Position-Independent Code Reuse: On the Effectiveness of ASLR in the Absence of Information Disclosure

Enes Goktas, Benjamin Kollenda, Philipp Koppe, Erik Bosman, Georgios Portokalidis, Thorsten Holz, Herbert Bos, Cristiano Giuffrida

Research output: Chapter in Book / Report / Conference proceedingConference contributionAcademicpeer-review

239 Downloads (Pure)


Address-space layout randomization is a wellestablished defense against code-reuse attacks. However, it can be completely bypassed by just-in-time code-reuse attacks that rely on information disclosure of code addresses via memory or side-channel exposure. To address this fundamental weakness, much recent research has focused on detecting and mitigating information disclosure. The assumption being that if we perfect such techniques, we will not only maintain layout secrecy but also stop code reuse. In this paper, we demonstrate that an advanced attacker can mount practical code-reuse attacks even in the complete absence of information disclosure. To this end, we present Position-Independent Code-Reuse Attacks, a new class of codereuse attacks relying on the relative rather than absolute location of code gadgets in memory. By means of memory massaging, the attacker first makes the victim program generate a rudimentary ROP payload (for instance, containing code pointers that target instructions 'close' to relevant gadgets). Afterwards, the addresses in this payload are patched with small offsets via relative memory writes. To establish the practicality of such attacks, we present multiple Position-Independent ROP exploits against real-world software. After showing that we can bypass ASLR in current systems without requiring information disclosures, we evaluate the impact of our technique on other defenses, such as fine-grained ASLR, multi-variant execution, execute-only memory and re-randomization. We conclude by discussing potential mitigations.

Original languageEnglish
Title of host publicationProceedings - 3rd IEEE European Symposium on Security and Privacy, EURO S and P 2018
PublisherInstitute of Electrical and Electronics Engineers Inc.
Number of pages16
ISBN (Electronic)9781538642276
Publication statusPublished - 6 Jul 2018
Event3rd IEEE European Symposium on Security and Privacy, EURO S and P 2018 - London, United Kingdom
Duration: 24 Apr 201826 Apr 2018


Conference3rd IEEE European Symposium on Security and Privacy, EURO S and P 2018
Country/TerritoryUnited Kingdom


We would like to thank the anonymous reviewers for their valuable feedback. This work is based upon research supported in part by the European Commission through project H2020 MSCA-RISE-2015 “PROTASIS” under Grant Agreement No. 690972 and H2020 “BASTION” under Grant Agreement No. 640110, in part by the U.S. Office of Naval Research under award numbers N00014-16-1-2261, N00014-17-1-2788, and N00014-17-1-2782, and in part by the Netherlands Organisation for Scientific Research through grants NWO 639.023.309 VICI “Dowsing” and NWO 639.021.753 VENI “PantaRhei”.

FundersFunder number
U.S. Office of Naval ResearchN00014-17-1-2782, N00014-17-1-2788, N00014-16-1-2261
Horizon 2020 Framework Programme640110
European CommissionH2020 MSCA-RISE-2015, 690972
Nederlandse Organisatie voor Wetenschappelijk Onderzoek639.023.309


    • exploitation
    • security
    • vulnerability


    Dive into the research topics of 'Position-Independent Code Reuse: On the Effectiveness of ASLR in the Absence of Information Disclosure'. Together they form a unique fingerprint.

    Cite this