====== Address Space Layout Randomization (ASLR) ======

Memory corruption exploitation techniques depend on knowledge of absolute addresses in the context of the running application. Introducing randomness into the memory layout of the process increases the difficulty of exploitation. One approach to do so is Address Space Layout Randomization (ASLR). As an operating system feature, ASLR is available on all modern platforms, but its effectiveness depends on the implementation and the size of the address space((D. H. Aristizabal, D. M. Rodriguez and R. Y. Guevara, "Measuring ASLR implementations on modern operating systems," 2013 47th International Carnahan Conference on Security Technology (ICCST), Medellin, 2013, pp. 1-6.)).

On Linux systems ASLR for user programs is implemented as an operating system feature and is enabled or disabled globally. Its status is represented by the file ''/proc/sys/kernel/randomize_va_space''. The following states are available(([[https://www.kernel.org/doc/Documentation/sysctl/kernel.txt|Documentation for sysctl - The Linux Kernel Archives]])).

^ Value ^ Description ^
| 0 | ASLR is disabled |
| 1 | Stack and shared library offsets are randomized |
| 2 | In addition to value 1, the heap offset is also randomized |

The program below is used to inspect the effects of the different ASLR values on different types of process addresses.

<code c>
// gcc addresses.c -no-pie -fno-pie -ldl
#include <stdio.h>
#include <stdlib.h>
#include <dlfcn.h>

int main() {
    int stack;                          // local variable: lives on the stack
    int *heap = malloc(sizeof(int));    // dynamic allocation: lives on the heap

    printf("executable: %p\n", (void *)&main);     // code of the executable itself
    printf("stack: %p\n", (void *)&stack);
    printf("heap: %p\n", (void *)heap);
    printf("system@plt: %p\n", (void *)&system);   // PLT stub inside the executable (-no-pie)

    void *handle = dlopen("libc.so.6", RTLD_NOW | RTLD_GLOBAL);
    printf("libc: %p\n", handle);                  // opaque dlopen handle, not the load address of libc
    printf("system: %p\n", dlsym(handle, "system")); // actual address of system() inside libc

    free(heap);
    return 0;
}
</code>

First, use a value of ''0'' during the execution.
<code bash>
$ echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
0
$ ./a.out
executable: 0x400677
stack: 0x7fffffffe21c
heap: 0x602010
system@plt: 0x400550
libc: 0x7ffff7ff59b0
system: 0x7ffff7877480
$ ./a.out
executable: 0x400677
stack: 0x7fffffffe21c
heap: 0x602010
system@plt: 0x400550
libc: 0x7ffff7ff59b0
system: 0x7ffff7877480
</code>

Clearly, all addresses are unchanged between the two executions. Enabling ASLR with the value ''1'' results in the following output.

<code bash>
$ echo 1 | sudo tee /proc/sys/kernel/randomize_va_space
1
$ ./a.out
executable: 0x400677
stack: 0x7fff0561a30c
heap: 0x602010
system@plt: 0x400550
libc: 0x7ff03b6e79b0
system: 0x7ff03af64480
$ ./a.out
executable: 0x400677
stack: 0x7fffe76dd26c
heap: 0x602010
system@plt: 0x400550
libc: 0x7f063ddf79b0
system: 0x7f063d674480
</code>

We can see that the stack and the shared library, including the ''system()'' function, are randomized. However, this is not true for the code of the executable itself, the heap and the PLT. Increase the ASLR value to ''2'' and check again.

<code bash>
$ echo 2 | sudo tee /proc/sys/kernel/randomize_va_space
2
$ ./a.out
executable: 0x400677
stack: 0x7ffde2b72b9c
heap: 0x1a5d010
system@plt: 0x400550
libc: 0x7fa0323fc9b0
system: 0x7fa031c79480
$ ./a.out
executable: 0x400677
stack: 0x7ffc594969cc
heap: 0x16c0010
system@plt: 0x400550
libc: 0x7f16da8019b0
system: 0x7f16da07e480
</code>

Now all addresses except those of the executable itself and its PLT are randomized, which is still a security risk(([[https://sploitfun.wordpress.com/2015/05/08/bypassing-aslr-part-i/|Bypassing ASLR - Part I - sploitF-U-N]])). See the chapter about [[.pie|Position-independent Executable (PIE)]] on how to further improve this situation.

Summarizing ASLR, the table below shows how the ASLR value used and the randomization of the different address types correlate, as observed in the runs above.

^ ASLR value ^ Executable ^ Stack ^ Heap ^ PLT ^ Shared libraries ^
| 0 | fixed | fixed | fixed | fixed | fixed |
| 1 | fixed | randomized | fixed | fixed | randomized |
| 2 | fixed | randomized | randomized | fixed | randomized |
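The program above prints pointers that merely lie somewhere inside each region. As an added example (not code from the original page), the program below instead reads each region's base from ''/proc/self/maps'' and counts how many address bits differ between sampled addresses, which gives a lower bound on the number of bits ASLR actually randomizes; the two stack samples are the ones observed above with ''randomize_va_space=2'', and the ''region_base''/''varying_bits'' helper names are my own.

```c
// Added example (not the original page's code): read each region's base
// from /proc/self/maps and count the address bits that vary across samples.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

// Start address of the first maps line whose name ends with `name`
// (e.g. "[stack]", "[heap]", "libc.so.6"); 0 if no such line exists.
uintptr_t region_base(const char *maps, const char *name) {
    size_t nlen = strlen(name);
    for (const char *line = maps; line && *line; ) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        if (len >= nlen && memcmp(line + len - nlen, name, nlen) == 0)
            return (uintptr_t)strtoull(line, NULL, 16);   // "start-end ..." parses up to '-'
        line = end ? end + 1 : NULL;
    }
    return 0;
}

// Number of address bits that differ across the samples: a lower bound on
// the bits ASLR randomizes for that region (more samples, tighter bound).
int varying_bits(const uintptr_t *samples, size_t n) {
    uintptr_t diff = 0;
    for (size_t i = 1; i < n; i++)
        diff |= samples[i] ^ samples[0];
    return __builtin_popcountll((unsigned long long)diff);
}

int main(void) {
    static char maps[1 << 16];            // /proc/self/maps of a small process fits easily
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) { perror("fopen"); return 1; }
    size_t n = fread(maps, 1, sizeof maps - 1, f);
    maps[n] = '\0';
    fclose(f);
    printf("heap:  %#lx\n", (unsigned long)region_base(maps, "[heap]"));
    printf("stack: %#lx\n", (unsigned long)region_base(maps, "[stack]"));
    printf("libc:  %#lx\n", (unsigned long)region_base(maps, "libc.so.6"));

    // The two stack addresses observed above with randomize_va_space=2.
    uintptr_t stack[] = { 0x7ffde2b72b9cULL, 0x7ffc594969ccULL };
    printf("stack bits varying across 2 runs: %d\n", varying_bits(stack, 2));
    return 0;
}
```

Running it several times and feeding the printed bases into ''varying_bits'' shows the per-region entropy directly, including that the executable's base stays constant without PIE.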
----

[[.stack-protection|← Back to stack protection]] [[..start|Overview]] [[.pie|Continue with Position-independent Executable (PIE) →]]