This articleneeds additional citations forverification. Please helpimprove this article byadding citations to reliable sources. Unsourced material may be challenged and removed. Find sources: "Address space layout randomization" – news ·newspapers ·books ·scholar ·JSTOR(January 2018) (Learn how and when to remove this message)

Address space layout randomization (ASLR) is acomputer security technique involved in preventingexploitation ofmemory corruptionvulnerabilities.^[1] In order to prevent an attacker from reliably redirecting code execution to a particular exploited function in memory, ASLR randomly arranges theaddress space positions of key data areas of aprocess, including the base of theexecutable and the positions of thestack,heap andlibraries. When applied to thekernel, this technique is calledkernel address space layout randomization (KASLR).^[2]

The LinuxPaX project first coined the term "ASLR", and published the first design andimplementation of ASLR in July 2001 as apatch for theLinux kernel. It is seen as a complete implementation, providing a patch for kernel stack randomization since October 2002.^[3]

The first mainstreamoperating system to support ASLR by default wasOpenBSD version3.4 in 2003,^[4][5] followed by Linux in 2005.

Address space randomization hinders some types of security attacks by making it more difficult for an attacker to predict target addresses. For example, attackers trying to executereturn-to-libc attacks must locate the code to be executed, while other attackers trying to executeshellcode injected on the stack have to find the stack first. In both cases, the system makes related memory-addresses unpredictable from the attackers' point of view. These values have to be guessed, and a mistaken guess is not usually recoverable due to the application crashing.

Address space layout randomization is based upon the low chance of an attacker guessing the locations of randomly placed areas. Security is increased by increasing the search space. Thus, address space randomization is more effective when moreentropy is present in the random offsets. Entropy is increased by either raising the amount ofvirtual memory area space over which the randomization occurs or reducing the period over which the randomization occurs. The period is typically implemented as small as possible, so most systems must increase VMA space randomization.

To defeat the randomization, attackers must successfully guess the positions of all areas they wish to attack. For data areas such as stack and heap, where custom code or useful data can be loaded, more than one state can be attacked by usingNOP slides for code or repeated copies of data. This allows an attack to succeed if the area is randomized to one of a handful of values. In contrast, code areas such as library base and main executable need to be discovered exactly. Often these areas are mixed, for examplestack frames are injected onto the stack and a library is returned into.

The following variables can be declared:

• ${\displaystyle E_s}$ (entropy bits of stack top)
• ${\displaystyle E_m}$ (entropy bits ofmmap() base)
• ${\displaystyle E_x}$ (entropy bits of main executable base)
• ${\displaystyle E_h}$ (entropy bits of heap base)
• ${\displaystyle A_s}$ (attacked bits per attempt of stack entropy)
• ${\displaystyle A_m}$ (attacked bits per attempt ofmmap() base entropy)
• ${\displaystyle A_x}$ (attacked bits per attempt of main executable entropy)
• ${\displaystyle A_h}$ (attacked bits per attempt of heap base entropy)
• ${\displaystyle \alpha }$ (attempts made)
• ${\displaystyle N}$ (total amount of entropy:${\displaystyle N=(E_s-A_s)+(E_m-A_m)+(E_x-A_x)+(E_h-A_h)}$)

To calculate the probability of an attacker succeeding, a number of attemptsα carried out without being interrupted by a signature-based IPS, law enforcement, or other factor must be assumed; in the case of brute forcing, the daemon cannot be restarted. The number of relevant bits and how many are being attacked in each attempt must also be calculated, leaving however many bits the attacker has to defeat.

The following formulas represent the probability of success for a given set ofα attempts onN bits of entropy.

• ${\displaystyle g\left(\alpha \right)=1-{\left(1-2^{-N}\right)}^{\alpha }\text{ if }0\le \alpha }$ (isolated guessing; address space is re-randomized after each attempt)
• ${\displaystyle b\left(\alpha \right)=\frac{\alpha }{2^N}\text{ if }0\le \alpha \le 2^N}$ (systematic brute forcing on copies of the program with the same address space)

In many systems,${\displaystyle 2^N}$ can be in the thousands or millions. On 32-bit systems, a typical amount of entropyN is 8 bits.^[6] For 2004 computer speeds, Shacham and co-workers state "... 16 bits of address randomization can be defeated by abrute force attack within minutes."^[7] (The authors' statement depends on the ability to attack the same application multiple times without any delay. Proper implementations of ASLR, like that included in grsecurity, provide several methods to make such brute force attacks infeasible. One method involves preventing an executable from executing for a configurable amount of time if it has crashed a certain number of times.) On modern^[update]64-bit systems, these numbers typically reach the millions at least.^{[citation needed]}

