On Thu, Apr 11, 2013 at 12:54 PM, Reindl Harald <h.reindl(a)thelounge.net> wrote:
> which is exactly the goal ASLR is designed for
It's designed to make certain types of attacks more difficult. It
doesn't make them impossible, just much harder.
Here is an example.
When you write a security exploit, you generally have to do things
like call into system libraries to do useful things. Generally you
have a limited amount of room for your exploit's "payload", so the
idea is to just leverage what the system can already do. Calling
system() would be an example of this. Now, long ago, before things like
ASLR, if you had access to the binary you wanted to attack, you could
inspect the binary to see what the address of system() was. It didn't
change between runs of the binary, so I could hard-code that address
into my exploit. With ASLR, every time you run the binary the address
of various system calls is now basically random (it's not exactly, but
that's an exercise for the reader to figure out). If your payload
needs to call system(), you need a way to figure out what that address
is before you can use it; the added step should make it more difficult
to exploit a problem. The technology isn't foolproof of course, but
that's a topic for another day.
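As an added illustration (not part of the thread above), a defender's check of the point being made: ASLR only moves a program's own code around if that binary was built position-independent, so the ELF header tells you whether "the address didn't change between runs" still applies to a given executable. The ELF header layout and the /proc/sys/kernel/randomize_va_space setting are documented Linux/ELF facts; the sample headers below are constructed inline, and the Linux-only sysctl read is an assumption about the host.

```python
import struct
import sys

# ELF header constants (from the ELF specification)
ELF_MAGIC = b"\x7fELF"
EI_CLASS, EI_DATA = 4, 5            # byte offsets inside e_ident
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB, ELFDATA2MSB = 1, 2
ET_EXEC, ET_DYN = 2, 3              # fixed-address executable vs. position-independent


def elf_type(header):
    """Return (elf_class, e_type) from the first bytes of an ELF file."""
    if len(header) < 20 or header[:4] != ELF_MAGIC:
        raise ValueError("not an ELF header")
    cls = {ELFCLASS32: "ELF32", ELFCLASS64: "ELF64"}.get(header[EI_CLASS])
    endian = {ELFDATA2LSB: "<", ELFDATA2MSB: ">"}.get(header[EI_DATA])
    if cls is None or endian is None:
        raise ValueError("unknown ELF class or byte order")
    (e_type,) = struct.unpack_from(endian + "H", header, 16)  # e_type follows e_ident
    return cls, e_type


def aslr_verdict(header):
    """Say whether ASLR can relocate this binary's own code between runs."""
    cls, e_type = elf_type(header)
    if e_type == ET_EXEC:
        return "ET_EXEC (%s): fixed load address, same code addresses on every run" % cls
    if e_type == ET_DYN:
        return "ET_DYN (%s): position-independent, load address randomised when ASLR is on" % cls
    return "e_type %d (%s): not a loadable executable" % (e_type, cls)


def system_aslr_setting():
    """Linux-only (assumption): 0 = off, 1 = stack/mmap/libraries, 2 = also brk heap."""
    try:
        with open("/proc/sys/kernel/randomize_va_space") as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def fake_header(e_type):
    """Constructed 64-byte ELF64 little-endian header; only the fields read above matter."""
    ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1]) + b"\x00" * 9
    return ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 0, 0, 0, 64, 56, 0, 64, 0, 0)


if __name__ == "__main__":
    print("kernel randomize_va_space:", system_aslr_setting())
    if len(sys.argv) > 1:                      # real file: python3 check.py /path/to/binary
        with open(sys.argv[1], "rb") as f:
            print(sys.argv[1], "->", aslr_verdict(f.read(64)))
    for t in (ET_EXEC, ET_DYN):                # constructed samples, one of each kind
        print(aslr_verdict(fake_header(t)))
```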