User:JM01085758/aslr
Address space layout randomization
Address space layout randomization (ASLR) randomizes the memory addresses of processes in an attempt to make exploitation of vulnerabilities via buffer overflow more difficult. Its effectiveness is reduced if a program's randomized memory layout is in some way predictable, if variations in memory layout don't affect a given exploitation technique, or if an attacker is able to make many attempts. As with all entropy-based statistical defense methods, brute force could (in principle) overcome it eventually. In user space, incorrect guesses usually result in the application crashing.
The idea originated in 2001 with the PaX project.[1] ASLR in some form has been enabled by default since kernel 2.6.12.[2][3][4][5]
The 2019 article Address Space Layout Randomization Next Generation[6] provides one of the best overviews of current approaches, vulnerabilities, and proposed improvements. Implementations can vary with respect to what is randomized, how often, and to what extent. The need for program memory to grow and shrink at runtime negatively affects entropy, and huge pages especially have low entropy. Another major issue is the inheriting of parent process memory layout by child processes. The paper outlines a proposal for ASLR-NG (Next Generation) which pre-reserves memory and divides memory objects into zones to overcome many of these issues.
Position-independent executables
A position-independent executable[7] (PIE) is compiled such that it can be located anywhere in memory and still execute correctly. Without this, ASLR protection has no effect.[8] Gentoo Hardened GCC profiles do this automatically (see Automatic generation of Position Independent Executables).
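A quick way to confirm that a given binary was really built as a PIE, rather than trusting the toolchain profile, is to look at its ELF header. The script below is an added example, not code from this wiki page or from Gentoo: it reads e_type directly with od (so it works where readelf or file are not installed), reports EXEC for a fixed-address executable and PIE for an ET_DYN object that requests a dynamic loader via a PT_INTERP program header, and carries a constructed ELF64 stub generator purely as sample input. The labels it prints (not-elf, EXEC, PIE, DYN-noninterp, other) are this example's own naming; a static-pie binary is ET_DYN without PT_INTERP and is reported as DYN-noninterp.

```shell
#!/bin/sh
# Added example (not from the wiki page): classify an ELF file by reading its
# header, so the check does not depend on readelf or file being present.
# ET_EXEC (2) is loaded at a fixed address; ET_DYN (3) with a PT_INTERP program
# header is a dynamically linked PIE that ASLR can relocate. Needs only od/dd.

ELF_ORDER=1   # set per file from e_ident[EI_DATA]: 1 = little-endian, 2 = big-endian

# rd_uint FILE OFFSET N: read N bytes at OFFSET as an unsigned integer in the file's byte order.
rd_uint() {
    val=0; mult=1
    for b in $(od -An -tu1 -j"$2" -N"$3" "$1"); do
        if [ "$ELF_ORDER" -eq 1 ]; then
            val=$(( val + b * mult )); mult=$(( mult * 256 ))
        else
            val=$(( val * 256 + b ))
        fi
    done
    echo "$val"
}

# elf_kind FILE: print one of not-elf, EXEC, PIE, DYN-noninterp, other.
elf_kind() {
    f=$1
    set -- $(od -An -tu1 -N4 "$f" 2>/dev/null)
    [ "$1 $2 $3 $4" = "127 69 76 70" ] || { echo not-elf; return; }   # "\177ELF"
    class=$(od -An -tu1 -j4 -N1 "$f" | tr -d ' ')       # 1 = ELF32, 2 = ELF64
    ELF_ORDER=$(od -An -tu1 -j5 -N1 "$f" | tr -d ' ')
    case $(rd_uint "$f" 16 2) in                         # e_type
        2) echo EXEC; return ;;    # fixed address: the executable itself is never randomized
        3) ;;                      # ET_DYN: decide below whether it is a PIE or a library
        *) echo other; return ;;   # ET_REL, ET_CORE, ...
    esac
    if [ "$class" -eq 2 ]; then   # ELF64 header layout
        phoff=$(rd_uint "$f" 32 8); phentsize=$(rd_uint "$f" 54 2); phnum=$(rd_uint "$f" 56 2)
    else                          # ELF32 header layout
        phoff=$(rd_uint "$f" 28 4); phentsize=$(rd_uint "$f" 42 2); phnum=$(rd_uint "$f" 44 2)
    fi
    i=0
    while [ "$i" -lt "$phnum" ]; do
        # p_type is the first 4 bytes of every program header; 3 = PT_INTERP
        if [ "$(rd_uint "$f" $(( phoff + i * phentsize )) 4)" -eq 3 ]; then
            echo PIE; return
        fi
        i=$(( i + 1 ))
    done
    echo DYN-noninterp   # shared library or static-pie: ET_DYN, but no dynamic loader requested
}

zeros() { dd if=/dev/zero bs=1 count="$1" 2>/dev/null; }

# make_elf64_stub ETYPE PTYPE OUT: constructed sample input only (not loadable).
# Writes a 64-byte little-endian ELF64 header plus one 56-byte program header.
# ETYPE is e_type as an octal escape (\002 = EXEC, \003 = DYN); PTYPE is the
# program header's p_type (\001 = LOAD, \003 = INTERP).
make_elf64_stub() {
    etype=$1; ptype=$2; out=$3
    {
        printf '\177ELF\002\001\001'; zeros 9          # e_ident: ELF64, little-endian, version 1
        printf "$etype"'\000'                          # e_type
        printf '\076\000\001\000\000\000'              # e_machine = x86-64 (62), e_version = 1
        zeros 8                                        # e_entry
        printf '\100'; zeros 7                         # e_phoff = 64 (right after the header)
        zeros 12                                       # e_shoff, e_flags
        printf '\100\000\070\000\001\000\100\000'      # e_ehsize=64 e_phentsize=56 e_phnum=1 e_shentsize=64
        zeros 4                                        # e_shnum, e_shstrndx
        printf "$ptype"; zeros 55                      # program header: p_type, then the remaining bytes
    } > "$out"
}

# Usage: sh pie-check.sh FILE...   (prints "FILE: KIND" per argument)
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(elf_kind "$f")"
done
```

Where binutils is installed, readelf -h FILE | grep Type shows the same e_type field; this script exists for minimal or rescue environments and to make the EXEC/PIE distinction explicit in a form other scripts can consume.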
Kernel ASLR
Kernel address space layout randomization (KASLR) was added in 3.14 and randomizes the physical and virtual addresses where the kernel image is decompressed at boot.[9] It is not currently compatible with hibernation.[10][11][12]
KASLR can be disabled at boot by passing nokaslr to the kernel command line.[13][14] For example, in GRUB:
GRUB_CMDLINE_LINUX="nokaslr"
Checking if ASLR is enabled
In the kernel
root # cat /proc/sys/kernel/randomize_va_space
- 0 — Disabled
- 1 — Conservative Randomization (Shared libraries, stack, mmap(), VDSO and heap)[15]
- 2 — Full Randomization
A script for this can be found here.[16]
Another way to check is:
root # sysctl -a --pattern randomize
kernel.randomize_va_space = 2
For an executable
The command ldd can be used to print the modules/libraries a program depends on, along with their current location in memory.[17] As the dependencies are loaded each time ldd is run, running it twice with the same program should display different locations in memory when ASLR/PIE are enabled. For example:
root # ldd /bin/alacritty
	linux-vdso.so.1 (0x00007ffe07db9000)
	libfreetype.so.6 => /usr/lib64/libfreetype.so.6 (0x00007ff276b05000)
	libfontconfig.so.1 => /usr/lib64/libfontconfig.so.1 (0x00007ff2772d1000)
	libgcc_s.so.1 => /usr/lib/gcc/x86_64-pc-linux-gnu/13/libgcc_s.so.1 (0x00007ff2772ac000)
	libm.so.6 => /usr/lib64/libm.so.6 (0x00007ff276a24000)
	libc.so.6 => /usr/lib64/libc.so.6 (0x00007ff276841000)
	libz.so.1 => /usr/lib64/libz.so.1 (0x00007ff277292000)
	libbz2.so.1 => /usr/lib64/libbz2.so.1 (0x00007ff27727c000)
	libpng16.so.16 => /usr/lib64/libpng16.so.16 (0x00007ff276806000)
	libbrotlidec.so.1 => /usr/lib64/libbrotlidec.so.1 (0x00007ff27726d000)
	libexpat.so.1 => /usr/lib64/libexpat.so.1 (0x00007ff2767da000)
	/lib64/ld-linux-x86-64.so.2 (0x00007ff277369000)
	libbrotlicommon.so.1 => /usr/lib64/libbrotlicommon.so.1 (0x00007ff2767b6000)
vs.
root # ldd /bin/alacritty
	linux-vdso.so.1 (0x00007ffea35ea000)
	libfreetype.so.6 => /usr/lib64/libfreetype.so.6 (0x00007f3075d05000)
	libfontconfig.so.1 => /usr/lib64/libfontconfig.so.1 (0x00007f30764ae000)
	libgcc_s.so.1 => /usr/lib/gcc/x86_64-pc-linux-gnu/13/libgcc_s.so.1 (0x00007f3076489000)
	libm.so.6 => /usr/lib64/libm.so.6 (0x00007f3075c24000)
	libc.so.6 => /usr/lib64/libc.so.6 (0x00007f3075a41000)
	libz.so.1 => /usr/lib64/libz.so.1 (0x00007f307646f000)
	libbz2.so.1 => /usr/lib64/libbz2.so.1 (0x00007f3076459000)
	libpng16.so.16 => /usr/lib64/libpng16.so.16 (0x00007f3075a06000)
	libbrotlidec.so.1 => /usr/lib64/libbrotlidec.so.1 (0x00007f30759f7000)
	libexpat.so.1 => /usr/lib64/libexpat.so.1 (0x00007f30759cb000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f3076546000)
	libbrotlicommon.so.1 => /usr/lib64/libbrotlicommon.so.1 (0x00007f30759a7000)
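Comparing two long ldd listings by eye is error-prone, so here is an added example script (not from the wiki page) that parses the output of two runs and lists the modules whose load address changed. It embeds an abbreviated copy of the two runs above as constructed sample input, and its aslr_check_binary function runs the real ldd twice on a binary and also reports the current randomize_va_space value. One caveat worth keeping in mind: ldd only lists dependencies, so the address of the main executable itself never appears, and moving libraries show that ASLR is on but do not by themselves prove the program was built as a PIE. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the wiki page): compare two ldd runs mechanically and
# report which modules were loaded at a different address. Assumes GNU/Linux
# ldd output lines of the form "name => /path (0xADDR)" or "name (0xADDR)".

# Turn ldd output on stdin into "name address" pairs; lines without an address
# ("statically linked", "not a dynamic executable") are dropped.
ldd_addrs() {
    awk '/\(0x[0-9a-fA-F]+\)/ { a = $NF; gsub(/[()]/, "", a); print $1, a }'
}

# ldd_moved RUN1 RUN2: print the names of modules whose address differs between
# the two saved ldd outputs. No output means nothing moved.
ldd_moved() {
    { ldd_addrs < "$1"; printf '%s\n' --; ldd_addrs < "$2"; } |
    awk '$1 == "--"                        { second = 1; next }
         !second                           { first[$1] = $2; next }
         ($1 in first) && first[$1] != $2  { print $1 }'
}

ldd_moved_count() { ldd_moved "$1" "$2" | wc -l | tr -d ' '; }

# aslr_check_binary /path/to/binary: live check. Runs ldd twice, summarises how
# many modules moved, and shows the kernel-wide randomize_va_space level (with a
# fallback so the function still works where /proc is unavailable).
# Exit status is 0 when randomisation was observed.
aslr_check_binary() {
    level=$(cat /proc/sys/kernel/randomize_va_space 2>/dev/null || echo unknown)
    t1=$(mktemp); t2=$(mktemp)
    ldd "$1" > "$t1" 2>/dev/null
    ldd "$1" > "$t2" 2>/dev/null
    total=$(ldd_addrs < "$t1" | wc -l | tr -d ' ')
    moved=$(ldd_moved_count "$t1" "$t2")
    rm -f "$t1" "$t2"
    printf 'randomize_va_space=%s %s: %s of %s modules moved between runs\n' \
        "$level" "$1" "$moved" "$total"
    [ "$moved" -gt 0 ]
}

# write_samples RUN1 RUN2: constructed sample input, an abbreviated copy of the
# two ldd runs shown on this page for /bin/alacritty.
write_samples() {
    cat > "$1" <<'EOF'
        linux-vdso.so.1 (0x00007ffe07db9000)
        libm.so.6 => /usr/lib64/libm.so.6 (0x00007ff276a24000)
        libc.so.6 => /usr/lib64/libc.so.6 (0x00007ff276841000)
        /lib64/ld-linux-x86-64.so.2 (0x00007ff277369000)
EOF
    cat > "$2" <<'EOF'
        linux-vdso.so.1 (0x00007ffea35ea000)
        libm.so.6 => /usr/lib64/libm.so.6 (0x00007f3075c24000)
        libc.so.6 => /usr/lib64/libc.so.6 (0x00007f3075a41000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f3076546000)
EOF
}

# Usage: sh aslr-ldd-check.sh /path/to/binary
if [ $# -gt 0 ]; then
    aslr_check_binary "$1"
fi
```

Running the script with no argument only defines the functions, so it can be sourced from another script; with a path it performs the live two-run comparison and exits non-zero when no module moved, which is the condition an automated hardening check would flag.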
Modify ASLR at runtime
ASLR can be temporarily changed with
root # echo value > /proc/sys/kernel/randomize_va_space
or via sysctl:
root # sysctl -w kernel.randomize_va_space=value
where value is 0, 1, or 2.
Issues with programs
ASLR may cause issues with some programs. In the GNU debugger, it is disabled by default. IBM's Db2 may also have issues with it.[18]
See also
- Kernel — the core of the operating system.
- Kernel Modules — object files that contain code to extend the kernel of an operating system.
- Signed kernel module support — allows further hardening of the system by disallowing unsigned kernel modules, or kernel modules signed with the wrong key, to be loaded.
- Kernel Crash Dumps
External resources
- An abridged history of Linux kernel security — Russell Currey (Everything Open 2023)
- ASLR-NG: ASLR Next Generation
- Kernel Address Space Layout Randomization — Kees Cook, Linux Security Summit 2013[19]
- Kernel address randomization — Jonathan Corbet, 2011
- Kernel Security Is Cool Again — Casey Schaufler, linux.conf.au 2019
- Overview of the Linux Kernel Security Subsystem — James Morris, Microsoft
References
- ↑ https://web.archive.org/web/20220120211435/https://grsecurity.net/PaX-presentation.pdf
- ↑ https://www.tomshardware.com/reviews/pwn2own-mac-hack,2254-4.html
- ↑ https://lkml.iu.edu/hypermail/linux/kernel/1011.3/02674.html
- ↑ https://lkml.iu.edu/hypermail/linux/kernel/1011.3/02831.html
- ↑ https://lkml.org/lkml/2005/1/27/56
- ↑ https://www.mdpi.com/2076-3417/9/14/2928
- ↑ https://en.wikipedia.org/wiki/Position-independent_code
- ↑ https://web.archive.org/web/20210814111134/https://securityetalii.es/2013/02/03/how-effective-is-aslr-on-linux-systems/
- ↑ https://kernelnewbies.org/Linux_3.14#Kernel_address_space_randomization
- ↑ https://lwn.net/Articles/569635/
- ↑ https://bugs.launchpad.net/ubuntu/+source/linux-aws/+bug/1837469
- ↑ https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/hibernation-disable-kaslr.html
- ↑ https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
- ↑ https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/virtualization_security_guide/sect-virtualization_security_guide-guest_security-kaslr
- ↑ https://askubuntu.com/questions/318315/how-can-i-temporarily-disable-aslr-address-space-layout-randomization
- ↑ https://gist.github.com/RomainBertin/f33060720851a00e4c789831f6b99fdb
- ↑ https://man7.org/linux/man-pages/man1/ldd.1.html
- ↑ https://www.ibm.com/support/pages/various-db2-failures-may-occur-linux-address-space-layout-randomization-aslr
- ↑ https://kernsec.org/wiki/index.php/Linux_Security_Summit_2013