Android,^{[8][non-primary source needed]} and possibly other systems,^[which?] implementLibrary Load Order Randomization, a form of ASLR which randomizes the order in which libraries are loaded. This supplies very little entropy. An approximation of the number of bits of entropy supplied per needed library appears below; this does not yet account for varied library sizes, so the actual entropy gained is really somewhat higher. Attackers usually need only one library; the math is more complex with multiple libraries, and shown below as well. The case of an attacker using only one library is a simplification of the more complex formula for${\displaystyle l=1}$.

• l (number of libraries loaded)
• β (number of libraries used by the attacker)
• 

These values tend to be low even for large values ofl, most importantly since attackers typically can use only theC standard library and thus one can often assume that${\displaystyle \beta =1}$. However, even for a small number of libraries there are a few bits of entropy gained here; it is thus potentially interesting to combine library load order randomization with VMA address randomization to gain a few extra bits of entropy. These extra bits of entropy will not apply to other mmap() segments, only libraries.

Attackers may make use of several methods to reduce the entropy present in a randomized address space, ranging from simple information leaks to attacking multiple bits of entropy per attack (such as byheap spraying). There is little that can be done about this.

It is possible to leak information about memory layout usingformat string vulnerabilities. Format string functions such asprintf use avariable argument list to do their job; format specifiers describe what the argument list looks like. Because of the way arguments are typically passed, each format specifier moves closer to the top of the stack frame. Eventually, the return pointer and stack frame pointer can be extracted, revealing the address of a vulnerable library and the address of a known stack frame; this can eliminate library and stack randomization as an obstacle to an attacker.

One can also decrease entropy in the stack or heap. The stack typically must be aligned to 16 bytes, and so this is the smallest possible randomization interval; while the heap must be page-aligned, typically 4096 bytes. When attempting an attack, it is possible to align duplicate attacks with these intervals; aNOP slide may be used withshellcode injection, and the string '/bin/sh' can be replaced with '////////bin/sh' for an arbitrary number of slashes when attempting to return tosystem. The number of bits removed is exactly${\displaystyle {\log }_2\left(n\right)}$ forn intervals attacked.

Such decreases are limited due to the amount of data in the stack or heap. The stack, for example, is typically limited to8 MB^[9] and grows to much less; this allows for at most19 bits, although a more conservative estimate would be around 8–10 bits corresponding to 4–16 KB^[9] of stack stuffing. The heap on the other hand is limited by the behavior of the memory allocator; in the case ofglibc, allocations above 128 KB are created usingmmap, limiting attackers to 5 bits of reduction. This is also a limiting factor when brute forcing; although the number of attacks to perform can be reduced, the size of the attacks is increased enough that the behavior could in some circumstances become apparent tointrusion detection systems.

ASLR-protected addresses can be leaked by various side channels, removing mitigation utility. Recent attacks have used information leaked by the CPU branch target predictor buffer (BTB) ormemory management unit (MMU) walking page tables. It is not clear if this class of ASLR attack can be mitigated. If they cannot, the benefit of ASLR is reduced or eliminated.

In August 2024 a paper^[10] was published with an empirical analysis of major desktop platforms, including Linux, macOS, and Windows, by examining the variability in the placement of memory objects across various processes, threads, and system restarts. The results show that while some systems as of 2024, like Linux distributions, provide robust randomization, others, like Windows and macOS, often fail to adequately randomize key areas like executable code and libraries. Moreover, they found a significant reduction in the entropy of libraries after the Linux 5.18 version and identify correlation paths that an attacker could leverage to reduce exploitation complexity significantly.

Several mainstream, general-purpose operating systems implement ASLR.

Android 4.0 Ice Cream Sandwich provides address space layout randomization (ASLR) to help protect system and third-party applications from exploits due to memory-management issues. Position-independent executable support was added in Android 4.1.^[11] Android 5.0 dropped non-PIE support and requires all dynamically linked binaries to be position independent.^[12][13] Library load ordering randomization was accepted into the Android open-source project on 26 October 2015,^{[8][non-primary source needed]} and was included in the Android 7.0 release.

DragonFly BSD has an implementation of ASLR based upon OpenBSD's model, added in 2010.^[14] It is off by default, and can be enabled by setting the sysctl vm.randomize_mmap to 1.

