[tor-bugs] #4152 [- Select a component]: Implement Bottom Up Randomization (Windows platform)

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Sat Oct 1 11:43:54 UTC 2011


#4152: Implement Bottom Up Randomization (Windows platform)
----------------------------------+-----------------------------------------
 Reporter:  bastik                |          Owner:     
     Type:  enhancement           |         Status:  new
 Priority:  normal                |      Milestone:     
Component:  - Select a component  |        Version:     
 Keywords:                        |         Parent:     
   Points:                        |   Actualpoints:     
----------------------------------+-----------------------------------------
 To improve ASLR efficiency you could add Bottom Up Randomization.

 Matt Miller told Didier Stevens how he did it. So I know that too.

 “It works by reserving a random number (between [0,256]) of 64K regions
 via VirtualAlloc. This has the effect of consuming a small portion of the
 bottom part of the address space. Since the Windows kernel assigns base
 addresses for collided DLLs by searching for a free region starting at the
 bottom of the address space, bottom up randomization ensures that a random
 base address will be assigned. Without bottom up randomization the bottom
 part of the address space remains fairly static (with some exceptions,
 such as due to heap, stack, and EXE randomization).”

 Code:

  #include <windows.h>
  #include <stdlib.h>
  #include <time.h>

  int iIter;
  int iRand;

  srand(time(NULL));              /* seed the C RNG from the clock */
  iRand = rand() % 256 + 1;       /* reserve between 1 and 256 regions */
  for (iIter = 0; iIter < iRand; iIter++)   /* 64K = allocation granularity */
      VirtualAlloc(NULL, 64*1024, MEM_COMMIT | MEM_RESERVE, PAGE_NOACCESS);

 "Instead of 15 base addresses, with the most frequent address being used
 30% of the time, my Bottom Up Randomization implementation gives me more
 than 300 addresses after 150.000 runs. And there's no single address being
 used more than 0,5% of the time."

 A comment adds that only MEM_RESERVE should be used for VirtualAlloc,
 because MEM_COMMIT would require more memory. Didier Stevens replies that
 this is possible although the additional memory wouldn't be much.

 Here's the link: http://blog.didierstevens.com/2011/09/29/add-bottom-up-randomization-to-your-own-source-code/

 BTW: It's impossible to choose a component, because all binaries
 (Tor/Vidalia at least) should make use of it.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/4152>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
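An added example, not from the ticket or from Didier Stevens' post, of the reserve-only variant the comment suggests: it takes its byte of entropy from rand_s() (assumed available; Microsoft CRT) instead of srand(time(NULL)), reserves without committing, and checks that the bases VirtualAlloc returned climb upward, which is what a bottom-up search of free space should produce. The two check functions are portable; the reservation routine itself is Windows-only.

```c
#define _CRT_RAND_S            /* exposes rand_s() in the Microsoft CRT */
#include <stdint.h>
#include <stdlib.h>
#ifdef _WIN32
#include <windows.h>
#endif

#define REGION_SIZE (64u * 1024u)   /* Windows allocation granularity */

/* One byte of entropy mapped to a region count in [1, 256]. */
unsigned region_count_from_entropy(unsigned char entropy_byte) {
    return (unsigned)entropy_byte + 1u;
}

/* Check the bases VirtualAlloc handed back: each must be 64K-aligned and
 * the run must climb, which is what a bottom-up free-space search yields.
 * A descending run means the regions are not consuming the low range. */
int reservations_are_bottom_up(const uintptr_t *bases, unsigned n) {
    unsigned i;
    if (n == 0) return 0;
    for (i = 0; i < n; i++) {
        if (bases[i] % REGION_SIZE != 0) return 0;
        if (i > 0 && bases[i] <= bases[i - 1]) return 0;
    }
    return 1;
}

#ifdef _WIN32
/* Reserve (never commit) the regions, so no physical memory is consumed.
 * rand_s() is CSPRNG-backed, unlike srand(time(NULL)) + rand().
 * Call this at the top of main(), before the DLLs you want moved load. */
unsigned bottom_up_randomize(uintptr_t *bases, unsigned max) {
    unsigned int r, count, i;
    if (rand_s(&r) != 0) return 0;
    count = region_count_from_entropy((unsigned char)r);
    if (count > max) count = max;
    for (i = 0; i < count; i++) {
        void *p = VirtualAlloc(NULL, REGION_SIZE, MEM_RESERVE, PAGE_NOACCESS);
        if (p == NULL) return i;            /* keep what was obtained */
        bases[i] = (uintptr_t)p;
    }
    return count;
}
#endif
```

On Windows, pass an array of 256 uintptr_t to bottom_up_randomize() and feed the returned count to reservations_are_bottom_up() to confirm the reservations landed as intended.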