Address-Space Randomization for Windows Systems

Lixin Li
Global Infotek, Reston, VA
USA

James Just
Global Infotek, Reston, VA
USA

R Sekar
Stony Brook University, Stony Brook
USA

Address-space randomization is a promising solution to defend against
memory corruption attacks that have contributed to about 75% of US-CERT
advisories in the past few years. Several techniques have been proposed
for implementation of address-space randomization (ASR) for Linux, but, to
the best of our knowledge, there hasn't been any previous work describing
ASR for the largest monoculture on the Internet, namely, the Wintel
platform. We address this problem in this paper and describe a solution
that provides at least 15 bits of randomness in the locations of all (code
or data) objects. Our randomization is applicable to all processes on a
Windows box, including all core system services, as well as applications
such as web browsers, office applications, and so on. Our solution has
been deployed continuously for about nine months on a desktop system used
daily, thus the solution seems robust enough for enterprise applications.
Although some commercial implementations of address-space randomization
have started to emerge, their features as well as implementations appear
to be cloaked in secrecy: they don't fully describe what regions of
memory are randomized and by how much. Typically, some regions aren't
randomized, making it possible to craft successful attacks.

Keywords: Address Space Randomization, buffer overflows, Windows
