Tuesday, 10 February 2015

Virtual Address Space Layout Randomization in Linux Kernel aka ASLR


ASLR (Address Space Layout Randomization) is a security feature that has been built into almost all the major operating systems. In Linux, it was built in around the year 2005. ASLR is what you might call an additional layer of security for the kernel. It has been implemented in kernels >= 2.6, and all kernels now support it.

What does ASLR actually do?

Before ASLR, every time a program was executed, the stack was loaded at the same memory address, which made exploitation, or execution of shellcode, easier in buffer overflow attacks. ASLR randomizes the memory address at which the stack is loaded, so every time you execute a program the stack is placed at a random memory address instead of the same exact one.

If you look at the kernel setting "randomize_va_space" inside the "/proc/sys/kernel" directory, you will see whether the protection is enabled. It takes one of three values:

0: No randomization of address space.

1: Conservative address space randomization.
   Code start register will be randomized.

2: Full address space randomization.
   Includes everything in value 1; in addition, the brk area is randomized.

By default, it should be set to 2, but you can switch it to 0 or 1 depending on your needs.



In both these pictures the same program has been executed two different times and both of the times the address for the stack has been randomly generated.
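
The same comparison can be reproduced with a short C program (an added example, not code from the original post; the helper names read_aslr_mode and parse_region are illustrative). It prints the current randomize_va_space value and the start of this process's [stack] and [heap] mappings as listed in /proc/self/maps, where [heap] is the brk area.

```c
/* Added example (helper names are illustrative): ASLR mode + stack/heap bases. */
#include <stdio.h>
#include <string.h>

/* Read the mode (0, 1 or 2) from a sysctl file; -1 if unreadable or out of range. */
int read_aslr_mode(const char *path) {
    FILE *f = fopen(path, "r");
    int mode = -1;
    if (!f)
        return -1;
    if (fscanf(f, "%d", &mode) != 1 || mode < 0 || mode > 2)
        mode = -1;
    fclose(f);
    return mode;
}

/* If `line` (one line of /proc/<pid>/maps) describes the mapping named `label`,
 * store its start address in *start and return 1; otherwise return 0. */
int parse_region(const char *line, const char *label, unsigned long *start) {
    unsigned long lo, hi;
    if (!strstr(line, label))
        return 0;
    if (sscanf(line, "%lx-%lx", &lo, &hi) != 2 || lo >= hi)
        return 0;
    *start = lo;
    return 1;
}

int main(void) {
    char line[512];
    unsigned long addr;
    int mode = read_aslr_mode("/proc/sys/kernel/randomize_va_space");
    FILE *maps = fopen("/proc/self/maps", "r");

    printf("randomize_va_space = %d\n", mode);
    if (!maps) {
        perror("/proc/self/maps");
        return 1;
    }
    while (fgets(line, sizeof line, maps)) {
        if (parse_region(line, "[stack]", &addr))
            printf("stack starts at 0x%lx\n", addr);
        if (parse_region(line, "[heap]", &addr))
            printf("heap (brk area) starts at 0x%lx\n", addr);
    }
    fclose(maps);
    return 0;
}
```

Run the compiled program twice and compare the printed addresses; with the setting at 0 they stay the same from run to run.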
