From Gentoo Wiki

Address space layout randomization

Address space layout randomization (ASLR) randomizes the memory addresses of processes in an attempt to make exploitation of vulnerabilities via buffer overflow more difficult. Its effectiveness is reduced if a program's randomized memory layout is in some way predictable, if variations in memory layout don't affect a given exploitation technique, or if an attacker is able to make many attempts. As with all entropy-based statistical defense methods, brute force could (in principle) overcome it eventually. In user space, incorrect guesses usually result in the application crashing.

The idea originated in 2001 with the PaX project.[1] ASLR in some form has been enabled by default since kernel 2.6.12.[2][3][4][5]

The 2019 article Address Space Layout Randomization Next Generation[6] provides one of the best overviews of current approaches, vulnerabilities, and proposed improvements. Implementations can vary with respect to what is randomized, how often, and to what extent. The need for program memory to grow and shrink at runtime negatively affects entropy, and huge pages especially have low entropy. Another major issue is the inheriting of parent process memory layout by child processes. The paper outlines a proposal for ASLR-NG (Next Generation) which pre-reserves memory and divides memory objects into zones to overcome many of these issues.

Position-independent executables

A position-independent executable[7] (PIE) is compiled such that it can be located anywhere in memory and still execute correctly. Without this, ASLR protection has no effect.[8] Gentoo Hardened GCC profiles do this automatically (see Automatic generation of Position Independent Executables).

Kernel ASLR

Kernel address space layout randomization (KASLR) was added in 3.14 and randomizes the physical and virtual addresses where the kernel image is decompressed at boot.[9] It is not currently compatible with hibernation.[10][11][12]

KASLR can be disabled at boot by passing nokaslr to the kernel command line.[13][14] For example, in GRUB:

FILE /etc/default/grubAdding nokaslr to the kernel command line
GRUB_CMDLINE_LINUX="nokaslr"

Checking if ASLR is enabled

In the kernel

root #cat /proc/sys/kernel/randomize_va_space
  • 0 — Disabled
  • 1 — Conservative Randomization (Shared libraries, stack, mmap(), VDSO and heap)[15]
  • 2 — Full Randomization

A script for this can be found here.[16]

Another way to check is:

root #sysctl -a --pattern randomize
kernel.randomize_va_space = 2

For an executable

The command ldd can be used to print the modules/libraries a program depends on, along with their current location in memory.[17] As the dependencies are loaded each time ldd is run, running it twice with the same program should display different locations in memory when ASLR/PIE are enabled. For example:

root #ldd /bin/alacritty (0x00007ffe07db9000) => /usr/lib64/ (0x00007ff276b05000) => /usr/lib64/ (0x00007ff2772d1000) => /usr/lib/gcc/x86_64-pc-linux-gnu/13/ (0x00007ff2772ac000) => /usr/lib64/ (0x00007ff276a24000) => /usr/lib64/ (0x00007ff276841000) => /usr/lib64/ (0x00007ff277292000) => /usr/lib64/ (0x00007ff27727c000) => /usr/lib64/ (0x00007ff276806000) => /usr/lib64/ (0x00007ff27726d000) => /usr/lib64/ (0x00007ff2767da000)
	/lib64/ (0x00007ff277369000) => /usr/lib64/ (0x00007ff2767b6000)
root #ldd /bin/alacritty (0x00007ffea35ea000) => /usr/lib64/ (0x00007f3075d05000) => /usr/lib64/ (0x00007f30764ae000) => /usr/lib/gcc/x86_64-pc-linux-gnu/13/ (0x00007f3076489000) => /usr/lib64/ (0x00007f3075c24000) => /usr/lib64/ (0x00007f3075a41000) => /usr/lib64/ (0x00007f307646f000) => /usr/lib64/ (0x00007f3076459000) => /usr/lib64/ (0x00007f3075a06000) => /usr/lib64/ (0x00007f30759f7000) => /usr/lib64/ (0x00007f30759cb000)
	/lib64/ (0x00007f3076546000) => /usr/lib64/ (0x00007f30759a7000)
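The checks in this section and the PIE requirement from the Position-independent executables section can be done programmatically. The following Python script is an added example, not code from the Gentoo wiki or from any Gentoo project: it decodes kernel.randomize_va_space into the three meanings listed above, reads the e_type field of an ELF header to tell a position-independent executable (ET_DYN) from a fixed-address one (ET_EXEC), and compares the stack base of two freshly spawned processes, which is the same comparison the page makes by running ldd twice. The ELF header bytes and the maps line embedded below are constructed test data; the /proc paths exist only on Linux, and the script reports "unavailable" elsewhere. Note that a plain shared library is also ET_DYN, so is_pie() only distinguishes relocatable from fixed-address images.

```python
from __future__ import annotations

import struct
import subprocess
import sys
from pathlib import Path

RANDOMIZE_VA_SPACE = Path("/proc/sys/kernel/randomize_va_space")

# Meaning of each randomize_va_space value, as listed on the page.
VA_SPACE_MEANING = {0: "disabled", 1: "conservative randomization", 2: "full randomization"}

ET_EXEC = 2  # ELF e_type of a classic executable linked at a fixed address
ET_DYN = 3   # ELF e_type of shared objects and position-independent executables

# Constructed sample data (not taken from a real system): two minimal ELF64
# little-endian headers, one big-endian ELF32 header, and one /proc maps line.
SAMPLE_PIE64 = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"\x03\x00"
SAMPLE_EXEC64 = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"\x02\x00"
SAMPLE_DYN32_BE = b"\x7fELF\x01\x02\x01" + b"\x00" * 9 + b"\x00\x03"
SAMPLE_MAPS = "7ffd1a2b3000-7ffd1a2d4000 rw-p 00000000 00:00 0                          [stack]\n"


def decode_randomize_va_space(text: str) -> tuple[int, str]:
    """Turn the raw contents of /proc/sys/kernel/randomize_va_space into (value, meaning)."""
    value = int(text.strip())
    if value not in VA_SPACE_MEANING:
        raise ValueError(f"unexpected randomize_va_space value: {value}")
    return value, VA_SPACE_MEANING[value]


def elf_type(header: bytes) -> int:
    """Read e_type from an ELF header, honouring the file's own byte order.
    Offsets follow the ELF specification: magic at 0, EI_DATA at 5,
    e_type at 16 (the same offset for ELF32 and ELF64)."""
    if len(header) < 18 or header[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    byte_order = {1: "<", 2: ">"}.get(header[5])
    if byte_order is None:
        raise ValueError(f"unknown EI_DATA value {header[5]}")
    return struct.unpack_from(byte_order + "H", header, 16)[0]


def is_pie(header: bytes) -> bool:
    """True for ET_DYN (PIE, and also shared libraries), False for ET_EXEC.
    ASLR can only relocate the main program image when this is True."""
    return elf_type(header) == ET_DYN


def file_is_pie(path: str) -> bool:
    """Read just the ELF header of a file on disk and classify it."""
    with open(path, "rb") as f:
        return is_pie(f.read(64))


def parse_stack_base(maps_text: str) -> int | None:
    """Return the start address of the [stack] mapping from /proc/<pid>/maps text."""
    for line in maps_text.splitlines():
        if line.rstrip().endswith("[stack]"):
            return int(line.split("-", 1)[0], 16)
    return None


def stack_bases_differ(runs: int = 2) -> bool | None:
    """Spawn fresh processes and check whether their stack bases differ.
    Returns None where /proc/self/maps cannot be read (non-Linux systems)."""
    bases = set()
    for _ in range(runs):
        try:
            # /proc/self inside cat refers to the cat process itself, so each
            # run observes the layout of a newly created process.
            proc = subprocess.run(["cat", "/proc/self/maps"],
                                  capture_output=True, text=True, check=True)
        except (OSError, subprocess.CalledProcessError):
            return None
        base = parse_stack_base(proc.stdout)
        if base is None:
            return None
        bases.add(base)
    return len(bases) > 1


def main(argv: list[str]) -> int:
    try:
        value, meaning = decode_randomize_va_space(RANDOMIZE_VA_SPACE.read_text())
        print(f"kernel.randomize_va_space = {value} ({meaning})")
    except OSError:
        print("kernel.randomize_va_space: unavailable (no Linux /proc)")
    for path in argv[1:]:
        verdict = "PIE (ET_DYN)" if file_is_pie(path) else "not PIE (ET_EXEC): ASLR cannot move its image"
        print(f"{path}: {verdict}")
    differ = stack_bases_differ()
    print("stack base differs between two fresh processes:",
          "unavailable" if differ is None else differ)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 aslr_check.py /bin/alacritty` (or any binary); a system with randomize_va_space set to 2 and a PIE binary reports full randomization, ET_DYN, and differing stack bases.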

Modify ASLR at runtime

ASLR can be temporarily changed with

root #echo value > /proc/sys/kernel/randomize_va_space

or via sysctl:

root #sysctl -w kernel.randomize_va_space=value

where value is 0, 1, or 2.

Issues with programs

ASLR may cause issues with some programs. The GNU debugger (GDB) disables it by default for the programs it runs. IBM's Db2 may also have issues with it.[18]
