AD2050: DoNotUseCustomBaseAddress¶
Summary¶
| Property | Value |
|---|---|
| ID | AD2050 |
| Name | DoNotUseCustomBaseAddress |
| Category | Security |
| Severity | Warning |
| Applies to | PE (Windows) |
Description¶
PE binaries should not specify a custom base address that could interfere with ASLR or reduce the randomization entropy.
How It Works¶
The rule checks the PE optional header:
- ImageBase field for non-standard values
- Linker flags that fix the base address
- Conflicts with high-entropy ASLR
Why This Matters¶
Custom base addresses can undermine ASLR effectiveness by making the binary's location predictable or reducing available randomization space.
Standard Base Addresses¶
| Binary Type | Standard Base |
|---|---|
| EXE (32-bit) | 0x00400000 |
| EXE (64-bit) | 0x140000000 |
| DLL (32-bit) | 0x10000000 |
| DLL (64-bit) | 0x180000000 |
ASLR Interference¶
High-entropy ASLR:
Base can be anywhere in address space
Maximum randomization
Custom base at 0x10000000:
Forces loading near fixed address
Reduces or eliminates randomization
Why Developers Use Custom Bases¶
| Reason | Better Alternative |
|---|---|
| Avoid collisions | Let ASLR handle it |
| Performance | Enable high-entropy ASLR |
| Legacy compatibility | Update the code |
| Debugging | Use ASLR-aware tools |
Security Impact¶
| Configuration | ASLR Entropy |
|---|---|
| Default + high-entropy | ~17-28 bits |
| Custom base | 0 bits |
| Potential attack | Much easier with custom base |
Resolution¶
Remove custom base address specifications:
# Do NOT use
link /BASE:0x10000000 program.obj
# Use default
link /DYNAMICBASE /HIGHENTROPYVA program.obj