Predictable Paths: Novel ASLR Bypass Methods and Mitigations
| Main Authors: | , |
|---|---|
| Format: | Article |
| Language: | English |
| Published: | IEEE, 2025-01-01 |
| Series: | IEEE Access |
| Subjects: | |
| Online Access: | https://ieeexplore.ieee.org/document/11030573/ |
| Summary: | Address Space Layout Randomization (ASLR) is a widely adopted mitigation designed to protect systems against memory corruption attacks by randomizing memory addresses of critical regions; however, its effectiveness is limited by inherent design flaws and platform-specific vulnerabilities. This paper introduces a novel methodology for bypassing ASLR on modern, 64-bit Windows systems, focusing on High Entropy ASLR. By using Return-Oriented Programming (ROP) and exploiting predictable internal Windows structures such as the Process Environment Block (PEB) and module lists, the paper demonstrates how base addresses from three system DLLs can be disclosed reliably on virtually all modern Windows systems. These techniques negate ASLR’s protections and allow the attack surface for ROP to be expanded, to include Kernel32.dll, Kernelbase.dll, and NTDLL.dll. This research provides nine original bypass approaches, each validated across Windows versions from 7 to 11, each one working without error in our tests. These findings demonstrate weaknesses in current ASLR implementations in Windows. These ASLR bypasses demonstrate the need for stronger mitigations, such as hardened internal data structure layouts and access control enhancements. Exploit mitigation can be improved and advanced by the future defenses that stem from this research. |
| ISSN: | 2169-3536 |