Saturday, March 8, 2014

Linux Address space layout randomization (ASLR) Example

The mainline Linux kernel has shipped address space layout randomization (ASLR) since version 2.6.12 (earlier kernels had it only through out-of-tree patches such as PaX). ASLR is a mitigation, not a fix: it does not stop a buffer overflow from happening, but it randomizes where the stack, heap, shared libraries and (for position-independent executables) the program itself are mapped on every run, so an attacker cannot rely on a fixed address for a return target, a library function or injected data. The effect can be seen by reviewing the memory map (/proc/PID/maps) of the same program run twice: the memory locations differ between the two runs.

user@ubuntu:/proc/26709$ more maps
08048000-08049000 r-xp 00000000 08:01 1212250    /home/user/GDB/tst4
08049000-0804a000 r--p 00000000 08:01 1212250    /home/user/GDB/tst4
0804a000-0804b000 rw-p 00001000 08:01 1212250    /home/user/GDB/tst4
b75bd000-b75be000 rw-p 00000000 00:00 0
b75be000-b7762000 r-xp 00000000 08:01 1461785    /lib/i386-linux-gnu/libc-2.15.so
b7762000-b7763000 ---p 001a4000 08:01 1461785    /lib/i386-linux-gnu/libc-2.15.so
b7763000-b7765000 r--p 001a4000 08:01 1461785    /lib/i386-linux-gnu/libc-2.15.so
b7765000-b7766000 rw-p 001a6000 08:01 1461785    /lib/i386-linux-gnu/libc-2.15.so
b7766000-b7769000 rw-p 00000000 00:00 0
b777f000-b7782000 rw-p 00000000 00:00 0
b7782000-b7783000 r-xp 00000000 00:00 0          [vdso]
b7783000-b77a3000 r-xp 00000000 08:01 1461799    /lib/i386-linux-gnu/ld-2.15.so
b77a3000-b77a4000 r--p 0001f000 08:01 1461799    /lib/i386-linux-gnu/ld-2.15.so
b77a4000-b77a5000 rw-p 00020000 08:01 1461799    /lib/i386-linux-gnu/ld-2.15.so
bfccf000-bfcf0000 rw-p 00000000 00:00 0          [stack]

When the same program tst4 is run a second time, its memory map shows different addresses,
as seen below.

user@ubuntu:/proc/28246$ more maps
08048000-08049000 r-xp 00000000 08:01 1212250    /home/user/GDB/tst4
08049000-0804a000 r--p 00000000 08:01 1212250    /home/user/GDB/tst4
0804a000-0804b000 rw-p 00001000 08:01 1212250    /home/user/GDB/tst4
b759b000-b759c000 rw-p 00000000 00:00 0
b759c000-b7740000 r-xp 00000000 08:01 1461785    /lib/i386-linux-gnu/libc-2.15.so
b7740000-b7741000 ---p 001a4000 08:01 1461785    /lib/i386-linux-gnu/libc-2.15.so
b7741000-b7743000 r--p 001a4000 08:01 1461785    /lib/i386-linux-gnu/libc-2.15.so
b7743000-b7744000 rw-p 001a6000 08:01 1461785    /lib/i386-linux-gnu/libc-2.15.so
b7744000-b7747000 rw-p 00000000 00:00 0
b775d000-b7760000 rw-p 00000000 00:00 0
b7760000-b7761000 r-xp 00000000 00:00 0          [vdso]
b7761000-b7781000 r-xp 00000000 08:01 1461799    /lib/i386-linux-gnu/ld-2.15.so
b7781000-b7782000 r--p 0001f000 08:01 1461799    /lib/i386-linux-gnu/ld-2.15.so
b7782000-b7783000 rw-p 00020000 08:01 1461799    /lib/i386-linux-gnu/ld-2.15.so
bfb6a000-bfb8b000 rw-p 00000000 00:00 0          [stack]



Notice that the [stack], libc, ld.so and [vdso] mappings have moved between the two runs of the same program with ASLR enabled. Notice also what did not move: the tst4 binary itself is mapped at 08048000 in both runs, because it was not built as a position-independent executable (gcc -fPIE -pie). A non-PIE binary keeps its code and data at fixed addresses even with ASLR enabled, which still gives an attacker predictable addresses to work with (for example for return-oriented programming against the binary's own code), so ASLR only protects the whole address space when executables are built as PIE.

