURE; COMPUTER CRIME; COMPUTER OPERATING SYSTEMS; COMPUTER SOFTWARE; COSTS; HTTP; SERVERS;

ADDRESS-SPACE RANDOMIZATION; AUTOMATED ATTACKS; DENIAL OF SERVICE; DIVERSITY;

SECURITY OF DATA;

EID: 14844328033     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1030083.1030124     Document Type: Conference Paper

References (35)

1. Aleph One. Smashing the stack for fun and profit. Phrack Magazine, 49(14), Nov. 1996. http://www.phrack.org/phrack/49/P49-14.
2. Anonymous. Once upon a free(). Phrack Magazine, 57(9), Aug. 2001. http://www.phrack.org/phrack/57/p57-0x09.
3. Apache Software Foundation. The Apache HTTP Server project, http://httpd.apache.org.
4. Apache Software Foundation. ASF bulletin 20020617, June 2002. http://httpd.apache.org/info/security_bulletin_20020617.txt.
5. Apache Software Foundation. ASF bulletin 20020620, June 2002. http://httpd.apache.org/info/security_bulletin_20020620.txt.
6. E. G. Barrantes, D. H. Ackley, T. S. Palmer, D. Stefanovic, and D. D. Zovi. Randomized instruction set emulation to disrupt binary code injection attacks. In Proc. 10th ACM Conf. Comp. and Comm. Sec. - CCS 2003, pages 281-9. ACM Press, Oct. 2003.
7. S. Bhatkar, D. DuVarney, and R. Sekar. Address obfuscation: An efficient approach to combat a broad range of memory error exploits. In V. Paxson, editor, Proc. 12th USENIX Sec. Symp., pages 105-20. USENIX, Aug. 2003.
8. Bulba and Kil3r. Bypassing StackGuard and StackShield. Phrack Magazine, 56(5), May 2000. http://www.phrack.org/phrack/56/p56-0x05.
9. CERT, June 2002. http://www.cert.org/advisories/CA-2002-17.html.
10. CERT. CERT advisory CA-2002-08: Multiple vulnerabilities in Oracle servers, Mar. 2002. http://www.cert.org/advisories/CA-2002-08.html.
11. CERT. CERT advisory CA-2003-04: MS-SQL Server worm, Jan. 2003. http://www.cert.org/advisories/CA-2003-04.html.
12. J. S. Chase, H. M. Levy, M. Baker-Harvey, and E. D. Lazowska. How to use a 64-bit address space. Technical Report 92-03-02, University of Washington, Department of Computer Science and Engineering, March 1992.
13. C. Cowan, S. Beattie, J. Johansen, and P. Wagle. PointGuard: Protecting pointers from buffer overflow vulnerabilities. In V. Paxson, editor, Proc. 12th USENIX Sec. Symp., pages 91-104. USENIX, Aug. 2003.
14. C. Cowan, C. Pu, D. Maier, H. Hinton, P. Bakke, S. Beattie, A. Grier, P. Wagle, and Q. Zhang. StackGuard: Automatic detection and prevention of buffer-overflow attacks. In A. Rubin, editor, Proc. 7th USENIX Sec. Symp., pages 63-78. USENIX, Jan. 1998.
15. T. Durden. Bypassing PaX ASLR protection. Phrack Magazine, 59(9), June 2002. http://www.phrack.org/phrack/59/p59-0x09.
16. H. Etoh and K. Yoda. ProPolice: Improved stack-smashing attack detection. IPSJ SIGNotes Computer SECurity, 014(025), Oct. 2001. http://www.trl.ibm.com/ projects/security/ssp.
17. PedCIRC. BotNets: Detection and mitigation, Feb. 2003. http://www.fedcirc.gov/library/documents/botNetsv32.doc.
18. S. Forrest, A. Somayaji, and D. Ackley. Building diverse computer systems. In J. Mogul, editor, Proc. 6th Work. Hot Topics in Operating Sys. - HotOS 1997, pages 67-72. IEEE Computer Society, May 1997.
19. D. Geer, R. Bace, P. Gutmann, P. Metzger, C. Pfleeger, J. Quarterman, and B. Schneier. Cybersecurity: The cost of monopoly - how the dominance of Microsoft's products poses a risk to security. Technical report, Comp. and Comm. Ind. Assn., 2003.
20. M. Kaempf. Vudo malloc tricks. Phrack Magazine, 57(8), Aug. 2001. http://www.phrack.org/phrack/57/p57-0x08.
21. G. S. Kc, A. D. Keromytis, and V. Prevelakis. Countering code-injection attacks with instruction-set randomization. In Proc. 10th ACM Conf. Comp. and Comm. Sec., pages 272-80. ACM Press, Oct. 2003.
22. D. Litchfield. Hackproofing Oracle Application Server, Jan. 2002. http://www.nextgenss.com/papers/hpoas.pdf.
23. L. McLaughlin. Bot software spreads, causes new worries. IEEE Distributed Systems Online, 5(6), June 2004. http://csd1.computer.org/comp/mags/ds/2004/06/ 06001.pdf.
24. Nergal. The advanced return-into-lib(c) exploits (PaX case study). Phrack Magazine, 58(4), Dec. 2001. http://www.phrack.org/phrack/58/p58-0x04.
25. D. Patterson. A simple way to estimate the cost of downtime. In A. Couch, editor, Proc. 16th Systems Administration Conf. - LISA 2002, pages 185-8. USENIX, Nov. 2002.
26. PaX Team. PaX. http://pax.grsecurity.net.
27. PaX Team. PaX address space layout randomization (ASLR), http://pax.grsecurity.net/docs/aslr.txt.
28. Scut/team teso. Exploiting format string vulnerabilities, http://www.team-teso.net, 2001.
29. Solar Designer. StackPatch. http://www.openvall.com/linux.
30. Solar Designer, "return-to-libc" attack. Bugtraq, Aug. 1997.
31. S. Staniford, V. Paxson, and N. Weaver. How to own the Internet in your spare time. In D. Boneh, editor, Proc. 11th USENIX Sec. Symp., pages 149-67. USENIX, Aug. 2002.
32. Vendicator. StackShield. http://www.angelfire.com/sk/stackshield.
33. J. Xu, Z. Kalbarczyk, and R. Iyer. Transparent runtime randomization for security. In A. Fantechi, editor, Proc. 22nd Symp. on Reliable Distributed Systems - SRDS 2003, pages 260-9. IEEE Computer Society, Oct. 2003.
34. C. Yarvin, R. Bukowski, and T. Anderson. Anonymous RFC: Low-latency protection in a 64-bit address space. In Proc. USENIX Summer 1993 Technical Conf., pages 175-86. USENIX, June 1993.
35. M. Zalewski. Remote vulnerability in SSH daemon CRC32 compression attack detector, Feb. 2001. http://www.bindviev.com/Support/RAZOR/Advisories/2001/ adv_ssh1crc.cfm.