Comprehensive Address Space Randomization

Background Objective Approach Download

See our earlier approach.
See our USENIX Security Symposium (2005) paper for an overview of this approach.


Despite the wide publicity received by buffer overflow attacks, the vast majority of today's security vulnerabilities continue to be caused by memory errors, with a significant shift away from stack-smashing exploits to newer attacks such as heap overflows, integer overflows, and format-string attacks. While comprehensive solutions have been developed to handle memory errors, these solutions suffer from one or more of the following problems: high overheads (often exceeding 100%), incompatibility with legacy C code, and changes to the memory model to use garbage collection. Address space randomization (ASR) is a technique that avoids these drawbacks, but existing techniques for ASR do not offer a level of protection comparable to the above techniques. In particular, attacks that exploit relative distances between memory objects aren't tackled by existing techniques. Moreover, these techniques are susceptible to information leakage and brute-force attacks.


To develop a new approach that supports comprehensive randomization, whereby the absolute locations of all (code and data) objects, as well as their relative distances are randomized.


Our approach makes the memory locations of program objects (including code as well as data objects) unpredictable. This is achieved by randomizing the absolute locations of all objects, as well as the relative distance between any two objects. We adopted a program transformation based approach to perform the randomizations. Ideally, the transformations can be applied on program binaries. However, due to the difficulties associated with analysis of binaries, we need additional information to be present in the binaries in order to make the transformations feasible. This requires changes to the system tools such as compilers and linkers, which are used to generate binaries. Our current implementation avoids this option, and instead uses a source-to-source transformation on C programs. Note that a particular randomization isn't hard-coded into the transformed code. Instead, the transformation produces a self-randomizing program: a program that randomizes itself each time it is run, or continuously during runtime. This means that the use of our approach doesn't, in any way, change the software distribution model that is prevalent today. Software providers can continue to distribute identical copies of program binaries to all users. In our approach, the location of code objects is randomized using binary transformation at load-time. Static data objects are randomized at the beginning of program execution. Stack objects are continuously randomized throughout runtime.


Shipped under GPL.
Download the binary package: asr-1.0-1.i386.rpm.
This package has been built for RedHat Linux 9.0.

Download the source package: asr-1.0-1.src.rpm.
The packages include a README file containing instructions on how to use the software. The file also describes some of the limitations of the current release.


We are thankful to Wei Xu for his insightful comments on the implementation issues, and the anonymous reviewers for their comments and suggestions. This research is supported in by an ONR grant N000140110967 and NSF grants CCR-0098154 and CCR-0208877. Sekar's work was also partly supported by DARPA through an AFRL contract FA8750-04-0244.