User:JM01085758/aslr

Address space layout randomization

Address space layout randomization (ASLR) randomizes the memory addresses of processes in an attempt to make exploitation of vulnerabilities via buffer overflow more difficult. Its effectiveness is reduced if a program's randomized memory layout is in some way predictable, if variations in memory layout don't affect a given exploitation technique, or if an attacker is able to make many attempts. As with all entropy-based statistical defense methods, brute force could (in principle) overcome it eventually. In user space, incorrect guesses usually result in the application crashing.

The idea originated in 2001 with the PaX project.^[1] ASLR in some form has been enabled by default since kernel 2.6.12.^[2]^[3]^[4]^[5]

The 2019 article Address Space Layout Randomization Next Generation^[6] provides one of the best overviews of current approaches, vulnerabilities, and proposed improvements. Implementations can vary with respect to what is randomized, how often, and to what extent. The need for program memory to grow and shrink at runtime negatively affects entropy, and huge pages especially have low entropy. Another major issue is the inheriting of parent process memory layout by child processes. The paper outlines a proposal for ASLR-NG (Next Generation) which pre-reserves memory and divides memory objects into zones to overcome many of these issues.

Position-independent executables

A position-independent executable^[7] (PIE) is compiled such that it can be located anywhere in memory and still execute correctly. Without this, ASLR protection has no effect.^[8] Gentoo Hardened GCC profiles do this automatically (see Automatic generation of Position Independent Executables).

Kernel ASLR

Kernel address space layout randomization (KASLR) was added in 3.14 and randomizes the physical and virtual addresses where the kernel image is decompressed at boot.^[9] It is not currently compatible with hibernation.^[10]^[11]^[12]

KASLR can be disabled at boot by passing nokaslr to the kernel command line.^[13]^[14] For example, in GRUB:

FILE /etc/default/grub

GRUB_CMDLINE_LINUX="nokaslr"

Checking if ASLR is enabled

In the kernel

root #cat /proc/sys/kernel/randomize_va_space

0 — Disabled
1 — Conservative Randomization (Shared libraries, stack, mmap(), VDSO and heap)^[15]
2 — Full Randomization

A script for this can be found here.^[16]

Another way to check is:

root #sysctl -a --pattern randomize

kernel.randomize_va_space = 2

For an executable

The command ldd can be used to print the modules/libraries a program depends on, along with their current location in memory.^[17] As the dependencies are loaded each time ldd is run, running it twice with the same program should display different locations in memory when ASLR/PIE are enabled. For example:

root #ldd /bin/alacritty

	linux-vdso.so.1 (0x00007ffe07db9000)
	libfreetype.so.6 => /usr/lib64/libfreetype.so.6 (0x00007ff276b05000)
	libfontconfig.so.1 => /usr/lib64/libfontconfig.so.1 (0x00007ff2772d1000)
	libgcc_s.so.1 => /usr/lib/gcc/x86_64-pc-linux-gnu/13/libgcc_s.so.1 (0x00007ff2772ac000)
	libm.so.6 => /usr/lib64/libm.so.6 (0x00007ff276a24000)
	libc.so.6 => /usr/lib64/libc.so.6 (0x00007ff276841000)
	libz.so.1 => /usr/lib64/libz.so.1 (0x00007ff277292000)
	libbz2.so.1 => /usr/lib64/libbz2.so.1 (0x00007ff27727c000)
	libpng16.so.16 => /usr/lib64/libpng16.so.16 (0x00007ff276806000)
	libbrotlidec.so.1 => /usr/lib64/libbrotlidec.so.1 (0x00007ff27726d000)
	libexpat.so.1 => /usr/lib64/libexpat.so.1 (0x00007ff2767da000)
	/lib64/ld-linux-x86-64.so.2 (0x00007ff277369000)
	libbrotlicommon.so.1 => /usr/lib64/libbrotlicommon.so.1 (0x00007ff2767b6000)

vs.

