From Gentoo Wiki

Address space layout randomization

Address space layout randomization (ASLR) randomizes the memory addresses of processes in an attempt to make exploitation of existing vulnerabilities more difficult. Its effectiveness is reduced if a program's randomized memory layout is in some way predictable, if variations in memory layout don't affect a given exploitation technique, or if an attacker is able to make many attempts. As with all entropy-based statistical defense methods, brute force can overcome it eventually. In user space, incorrect guesses usually result in the application crashing.

The idea originated in 2001 with the PaX project.[1] ASLR in some form has been enabled by default since kernel 2.6.12.[2][3][4][5]

The 2019 article Address Space Layout Randomization Next Generation[6] provides one of the best overviews of current approaches, vulnerabilities, and proposed improvements. Implementations can vary with respect to what is randomized, how often, and to what extent. The need for program memory to grow and shrink at runtime negatively affects entropy, and huge pages especially have low entropy. Another major issue is the inheriting of parent process memory layout by child processes. The paper outlines a proposal for ASLR-NG (Next Generation) which pre-reserves memory and divides memory objects into zones to overcome many of these issues.

Kernel ASLR

Kernel address space layout randomization (KASLR) was added in 3.14 and randomizes the physical and virtual addresses where the kernel image is decompressed at boot.[7] It is not currently compatible with hibernation.[8][9][10]

Checking if ASLR is enabled

root # cat /proc/sys/kernel/randomize_va_space
  • 0 — Disabled
  • 1 — Conservative Randomization (Shared libraries, stack, mmap(), VDSO and heap)[11]
  • 2 — Full Randomization

A script for this can be found here.[12]

Modify ASLR at runtime

ASLR can be temporarily changed via:

root # echo value > /proc/sys/kernel/randomize_va_space

Position-independent executables

A position-independent executable[13] (PIE) is compiled such that it can be located anywhere in memory and still execute correctly. Without this, ASLR protection has no effect.[14] Gentoo Hardened GCC profiles do this automatically (see Automatic generation of Position Independent Executables).
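The following POSIX shell script is an added example, not the script referenced on this page nor anything from the Gentoo project: it ties the sysctl check above to two empirical checks, comparing the stack base of two fresh processes and reading an ELF header's e_type field to tell a fixed-address executable (ET_EXEC) from a position-independent one (ET_DYN). The function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not from the Gentoo Wiki page: report the kernel ASLR level,
# confirm randomization empirically, and check whether a binary is PIE.

# Describe a randomize_va_space value (the three levels listed on the page).
describe_aslr() {
    case "$1" in
        0) echo "0: Disabled" ;;
        1) echo "1: Conservative Randomization (shared libraries, stack, mmap(), VDSO and heap)" ;;
        2) echo "2: Full Randomization (additionally randomizes the brk-based heap)" ;;
        *) echo "$1: unknown value"; return 1 ;;
    esac
}

# Lowest address of the [stack] mapping of a fresh process (grep itself reads
# its own /proc/self/maps). Two calls differing means the stack is randomized.
stack_base() {
    grep -F '[stack]' /proc/self/maps | cut -d- -f1
}
stack_randomized() {
    a=$(stack_base); b=$(stack_base)
    [ -n "$a" ] && [ "$a" != "$b" ]
}

# Decode the ELF e_type field (2 bytes at offset 16; byte 5, EI_DATA, gives the
# byte order: 1 = little-endian, 2 = big-endian). ET_EXEC loads at a fixed
# address and gains nothing from ASLR; ET_DYN is how a PIE (or a shared object) looks.
elf_type() {
    f=$1
    order=$(od -An -tu1 -j5 -N1 "$f" | tr -d ' ')
    set -- $(od -An -tu1 -j16 -N2 "$f")
    if [ "$order" = "2" ]; then t=$(( $1 * 256 + $2 )); else t=$(( $2 * 256 + $1 )); fi
    case "$t" in
        2) echo ET_EXEC ;;
        3) echo ET_DYN ;;
        *) echo "unknown($t)" ;;
    esac
}

# Report for the running system and for the binary named in $1 (default: sh).
aslr_report() {
    describe_aslr "$(cat /proc/sys/kernel/randomize_va_space 2>/dev/null || echo unknown)" || true
    if stack_randomized; then echo "stack base differs between runs: randomization observed"
    else echo "stack base identical or unreadable: randomization NOT observed"; fi
    bin=$(command -v "${1:-sh}")
    echo "$bin: $(elf_type "$bin")"
}

aslr_report "$@"
```

A system at level 2 whose main binaries still report ET_EXEC has randomized libraries and stack but a fixed-address executable, which is the situation the paragraph above describes.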

See also

  • Kernel — the core of the operating system.
  • Kernel Modules — object files that contain code to extend the kernel of an operating system.
  • Signed kernel module support — allows further hardening of the system by disallowing unsigned kernel modules, or kernel modules signed with the wrong key, to be loaded.

External resources