The linux kernel version can be found by typing

%uname -a
Linux ubuntu 3.5.0-46-generic #70-Ubuntu SMP xxx xx:xx:xx UTC 2014 i686 i686 i686 GNU/Linux

We can disable ASLR in modern Linux kernels by changing the value of /proc/sys/kernel/randomize_va_space from 2 to 0 (0 = no randomization, 1 = randomize stack, vdso and shared libraries, 2 = additionally randomize the heap/brk; 2 is the default). Writing the file requires root, which is why the transcript below switches to a root shell first; `sysctl -w kernel.randomize_va_space=0` is the equivalent command. Note that this change is system-wide and takes effect immediately for newly started processes, but it is not persistent across a reboot unless added to /etc/sysctl.conf. Disabling ASLR weakens every process on the machine, so only do this on a lab or debugging system; for debugging a single program prefer a per-process option such as `setarch $(uname -m) -R ./tst4` or gdb, which disables randomization for the debugged process by default.
 user@ubuntu:/proc/sys/kernel$ sudo -i
root@ubuntu:~# echo "0" >/proc/sys/kernel/randomize_va_space
root@ubuntu:~# cat /proc/sys/kernel/randomize_va_space
 0

Now we can re-run our tst4 program twice and it should be mapped at the same addresses both times; compare the two /proc/PID/maps listings below, which are identical line for line.


user@ubuntu:/proc$ ps -aux |grep tst4
user 27044  0.0  0.1  10704  3344 pts/13   S+   Mar07   0:00 vi tst4.c
user  29073  0.0  0.0   2012   280 pts/12   S+   00:50   0:00 ./tst4 9 7
user  29084  0.0  0.0   4396   820 pts/2    S+   00:50   0:00 grep --color=auto tst4

user@ubuntu:/proc$ more /proc/29073/maps
08048000-08049000 r-xp 00000000 08:01 1212250    /home/user/GDB/tst4
08049000-0804a000 r--p 00000000 08:01 1212250    /home/user/GDB/tst4
0804a000-0804b000 rw-p 00001000 08:01 1212250    /home/user/GDB/tst4
b7e18000-b7e19000 rw-p 00000000 00:00 0
b7e19000-b7fbd000 r-xp 00000000 08:01 1461785    /lib/i386-linux-gnu/libc-2.15.so
b7fbd000-b7fbe000 ---p 001a4000 08:01 1461785    /lib/i386-linux-gnu/libc-2.15.so
b7fbe000-b7fc0000 r--p 001a4000 08:01 1461785    /lib/i386-linux-gnu/libc-2.15.so
b7fc0000-b7fc1000 rw-p 001a6000 08:01 1461785    /lib/i386-linux-gnu/libc-2.15.so
b7fc1000-b7fc4000 rw-p 00000000 00:00 0
b7fda000-b7fdd000 rw-p 00000000 00:00 0
b7fdd000-b7fde000 r-xp 00000000 00:00 0          [vdso]
b7fde000-b7ffe000 r-xp 00000000 08:01 1461799    /lib/i386-linux-gnu/ld-2.15.so
b7ffe000-b7fff000 r--p 0001f000 08:01 1461799    /lib/i386-linux-gnu/ld-2.15.so
b7fff000-b8000000 rw-p 00020000 08:01 1461799    /lib/i386-linux-gnu/ld-2.15.so
bffdf000-c0000000 rw-p 00000000 00:00 0          [stack]

user@ubuntu:/proc$ ps -aux|grep tst4
user 27044  0.0  0.1  10704  3344 pts/13   S+   Mar07   0:00 vi tst4.c
user 29107  0.0  0.0   2012   280 pts/12   S+   00:51   0:00 ./tst4 9 7
user 29116  0.0  0.0   4396   820 pts/2    S+   00:51   0:00 grep --color=auto tst4

user@ubuntu:/proc$ more /proc/29107/maps
08048000-08049000 r-xp 00000000 08:01 1212250    /home/user/GDB/tst4
08049000-0804a000 r--p 00000000 08:01 1212250    /home/user/GDB/tst4
0804a000-0804b000 rw-p 00001000 08:01 1212250    /home/user/GDB/tst4
b7e18000-b7e19000 rw-p 00000000 00:00 0
b7e19000-b7fbd000 r-xp 00000000 08:01 1461785    /lib/i386-linux-gnu/libc-2.15.so
b7fbd000-b7fbe000 ---p 001a4000 08:01 1461785    /lib/i386-linux-gnu/libc-2.15.so
b7fbe000-b7fc0000 r--p 001a4000 08:01 1461785    /lib/i386-linux-gnu/libc-2.15.so
b7fc0000-b7fc1000 rw-p 001a6000 08:01 1461785    /lib/i386-linux-gnu/libc-2.15.so
b7fc1000-b7fc4000 rw-p 00000000 00:00 0
b7fda000-b7fdd000 rw-p 00000000 00:00 0
b7fdd000-b7fde000 r-xp 00000000 00:00 0          [vdso]
b7fde000-b7ffe000 r-xp 00000000 08:01 1461799    /lib/i386-linux-gnu/ld-2.15.so
b7ffe000-b7fff000 r--p 0001f000 08:01 1461799    /lib/i386-linux-gnu/ld-2.15.so
b7fff000-b8000000 rw-p 00020000 08:01 1461799    /lib/i386-linux-gnu/ld-2.15.so
bffdf000-c0000000 rw-p 00000000 00:00 0          [stack]