root #ldd /bin/alacritty

	linux-vdso.so.1 (0x00007ffea35ea000)
	libfreetype.so.6 => /usr/lib64/libfreetype.so.6 (0x00007f3075d05000)
	libfontconfig.so.1 => /usr/lib64/libfontconfig.so.1 (0x00007f30764ae000)
	libgcc_s.so.1 => /usr/lib/gcc/x86_64-pc-linux-gnu/13/libgcc_s.so.1 (0x00007f3076489000)
	libm.so.6 => /usr/lib64/libm.so.6 (0x00007f3075c24000)
	libc.so.6 => /usr/lib64/libc.so.6 (0x00007f3075a41000)
	libz.so.1 => /usr/lib64/libz.so.1 (0x00007f307646f000)
	libbz2.so.1 => /usr/lib64/libbz2.so.1 (0x00007f3076459000)
	libpng16.so.16 => /usr/lib64/libpng16.so.16 (0x00007f3075a06000)
	libbrotlidec.so.1 => /usr/lib64/libbrotlidec.so.1 (0x00007f30759f7000)
	libexpat.so.1 => /usr/lib64/libexpat.so.1 (0x00007f30759cb000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f3076546000)
	libbrotlicommon.so.1 => /usr/lib64/libbrotlicommon.so.1 (0x00007f30759a7000)

Modify ASLR at runtime

ASLR can be temporarily changed with

root #echo value > /proc/sys/kernel/randomize_va_space

or via sysctl:

root #sysctl -w kernel.randomize_va_space=value

where value is 0, 1, or 2.

Issues with programs

ASLR may cause issues with some programs. In the GNU debugger, it is disabled by default. IBM's Db2 may also have issues with it.^[18]

External resources

An abridged history of Linux kernel security — Russell Currey (Everything Open 2023)
ASLR-NG: ASLR Next Generation
Kernel Address Space Layout Randomization — Kees Cook, Linux Security Summit 2013^[19]
Kernel address randomization — Jonathan Corbet, 2011
Kernel Security Is Cool Again — Casey Schaufler, linux.conf.au 2019
Overview of the Linux Kernel Security Subsystem — James Morris, Microsoft

References

[1] ttps://web.archive.org/web/20220120211435/https://grsecurity.net/PaX-presentation.pdf

[2] ttps://www.tomshardware.com/reviews/pwn2own-mac-hack,2254-4.html

[3] ttps://lkml.iu.edu/hypermail/linux/kernel/1011.3/02674.html

[4] ttps://lkml.iu.edu/hypermail/linux/kernel/1011.3/02831.html

[5] ttps://lkml.org/lkml/2005/1/27/56

[6] ttps://www.mdpi.com/2076-3417/9/14/2928

[7] ttps://en.wikipedia.org/wiki/Position-independent_code

[8] ttps://web.archive.org/web/20210814111134/https://securityetalii.es/2013/02/03/how-effective-is-aslr-on-linux-systems/

[9] ttps://kernelnewbies.org/Linux_3.14#Kernel_address_space_randomization

[10] ttps://lwn.net/Articles/569635/

[11] ttps://bugs.launchpad.net/ubuntu/+source/linux-aws/+bug/1837469

[12] ttps://docs.aws.amazon.com/AWSEC2/latest/UserGuide/hibernation-disable-kaslr.html

[13] ttps://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html

[14] ttps://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/virtualization_security_guide/sect-virtualization_security_guide-guest_security-kaslr

[15] ttps://askubuntu.com/questions/318315/how-can-i-temporarily-disable-aslr-address-space-layout-randomization

[16] ttps://gist.github.com/RomainBertin/f33060720851a00e4c789831f6b99fdb

[17] ttps://man7.org/linux/man-pages/man1/ldd.1.html

[18] ttps://www.ibm.com/support/pages/various-db2-failures-may-occur-linux-address-space-layout-randomization-aslr

[19] ttps://kernsec.org/wiki/index.php/Linux_Security_Summit_2013

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]

[18]

[19]