Performance and Entropy of Various ASLR Implementations

Whether or not a security feature is useful is highly dependent on how effective it is and how it affects system performance. If a security feature is effective but greatly degrades the performance of the system, then the feature is not useful. Likewise, if a security feature is very fast but is not very effective, then it is also not useful. A useful security feature needs to add a reasonable amount of security to the system but at the same time not greatly impose on system performance. In our study, we measure the performance and entropy of ASLR implementations. The implementations we chose are in Debian, HardenedBSD, and FreeBSD with a patch from the HardenedBSD developers. For the most part, our results are not surprising. ASLR has a very marginal impact on performance, while providing excellent security benefits. The distributions in some cases passes a Chi-Squared (χ) test, but in some cases also does not. We describe our findings below in more detail. 1 Address Space Layout Randomization Address space layout randomization (ASLR) is an exploit mitigation technique implemented natively on many modern operating systems including GNU Linux, Mac OS X and Windows. ASLR takes the three parts of the program, the code, stack and heap, and places them at random addresses in the program’s address space. The challenge ASLR presents to attackers is that they must now attempt to guess addresses that before would have been known. For example, a common technique for exploiting vulnerabilities is a return-to-libc attack. In order for an attacker to be able to implement a return-to-libc attack, they must know the locations of certain functions in memory such as system or execv [A1]. Since the locations of system and execv are not known to the attacker when the process starts, the