What MIPS means in computing, and what level Computer Level 4 represents

Date: 2023-05-05 10:10:28  Views: 234344  Author: 1972

aslr

Address Space Layout Randomization (ASLR) is a security technique used in operating systems, first implemented in 2001. The current versions of all major operating systems (iOS, Android, Windows, macOS, and Linux) feature ASLR protection. But in the past week, a new method of bypassing ASLR has been found. So, should you be worried?

To those without a low-level programming background, ASLR can be confusing. To understand it, you must first understand virtual memory.

What Is Virtual Memory?

Virtual memory is a memory management technique with many benefits, but it was primarily created to make programming easier. Imagine you have Google Chrome, Microsoft Word, and several other programs open on a computer with 4 GB of RAM. As a whole, the programs on this computer use much more than 4 GB of RAM. However, not all the programs will be active at all times, or need simultaneous access to that RAM.

The operating system allocates memory to programs in chunks called pages. If there is not enough RAM to store all the pages at once, the pages least likely to be needed are stored on the slower (but more spacious) hard drive. When the stored pages are needed, they’ll switch places with less necessary pages currently in RAM. This process is called paging, and lends its name to the pagefile.sys file on Windows.

Virtual memory makes it easier for programs to manage their own memory, and also makes them more secure. Programs don’t need to worry about where other programs are storing data, or how much RAM is left. They can just ask the operating system for additional memory (or return unused memory) as necessary. All the program sees is a single continuous chunk of memory addresses for its exclusive use, called virtual addresses. The program is not allowed to look at another program’s memory.

When a program needs to access memory, it gives the operating system a virtual address. The operating system contacts the CPU’s memory management unit (MMU). The MMU translates between virtual and physical addresses, returning that information to the operating system. At no point does the program directly interact with RAM.

What Is ASLR?

Address Space Layout Randomization (ASLR) is primarily used to protect against buffer overflow attacks. In a buffer overflow, attackers feed a function as much junk data as it can handle, followed by a malicious payload. The payload will overwrite data the program intends to access. Instructions to jump to another point in code are a common payload. The famous JailbreakMe method of jailbreaking iOS 4, for example, used a buffer overflow attack, prompting Apple to add ASLR to iOS 4.3.

Buffer overflows require an attacker to know where each part of the program is located in memory. Figuring this out is usually a difficult process of trial and error. After determining that, they must craft a payload and find a suitable place to inject it. If the attacker does not know where their target code is located, it can be difficult or impossible to exploit it.

ASLR works alongside virtual memory management to randomize the locations of different parts of the program in memory. Every time the program is run, components (including the stack, heap, and libraries) are moved to a different address in virtual memory. Attackers can no longer learn where their target is through trial and error, because the address will be different every time. Generally, applications need to be compiled with ASLR support, but this is becoming the default, and is even required on Android 5.0 and later.
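One way to check the behaviour described above, as an added example that is not part of the original article: the C program below compares where the executable, heap, libc and stack start across several runs and reports which address bits ever changed. The three `/proc/<pid>/maps` excerpts, the program name `legacy` and every address are constructed sample data; the hypothetical `legacy` binary stands in for an application built without ASLR support, so its own code never moves.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample data: /proc/<pid>/maps excerpts from three runs of a
 * hypothetical non-PIE program "legacy". Every address here is made up. */
static const char *RUNS[3] = {
    "00400000-00452000 r-xp 00000000 08:01 131 /usr/bin/legacy\n"
    "01c3e000-01c5f000 rw-p 00000000 00:00 0 [heap]\n"
    "7f3a1c228000-7f3a1c3bd000 r-xp 00028000 08:01 977 /usr/lib/libc.so.6\n"
    "7ffd41be9000-7ffd41c0a000 rw-p 00000000 00:00 0 [stack]\n",
    "00400000-00452000 r-xp 00000000 08:01 131 /usr/bin/legacy\n"
    "00a71000-00a92000 rw-p 00000000 00:00 0 [heap]\n"
    "7f91e4628000-7f91e47bd000 r-xp 00028000 08:01 977 /usr/lib/libc.so.6\n"
    "7ffe0b2d4000-7ffe0b2f5000 rw-p 00000000 00:00 0 [stack]\n",
    "00400000-00452000 r-xp 00000000 08:01 131 /usr/bin/legacy\n"
    "0223c000-0225d000 rw-p 00000000 00:00 0 [heap]\n"
    "7fc5a0e28000-7fc5a0fbd000 r-xp 00028000 08:01 977 /usr/lib/libc.so.6\n"
    "7ffc93f1e000-7ffc93f3f000 rw-p 00000000 00:00 0 [stack]\n",
};

/* Start address of the first mapping whose pathname equals `name`, 0 if absent. */
uint64_t region_start(const char *maps, const char *name) {
    char line[256], path[256]; unsigned long long start;
    while (*maps) {
        size_t len = strcspn(maps, "\n");
        snprintf(line, sizeof line, "%.*s", (int)len, maps); /* one line at a time */
        if (sscanf(line, "%llx-%*s %*s %*s %*s %*s %255s", &start, path) == 2 &&
            strcmp(path, name) == 0) return start;
        maps += len + (maps[len] == '\n');
    }
    return 0;
}

/* Address bits that differed from run 0 in at least one later run. */
uint64_t varying_mask(const char **runs, int n, const char *name) {
    uint64_t first = region_start(runs[0], name), mask = 0;
    for (int i = 1; i < n; i++) mask |= first ^ region_start(runs[i], name);
    return mask;
}
int bit_count(uint64_t v) { int c = 0; for (; v; v &= v - 1) c++; return c; }

int main(void) {
    const char *names[] = {"/usr/bin/legacy", "[heap]", "/usr/lib/libc.so.6", "[stack]"};
    for (int i = 0; i < 4; i++) {
        uint64_t m = varying_mask(RUNS, 3, names[i]);
        printf("%-20s mask=%012llx bits=%2d%s\n", names[i], (unsigned long long)m,
               bit_count(m), m ? "" : "  <- never moved");
    }
}
```

A mask of zero marks a region that an attacker can locate without guessing. The low 12 bits of every mask stay zero because mappings are page-aligned, so those bits never contribute randomness.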

So Does ASLR Still Protect You?

Last Tuesday, researchers from SUNY Binghamton and University of California, Riverside, presented a paper called "Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR". The paper details a way to attack the Branch Target Buffer (BTB). The BTB is part of the processor that speeds up if statements by predicting the outcome. Using the authors’ method, it is possible to determine locations of known branch instructions in a running program. The attack in question was performed on a Linux machine with an Intel Haswell processor (first released in 2013), but could likely be applied to any modern operating system and processor.

That said, you shouldn’t necessarily despair. The paper offered a few ways that hardware and operating system developers can mitigate this threat. Newer, fine-grain ASLR techniques would require more effort from the attacker, and increasing the amount of entropy (randomness) can make the Jump Over attack infeasible. Most likely, newer operating systems and processors will be immune to this attack.

So what is left for you to do? The Jump Over bypass is new, and hasn’t yet been spotted in the wild. When attackers exploit it, the flaw will increase the potential damage an attacker can cause on your device. This level of access isn’t unprecedented; Microsoft and Apple only implemented ASLR in their operating systems released in 2007 and later. Even if this style of attack becomes commonplace, you won’t be any worse off than you were back in the days of Windows XP.

Keep in mind that attackers still have to get their code on your device to do any harm. This flaw does not provide them with any additional ways to infect you. As always, you should follow security best practices. Use antivirus, stay away from sketchy websites and programs, and keep your software up to date. By following these steps and keeping malicious actors off your computer, you’ll be as safe as you’ve ever been.

Image Credit: Steve/Flickr

Translated from: https://www.howtogeek.com/278056/what-is-aslr-and-how-does-it-keep-your-computer-secure/
