ASLR
What is ASLR?
ASLR (Address Space Layout Randomization) randomizes the memory locations of code, stacks, heaps, and libraries so attackers cannot reliably predict target addresses for exploits.
ASLR is a defensive mitigation that randomizes the base addresses of key process regions (the executable, shared libraries, heap, stack, and mmap area) each time a program runs. It was pioneered by the PaX project in 2001 and has since shipped in Linux, Windows, macOS, iOS, and Android. By making the memory layout unpredictable, ASLR forces an attacker to first leak an address before mounting code-reuse attacks such as ROP. Its effectiveness depends on three things. Entropy: the number of randomized bits matters, since on x86-64 Linux the mmap base gets 28 bits by default but 32-bit x86 gets only 8, which is brute-forceable, and a forking server hands every child the parent's layout, so a crash-tolerant service can be brute-forced byte by byte. Coverage: every module must be randomizable; a main executable not built as a PIE (or, on Windows, without /DYNAMICBASE) sits at a fixed address and supplies gadgets regardless of where the libraries land. Complementary mitigations: randomization is page-granular, so the low 12 bits of every address are fixed and a one- or two-byte partial overwrite of a pointer needs no leak, and a single leaked pointer reveals the whole module it belongs to; DEP/NX, stack canaries, and CFI are needed to cover these gaps.
● Examples
- 01
Linux randomizing the stack, heap, and PIE binary base on every exec.
- 02
Windows ASLR rebasing system DLLs such as kernel32.dll and ntdll.dll once per boot, so their addresses are shared by every process until the next reboot and a leak in one process is valid in another.
● Frequently asked questions
What is ASLR?
Address Space Layout Randomization randomizes the memory locations of code, stacks, heaps, and libraries so attackers cannot reliably predict target addresses for exploits. It belongs to the Application Security category of cybersecurity.
What does ASLR mean?
Address Space Layout Randomization randomizes the memory locations of code, stacks, heaps, and libraries so attackers cannot reliably predict target addresses for exploits.
How does ASLR work?
ASLR is a defensive mitigation that randomizes the base addresses of key process regions (the executable, shared libraries, heap, stack, and mmap area) each time a program runs. It was pioneered by the PaX project in 2001 and has since shipped in Linux, Windows, macOS, iOS, and Android. By making the memory layout unpredictable, ASLR forces an attacker to first leak an address before mounting code-reuse attacks such as ROP. Its effectiveness depends on three things. Entropy: the number of randomized bits matters, since on x86-64 Linux the mmap base gets 28 bits by default but 32-bit x86 gets only 8, which is brute-forceable, and a forking server hands every child the parent's layout, so a crash-tolerant service can be brute-forced byte by byte. Coverage: every module must be randomizable; a main executable not built as a PIE (or, on Windows, without /DYNAMICBASE) sits at a fixed address and supplies gadgets regardless of where the libraries land. Complementary mitigations: randomization is page-granular, so the low 12 bits of every address are fixed and a one- or two-byte partial overwrite of a pointer needs no leak, and a single leaked pointer reveals the whole module it belongs to; DEP/NX, stack canaries, and CFI are needed to cover these gaps.
How do you deploy ASLR effectively?
ASLR is itself a defence, so the question is how to get full benefit from it. Enable it system-wide (on Linux, kernel.randomize_va_space=2 randomizes the stack, mmap area, vDSO, and brk heap), build executables as position-independent (GCC/Clang -fPIE -pie; on Windows /DYNAMICBASE, plus /HIGHENTROPYVA for 64-bit images) so that every loaded module is randomized, verify on a running process that its regions actually move between runs, and pair it with DEP/NX, stack canaries, and CFI, because ASLR alone falls to information leaks and partial pointer overwrites.
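The checks a practitioner runs on Linux to confirm the conditions described above (system-wide randomization enabled, the binary built as a PIE, and each region actually moving between runs), as an added example that is not code from the original page. The /proc paths, the ELF e_type constants, and the two /proc/PID/maps snapshots embedded below are assumed or constructed for illustration; the live comparison only runs on Linux.

```python
"""ASLR posture checker: is randomization enabled, is the binary a PIE, and
which regions actually move between two runs?  Added example, not code from
the original page; the Linux-specific paths below are assumptions."""
import os
import shutil
import struct
import subprocess
from typing import Dict

RANDOMIZE_VA_SPACE = "/proc/sys/kernel/randomize_va_space"  # Linux sysctl

# ELF e_type values from the ELF specification.
ET_EXEC = 2   # fixed-address executable: the main image cannot be randomized
ET_DYN = 3    # shared object or PIE: the loader may place it anywhere


def elf_is_pie(header: bytes) -> bool:
    """True if an ELF header describes an ET_DYN image (PIE or shared object).

    Only the identification bytes and e_type are read, so this works for
    32- and 64-bit images and either endianness.
    """
    if len(header) < 18 or header[:4] != b"\x7fELF":
        raise ValueError("not an ELF header")
    endian = "<" if header[5] == 1 else ">"  # EI_DATA: 1 = little, 2 = big
    (e_type,) = struct.unpack(endian + "H", header[16:18])
    if e_type not in (ET_EXEC, ET_DYN):
        raise ValueError("not an executable image (e_type=%d)" % e_type)
    return e_type == ET_DYN


def system_aslr_level() -> int:
    """0 = off, 1 = stack/mmap/vDSO randomized, 2 = brk heap as well."""
    with open(RANDOMIZE_VA_SPACE) as f:
        return int(f.read().strip())


def parse_maps(text: str) -> Dict[str, int]:
    """Map each named region in /proc/PID/maps to its lowest start address."""
    bases: Dict[str, int] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # anonymous mapping without a pathname; skip it
        start = int(fields[0].split("-")[0], 16)
        name = fields[5]
        bases[name] = min(start, bases.get(name, start))
    return bases


def randomized_regions(maps_a: str, maps_b: str) -> Dict[str, bool]:
    """For each region present in both snapshots, True if its base moved."""
    a, b = parse_maps(maps_a), parse_maps(maps_b)
    return {name: a[name] != b[name] for name in a if name in b}


def live_check() -> Dict[str, bool]:
    """Run `cat /proc/self/maps` twice and report what moved (Linux only)."""
    snaps = [subprocess.run(["cat", "/proc/self/maps"], capture_output=True,
                            text=True, check=True).stdout for _ in range(2)]
    return randomized_regions(snaps[0], snaps[1])


# Constructed sample snapshots of two separate runs of /bin/cat on x86-64.
# Every region moves except the legacy [vsyscall] page, which the kernel
# keeps at a fixed address.
MAPS_RUN1 = """\
5577a2c40000-5577a2c44000 r--p 00000000 fd:01 131 /bin/cat
5577a2c44000-5577a2c49000 r-xp 00004000 fd:01 131 /bin/cat
5577a3f10000-5577a3f31000 rw-p 00000000 00:00 0 [heap]
7f3c9e200000-7f3c9e228000 r--p 00000000 fd:01 922 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd1a4e0000-7ffd1a501000 rw-p 00000000 00:00 0 [stack]
ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0 [vsyscall]
"""
MAPS_RUN2 = """\
55c0f1a80000-55c0f1a84000 r--p 00000000 fd:01 131 /bin/cat
55c0f1a84000-55c0f1a89000 r-xp 00004000 fd:01 131 /bin/cat
55c0f2d60000-55c0f2d81000 rw-p 00000000 00:00 0 [heap]
7fa1c4600000-7fa1c4628000 r--p 00000000 fd:01 922 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffc5e8a0000-7ffc5e8c1000 rw-p 00000000 00:00 0 [stack]
ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0 [vsyscall]
"""

if __name__ == "__main__":
    if os.path.exists(RANDOMIZE_VA_SPACE):
        print("kernel.randomize_va_space =", system_aslr_level())
        cat = shutil.which("cat")
        with open(cat, "rb") as f:
            print(cat, "is PIE:", elf_is_pie(f.read(64)))
        regions = live_check()
    else:
        print("no /proc here; comparing the constructed snapshots instead")
        regions = randomized_regions(MAPS_RUN1, MAPS_RUN2)
    for name, moved in regions.items():
        print(("moved  " if moved else "FIXED  ") + name)
```

Anything reported as FIXED other than [vsyscall] is a gap in coverage: a non-PIE main executable shows up here as a FIXED path, and that single module is enough to build a ROP chain without a leak.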
What are other names for ASLR?
The only common alternative name is the expanded form, Address Space Layout Randomization. PIE (Position-Independent Executable) is sometimes listed alongside it but is not a synonym: it is the build mode (-fPIE -pie on GCC/Clang) that lets the main executable be relocated so that ASLR covers it as well as the libraries.
● Related terms
-
KASLR
Kernel Address Space Layout Randomization (KASLR) randomizes the kernel base and module load addresses each boot so attackers cannot hardcode kernel symbols for local privilege escalation.
-
DEP
Data Execution Prevention (also called NX or W^X) marks memory pages as non-executable so attackers cannot run shellcode injected into the stack or heap.
-
Return-Oriented Programming
Return-Oriented Programming (ROP) is a code-reuse exploit technique that chains short instruction sequences ending in RET to execute arbitrary computation without injecting new code.
-
Stack Canary
A stack canary is a secret value placed between a function's local buffers and its saved return address to detect stack buffer overflows before they hijack control flow.
-
Control-Flow Integrity
Control-Flow Integrity (CFI) constrains a program's indirect calls and returns to a precomputed set of legitimate targets, blocking ROP and JOP exploits that hijack control flow.
-
Memory Safety
Memory safety is the property that a program never reads, writes, or executes memory it has not legitimately allocated, preventing entire classes of vulnerabilities.
● See also
- Heap Spraying
- Heap Feng Shui
- Jump-Oriented Programming
- Shadow Stack
- Intel CET
- Memory-Safe Languages