Sleak: Automating Address Space Layout Derandomization

We present a novel approach to automatically recover information about the address space layout of remote processes in the pres- ence of Address Space Layout Randomization (ASLR). Our system, dubbed Sleak, performs static analysis and symbolic execution of binary executable programs, and identifies program paths and input parameters leading to partial (i.e., only a few bits) or complete (i.e., the whole address) information disclosure vulnerabilities, revealing addresses of known objects of the target service or application. Sleak takes, as input, the binary executable program, and generates a symbolic expression for each program output that leaks informa- tion about the addresses of objects, such as stack variables, heap structures, or function pointers. By comparing these expressions with the concrete output of a remote process executing the same binary program image, our system is able to recover from a few bits to whole addresses of objects of the target application or service. Discovering the address of a single object in the target application is often enough to guess the layout of entire sections of the address space, which can be leveraged by attackers to bypass ASLR.

Christophe Hauser
Information Sciences Institute, University of Southern California

Jayakrishna Menon
Arizona State University

Yan Shoshitaishvili
Arizona State University

Ruoyu Wang
Arizona State University

Christopher Kruegel
University of California, Santa Barbara

Giovanni Vigna
University of California, Santa Barbara