Support for ASLR appeared inFreeBSD 13.0.^[15][16] It is enabled by default since 13.2.^[17]

Apple introduced ASLR iniOS 4.3 (released March 2011).^[18]

KASLR was introduced in iOS 6.^[19] The randomized kernel base is0x01000000 + ((1+0xRR) * 0x00200000), where0xRR is a random byte from SHA1 (random data) generated by iBoot (the 2nd-stage iOS Boot Loader).^[20]

TheLinux kernel enabled a weak form of ASLR by default since the kernel version 2.6.12, released in June 2005.^[21] ThePaX andExec Shield patchsets to the Linux kernel provide more complete implementations. The Exec Shield patch forLinux supplies 19 bits of stack entropy on a period of 16 bytes, and 8 bits of mmap base randomization on a period of 1 page of 4096 bytes. This places the stack base in an area 8 MB wide containing 524,288 possible positions, and the mmap base in an area 1 MB wide containing 256 possible positions.

ASLR can be disabled for a specific process by changing its execution domain, usingpersonality(2).^[22] A number ofsysctl options control the behavior of mainline ASLR. For example,kernel.randomize_va_space controlswhat to randomize; the strongest option is 2.vm.mmap_rnd_bits controls how many bits to randomize formmap.^[23]

Position-independent executable (PIE) implements a randombase address for the main executable binary and has been in place since April 18, 2004. It provides the same address randomness to the main executable as being used for the shared libraries. The PIE feature cannot be used together with theprelink feature for the same executable. The prelink tool implements randomization at prelink time rather than runtime, because by design prelink aims to handle relocating libraries before thedynamic linker has to, which allows the relocation to occur once for many runs of the program. As a result, real address space randomization would defeat the purpose of prelinking.

In 2014, Marco-Gisbert and Ripoll disclosedoffset2lib technique that weakens Linux ASLR for PIE executables. Linux kernels load PIE executables right after their libraries; as a result, there is a fixed offset between the executable and the library functions. If an attacker finds a way to find the address of a function in the executable, the library addresses are also known. They demonstrated an attack that finds the address in fewer than 400 tries. They proposed a newrandomize_va_space=3 option to randomize the placement of the executable relative to the library,^[6] but it is yet to be incorporated into the upstream as of 2024.^[24]

The Linux kernel 5.18 released May 2022 reduced the effectiveness of both 32-bit and 64-bit implementations. Linux filesystems callthp_get_unmapped_area to respond to a file-backedmmap. With a change in 5.18, files greater than 2 MiB are made to return 2 MiB-aligned addresses, so they can be potentially backed byhuge pages. (Previously, the increased alignment only applied to Direct Access (DAX) mappings.) In the meantime, the C library (libc) has, over time, grown in size to exceed this 2 MiB threshold, so instead of being aligned to a (typically) 4 KiB page boundary as before, these libraries are now 2 MiB-aligned: a loss of 9 bits of entropy. For 32-bit Linux, many distributions show no randomizationat all in the placement of the libc. For 64-bit Linux, the 28 bits of entropy is reduced to 19 bits. In response, Ubuntu has increased itsmmap_rnd_bits setting.^[25] Martin Doucha added aLinux Test Project testcase to detect this issue.^[26]

Kernel address space layout randomization (KASLR) enables address space randomization for the Linux kernel image by randomizing where the kernel code is placed at boot time.^[27] KASLR was merged into theLinux kernel mainline in kernel version 3.14, released on 30 March 2014.^[28] When compiled in, it can be disabled at boot time by specifyingnokaslr as one of the kernel's boot parameters.^[29]

There are severalside-channel attacks in x86 processors that could leak kernel addresses.^[30][31] In late 2017,kernel page-table isolation (KPTI aka KAISER) was developed to defeat these attacks.^[32][33] However, this method cannot protect against side-channel attacks utilizing collisions inbranch predictor structures.^[34]

As of 2021^[update], finer grained kernel address space layout randomization (or function granular KASLR, FGKASLR) is a planned extension of KASLR to randomize down to the function level by placing functions in separate sections and reordering them at boot time.^[35]

This section needs to beupdated. Please help update this article to reflect recent events or newly available information.(August 2018)

Microsoft'sWindows Vista (releasedto manufacturing November 2006, generally available January 2007) and later have ASLR enabled only for executables anddynamic link libraries that are specifically linked to be ASLR-enabled.^[36] For compatibility, it is not enabled by default for other applications. Typically, only older software is incompatible and ASLR can be fully enabled by editing a registry entryHKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\MoveImages,^[37] or by installing Microsoft'sEnhanced Mitigation Experience Toolkit.

