Address space layout randomization (ASLR) is a computer security technique that helps prevent the exploitation of memory corruption vulnerabilities.[1] To keep an attacker from reliably redirecting code execution to, for example, a particular exploited function in memory, ASLR randomly arranges the address space positions of key data areas of a process, including the base of the executable and the positions of the stack, heap and libraries.[2]
The first mainstream operating system to support ASLR by default was OpenBSD version 3.4 in 2003,[3][4] followed by Linux in 2005.
In both cases, the system makes the relevant memory addresses unpredictable from the attacker's point of view.
The period is typically implemented as small as possible, so most systems must increase VMA space randomization.
In contrast, code areas such as library base and main executable need to be discovered exactly.
The following variables can be declared: To calculate the probability of an attacker succeeding, a number of attempts α carried out without being interrupted by a signature-based IPS, law enforcement, or other factor must be assumed; in the case of brute forcing, the daemon cannot be restarted.
The following formulas represent the probability of success for a given set of α attempts on N bits of entropy.
[5] For 2004 computer speeds, Shacham and co-workers state "... 16 bits of address randomization can be defeated by a brute force attack within minutes."[6]
(The authors' statement depends on the ability to attack the same application multiple times without any delay. Proper implementations of ASLR, like that included in grsecurity, provide several methods to make such brute force attacks infeasible.)
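The probability formulas the passage above refers to are not reproduced on this page; the following added example (not from the original article) assumes the two standard cases: independent guesses against a layout that is re-randomized before every attempt, and an exhaustive walk of a layout that stays fixed between attempts. It computes, for N bits of entropy, the success probability after α attempts, the mean number of attempts, and how many attempts reach a given confidence, which makes it easy to compare the quoted 16-bit case with larger entropy budgets.

```python
import math


def p_success_rerandomized(alpha: int, n_bits: int) -> float:
    """Chance that at least one of alpha guesses hits when the layout is
    re-randomized before every attempt, so guesses are independent:
    1 - (1 - 2^-N)^alpha."""
    if alpha < 0 or n_bits < 0:
        raise ValueError("alpha and n_bits must be non-negative")
    return 1.0 - (1.0 - 2.0 ** -n_bits) ** alpha


def p_success_fixed_layout(alpha: int, n_bits: int) -> float:
    """Chance of success after alpha distinct guesses against a layout that
    does not change between attempts (e.g. a forking daemon whose children
    all inherit the parent's addresses): alpha / 2^N, capped at 1."""
    if alpha < 0 or n_bits < 0:
        raise ValueError("alpha and n_bits must be non-negative")
    return min(1.0, alpha / 2 ** n_bits)


def expected_attempts(n_bits: int, rerandomized: bool) -> float:
    """Mean attempts until the first hit: 2^N for independent guesses
    (geometric distribution), (2^N + 1) / 2 for a walk of a fixed layout."""
    space = 2 ** n_bits
    return float(space) if rerandomized else (space + 1) / 2


def attempts_for_confidence(p: float, n_bits: int, rerandomized: bool) -> int:
    """Smallest alpha whose success probability reaches p (0 < p < 1)."""
    if not 0.0 < p < 1.0:
        raise ValueError("p must be strictly between 0 and 1")
    if n_bits == 0:
        return 1  # no randomization: the first guess always hits
    if rerandomized:
        # Solve 1 - (1 - 2^-N)^alpha >= p for alpha.
        return math.ceil(math.log(1.0 - p) / math.log(1.0 - 2.0 ** -n_bits))
    return math.ceil(p * 2 ** n_bits)


if __name__ == "__main__":
    # 16 bits is the figure quoted above; 28 bits is shown for contrast.
    for n in (16, 28):
        for rerand in (False, True):
            kind = "re-randomized" if rerand else "fixed layout"
            print(f"N={n:2d} {kind:13s} 50%: {attempts_for_confidence(0.5, n, rerand):>10d}"
                  f"  99%: {attempts_for_confidence(0.99, n, rerand):>10d}"
                  f"  mean: {expected_attempts(n, rerand):>12.1f}")
```

The fixed-layout column is why re-randomizing on every fork or exec and throttling repeatedly crashing programs, as the grsecurity methods mentioned above do, matters as much as the raw entropy.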
Because of the way arguments are typically passed, each format specifier moves closer to the top of the stack frame.
Recent attacks have used information leaked by the CPU branch target predictor buffer (BTB) or memory management unit (MMU) walking page tables.
In August 2024 a paper [9] was published with an empirical analysis of major desktop platforms, including Linux, macOS, and Windows, by examining the variability in the placement of memory objects across various processes, threads, and system restarts.
Android 4.0 Ice Cream Sandwich provides address space layout randomization (ASLR) to help protect system and third-party applications from exploits due to memory-management issues.[10]
Android 5.0 dropped non-PIE support and requires all dynamically linked binaries to be position independent.
[20] The PaX and Exec Shield patchsets to the Linux kernel provide more complete implementations.
In 2014, Marco-Gisbert and Ripoll disclosed the offset2lib technique, which weakens Linux ASLR for PIE executables.
They proposed a new randomize_va_space=3 option to randomize the placement of the executable relative to the libraries,[5] but as of 2024 it has not been incorporated into the upstream kernel.
With a change in Linux 5.18, mappings of files larger than 2 MiB are returned at 2 MiB-aligned addresses so that they can potentially be backed by huge pages.[24]
Martin Doucha added a Linux Test Project test case to detect this issue.
[29][30] In late 2017, kernel page-table isolation (KPTI, also known as KAISER) was developed to defeat these attacks.[31][32]
However, this method cannot protect against side-channel attacks that exploit collisions in branch predictor structures.
Typically, only older software is incompatible and ASLR can be fully enabled by editing a registry entry HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\MoveImages,[36] or by installing Microsoft's Enhanced Mitigation Experience Toolkit.
A security whitepaper from Symantec noted that ASLR in 32-bit Windows Vista may not be as robust as expected, and Microsoft has acknowledged a weakness in its implementation.
The test code caused the Mac OS X 10.7.3 system to kernel panic, so its ASLR behavior in this scenario remained unclear.
[45] In 2003, OpenBSD became the first mainstream operating system to support a strong form of ASLR and to activate it by default.[46]
In Mac OS X Leopard 10.5 (released October 2007), Apple introduced randomization for system libraries.[51]
A side-channel attack utilizing the branch target buffer was demonstrated to bypass ASLR protection.