What's the purpose of ASLR on android?

Question

Android 4.0 added ASLR

http://developer.android.com/sdk/android-4.0-highlights.html#DeveloperApis

Afaik, ASLR is mainly useful to avoid letting some malicious code leak/put a payload in another library when exploiting a buffer overflow vulnerability

But almost all of the code that'll run on android will be managed, so it shouldn't be affected by memory management errors

It can probably be useful for native code. Otoh, I thought that most of the programs that make use of the NDK (like opengl game engines made in C), still have a layer of java code to deal with the user input and such (and I think user supplied files/strings would be the main vector for malicious code)

Clearly I'm missing something in my picture

Something related..http://stackoverflow.com/questions/5917768/is-there-some-sort-of-aslr-protection-on-android — Krishnabhadra, Oct 19 '11 at 10:53

score 1 · Accepted Answer · answered Nov 19 '14 at 15:06

Even if you can add only programs written in a managed language like Java, the existing C libraries are still vulnerables to buffer overflow.

By example, the library used to play mp3 is probably written in C and a specially crafted mp3 file could trigger a buffer overflow and execute a shellcode. Adding ASLR (Address Space Layout Randomization) in Android will increase the difficulty of writing such an exploit by randomizing some memory addresses.

What's the purpose of ASLR on android?

1 Answers1