The locations of theheap,stack, Process Environment Block, andThread Environment Block are also randomized. A security whitepaper from Symantec noted that ASLR in 32-bit Windows Vista may not be as robust as expected, and Microsoft has acknowledged a weakness in its implementation.^[38]

Host-basedintrusion prevention systems such asWehnTrust^[39] andOzone^[40] also offer ASLR forWindows XP andWindows Server 2003 operating systems. WehnTrust is open-source.^[41] Complete details of Ozone's implementation are not available.^[42]

It was noted in February 2012^[43] that ASLR on 32-bit Windows systems prior toWindows 8 can have its effectiveness reduced in low memory situations. A similar effect also had been achieved on Linux in the same research. The test code caused the Mac OS X 10.7.3 system tokernel panic, so it was left unclear about its ASLR behavior in this scenario.

Support for ASLR in userland appeared inNetBSD 5.0 (released April 2009),^[44] and was enabled by default in NetBSD-current in April 2016.^[45]

Kernel ASLR support on amd64 was added in NetBSD-current in October 2017, making NetBSD the first BSD system to support KASLR.^[46]

In 2003,OpenBSD became the first mainstream operating system to support a strong form of ASLR and to activate it by default.^[4]OpenBSD completed its ASLR support in 2008 when it added support forPIE binaries.^[47] OpenBSD 4.4'smalloc(3) was designed to improve security by taking advantage of ASLR and gap page features implemented as part of OpenBSD'smmapsystem call, and to detect use-after-free bugs.^[48] Released in 2013, OpenBSD 5.3 was the first mainstream operating system to enable position-independent executables by default on multiplehardware platforms, and OpenBSD 5.7 activated position-independent static binaries (Static-PIE) by default.^[47]

InMac OS X Leopard 10.5 (released October 2007), Apple introduced randomization for system libraries.^[49]

InMac OS X Lion 10.7 (released July 2011), Apple expanded their implementation to cover all applications, stating "address space layout randomization (ASLR) has been improved for all applications. It is now available for 32-bit apps (as are heap memory protections), making 64-bit and 32-bit applications more resistant to attack."^[50]

As ofOS X Mountain Lion 10.8 (released July 2012) and later, the entire system including the kernel as well askexts and zones are randomly relocated during system boot.^[51]

ASLR has been introduced inSolaris beginning with Solaris 11.1 (released October 2012). ASLR in Solaris 11.1 can be set system-wide, per zone, or on a per-binary basis.^[52]

Aside-channel attack utilizingbranch target buffer was demonstrated to bypass ASLR protection.^[34] In 2017, an attack named "ASLR⊕Cache" was demonstrated which could defeat ASLR in aweb browser usingJavaScript.^[53]

• Buffer overflow
• Stack buffer overflow
• Stack-smashing protection
• NX bit

• Exploit Mitigation Techniques: an Update After 10 YearsArchived 2014-02-20 at theWayback Machine in OpenBSD
• PaX documentation on ASLR
• Comparison of PaX to Exec Shield and W^XArchived 2012-04-14 at theWayback Machine
• Address Space Layout Randomization in Windows Vista - Michael Howard's Web Log
• ASLR for Windows 2000/XP/2003 (WehnTrust)
• Bypassing PaX ASLR protection
• On the effectiveness of address space layout randomization
• Test Applications (or libraries) for their ASLR and DEP support
• ASLR Smack & Laugh ReferenceArchived 2015-09-28 at theWayback Machine

• Operating system security

• Webarchive template wayback links
• Articles with short description
• Short description matches Wikidata
• Use dmy dates from May 2019
• Articles needing additional references from January 2018
• All articles needing additional references
• Articles containing potentially dated statements from 2009
• All articles containing potentially dated statements
• All articles with unsourced statements
• Articles with unsourced statements from March 2024
• All pages needing factual verification
• Wikipedia articles needing factual verification from March 2016
• All articles with specifically marked weasel-worded phrases
• Articles with specifically marked weasel-worded phrases from October 2015
• Articles containing potentially dated statements from 2021
• Wikipedia articles in need of updating from August 2018
• All Wikipedia articles in need of updating