Address Space Randomization (ASR) techniques randomize process layout to prevent attackers from locating target functions. Prior ASR techniques have considered singletarget attacks, which succeed if the attacker can locate a single, powerful system library function. These techniques are not sufficient to defend against chained return-into-lib(c) attacks, each of which calls a sequence of system library functions in order. In this paper, we propose a new ASR technique, code islands, that randomizes not only the base pointers of memory mapping (mmapping), but also relative distances between functions, maximally and dynamically. Our technique can minimize the utility of information gained in early probes of a chained return-into-lib(c) attack, for later stages of that attack. With a pre-defined rerandomization threshold, our code islands technique not only is exponentially more effective than any prior ASR technique in defending against brute-force searches for locations of multiple targets-a key component of chained return-into-lib(c) attacks, but can also maintain high service availability even under attack. Our overhead measurement on some wellknown GNU applications shows that it takes less than 0.05 second to load/rerandomize a process with the necessary C system library functions using code islands, and our technique introduces a 3-10% run-time overhead from interisland control transfers. We conclude that the code island technique is well-suited to dedicated multi-threaded servers.