ASLR
1 Abstract
Address Space Layout Randomization (ASLR) is a mitigation against code injection and related memory-corruption exploits. It weakens attacks based on stack smashing, heap overflow, and the like, in which the exploit must know the addresses of code and data inside the target process.
2 ASLR
- ASLR is implemented in all modern operating systems: Linux (and Android), Windows, macOS, …
- It depends heavily on virtual memory, linking, and loading details.
- The value stored in
/proc/sys/kernel/randomize_va_space
controls whether the Linux kernel applies this idea.
- A value of 0 indicates disabled.
- A value of 1 indicates enabled. The addresses of the stack, the virtual dynamic shared object (VDSO) page, and shared memory regions (mmap) are randomized.
- A value of 2 is similar to 1, but memory managed through brk() (the heap) is also randomized.
- Use
sysctl -w kernel.randomize_va_space=2
to enable it. This is the most secure setting.
- View the memory map of process 1:
more /proc/1/maps
2.1 Stack Top Randomization
Compile
gcc -o stacktop stacktop.c -Wall
and invoke the resulting program repeatedly. The file stacktop.c:
#include <stdio.h>
int main() {
    /* a function pointer is cast to void * before printing with %p */
    printf("address of main: %p\n", (void *) main);
    return 0;
}
- Each invocation shows a different address for main.
- The classic buffer overflow exploit of Aleph One ("Smashing the Stack for Fun and Profit") depends on knowing this stack top. Randomizing it mitigates the attack.
2.2 Position Independent Execution/Code (PIE/PIC)
- Consider the machine code compiled for a procedure/function M(…) of a program P. Program P can be compiled so that it does not depend on a specific address for M. So, wherever the methods of P are loaded at run time, P will work the same, assuming that appropriate linking was done.
- The discovery of the addresses of the methods M of P becomes harder.
- A code injection exploit depends on knowing these addresses.
- GCC by default constructs programs with PIE enabled, as if
-pie -fPIE
were given on the command line.
- Refresher: look up
man system
("execute a shell command").
Compile and run the following file, named
pie.c
in two ways:
gcc -o pie pie.c -Wall
gcc -o pie pie.c -no-pie -fno-PIE -Wall
The file pie.c:
#include <stdio.h>
#include <stdlib.h> /* for system(...) */
int main() {
    /* a function pointer is cast to void * before printing with %p */
    printf("address of libc method system() == %p\n", (void *) system);
    return 0;
}
The standard command
file
can tell us whether a binary is PIE or not. Example:
file /bin/ls
/bin/ls: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=2f15ad836be3339dec0e2e6a3c637e08e48aacbd, for GNU/Linux 3.2.0, stripped
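The claims in 2.1 and 2.2 can be checked against /proc/PID/maps directly. The following Python script is an added example, not part of these notes: it parses two maps snapshots of the same program and reports which regions moved between runs. The two snapshots below are constructed sample data for a non-PIE binary (the path /home/u/pie and all addresses are made up); on a real system, replace them with the contents of /proc/<pid>/maps from two separate runs.

```python
import re
from typing import Dict, List

# Constructed /proc/PID/maps snapshots for two runs of a NON-PIE binary.
# These are illustrative sample lines, not captured from a real system.
RUN_A = """\
00400000-00401000 r--p 00000000 08:01 1234 /home/u/pie
00401000-00402000 r-xp 00001000 08:01 1234 /home/u/pie
01e3a000-01e5b000 rw-p 00000000 00:00 0 [heap]
7f1c2a000000-7f1c2a022000 r--p 00000000 08:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7f1c2a022000-7f1c2a1b9000 r-xp 00022000 08:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd5c3e0000-7ffd5c401000 rw-p 00000000 00:00 0 [stack]
7ffd5c4f2000-7ffd5c4f4000 r-xp 00000000 00:00 0 [vdso]
"""
RUN_B = """\
00400000-00401000 r--p 00000000 08:01 1234 /home/u/pie
00401000-00402000 r-xp 00001000 08:01 1234 /home/u/pie
0211b000-0213c000 rw-p 00000000 00:00 0 [heap]
7f9a0e400000-7f9a0e422000 r--p 00000000 08:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7f9a0e422000-7f9a0e5b9000 r-xp 00022000 08:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffc1a9d0000-7ffc1a9f1000 rw-p 00000000 00:00 0 [stack]
7ffc1aa3e000-7ffc1aa40000 r-xp 00000000 00:00 0 [vdso]
"""

# Fields of a maps line: start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\d+\s*(.*)$")

def region_bases(maps_text: str) -> Dict[str, int]:
    """Map each named region (pathname or [heap]/[stack]/[vdso]) to its lowest start address."""
    bases: Dict[str, int] = {}
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m or not m.group(4):
            continue  # skip anonymous, unnamed mappings
        start, name = int(m.group(1), 16), m.group(4)
        bases[name] = min(bases.get(name, start), start)
    return bases

def compare_runs(maps_a: str, maps_b: str) -> Dict[str, bool]:
    """For each region present in both runs, True if its base moved (i.e. was randomized)."""
    a, b = region_bases(maps_a), region_bases(maps_b)
    return {name: a[name] != b[name] for name in a if name in b}

def fixed_regions(maps_a: str, maps_b: str) -> List[str]:
    """Regions whose base did NOT move; with randomize_va_space=2 this should be only a non-PIE executable."""
    return sorted(name for name, moved in compare_runs(maps_a, maps_b).items() if not moved)

if __name__ == "__main__":
    for name, moved in compare_runs(RUN_A, RUN_B).items():
        print(f"{name:45s} {'randomized' if moved else 'FIXED'}")
```

With the sample data, the stack, heap, libc, and VDSO all move while the executable itself stays at 0x400000, which is exactly what a -no-pie build looks like under randomize_va_space=2.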
2.3 ASLR Effectiveness
- A side-channel attack utilizing the branch target buffer was demonstrated to bypass ASLR protection. In 2017, an attack named "ASLR + Cache" was demonstrated which could defeat ASLR in a web browser using JavaScript.
- How effective is ASLR on Linux systems? https://securityetalii.es/2013/02/03/how-effective-is-aslr-on-linux-systems/ Several Linux distros do not build their binaries with PIE enabled.
3 ASLR in Android
- Android introduced ASLR progressively from Jelly Bean onwards.
- Android framework component: Zygote, and its replacement Morula, use ASLR.
- Joshua Drake, Stagefright: Scary Code in the Heart of Android, 85 slides, Black Hat USA, Aug 2015. Despite ASLR, libstagefright opened up an attack surface. Recommended Reading.
4 References
- https://en.wikipedia.org/wiki/Address_space_layout_randomization Required Reading.
- Shacham, Hovav, Matthew Page, Ben Pfaff, Eu-Jin Goh, Nagendra Modadugu, and Dan Boneh. "On the Effectiveness of Address-Space Randomization." In Proceedings of the 11th ACM Conference on Computer and Communications Security, pp. 298-307. ACM, 2004. PDF. Recommended Reading.
- Hector Marco-Gisbert and Ismael Ripoll-Ripoll. "return-to-csu: A New Method to Bypass 64-bit Linux ASLR." blackhat.com, Black Hat Asia 2018. PDF. Reference.
- https://github.com/RPISEC/MBE Modern Binary Exploitation, CSCI 4968, RPI, NY, 2015. Recommended Visit.
- Dmitry Evtyushkin, Dmitry Ponomarev, and Nael Abu-Ghazaleh. "Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR." http://www.cs.ucr.edu/~nael/pubs/micro16.pdf Reference.
4.1 Slides on ASLR
- Vitaly Shmatikov, http://www.cs.utexas.edu/~shmat/courses/cs380s_fall09/04aslr.pdf 2009 | [This pdf with my (pmateti) scribbled-in notes: ./04aslr-pm.pdf] 30 slides. Required Reading.
- http://security.cs.rpi.edu/courses/binexp-spring2015/lectures/15/09_lecture.pdf 65+ slides. Modern Binary Exploitation, CSCI 4968, RPI.edu, Spring 2015, Patrick Biernat. Alternate Required Reading.
- http://www.cs.ucr.edu/~csong/seclab/17/l/lab06-aslr/slides.pdf Chengyu Song; 20 slides. Alternate Required Reading.