Bruteforcing 64bit ASLR

A lot of times we hear that it’s impractical or even impossible to brute force 64bit ASLR. It’s been the general consensus that the address space is too large and therefor any attack would be unreliable. On a vanilla implementation of ASLR I think it has become clear that, on its own, a 64bit address space is not enough to prevent bruteforcing ASLR.

A paper recently set out to attack 64bit ASLR to see how effective bruteforcing can be. It’s important to note that they don’t take any other modern mitigation techniques into account, such as NX.

The paper shows a primitive attack against 64bit ASLR on their Linux system can take as few as 1.3 hours but as many as 34.1 hours. They note that they could optimize and improve the performance quite a bit. To me I think it’s really important to note that there’s significant variability here – an attacker can not rely on bruteforcing to be done in 1.3 hours, they could potentially have to wait quite a lot longer. That variability and uncertainty is important.

The paper then goes on to mention PaX ASLR, which introduces far more entropy into the system. Due to the papers very narrow focus on ASLR it, again, leaves out other mitigation techniques, such as the Grsecurity patchset’s Exploit Bruteforce Prevention. There are actually numerous PaX and Grsecurity mitigation techniques that could be implemented to prevent these attacks but the focus is less about “real world” and more about proving that 64bit ASLR on its own is not enough to prevent bruteforce attacks.

So while it’s clear that on a process that doesn’t use NX or modern mitigation techniques other than ASLR that bruteforcing is potentially possible, it’s incredibly unlikely that you’re running any programs that don’t use those techniques. Anyone who uses PaX ASLR with Grsecurity likely has multiple mitigation techniques designed to prevent these attacks. These attacks also would likely cause program instability, and are still somewhat impractical even if they can be optimized. But, to say that ASLR can not be bruteforced only due to a 64bit address space would be incorrect.

Leave a Reply

Your email address will not be published. Required fields are marked *