Linux and ASLR: kernel/randomize_va_space

Configuring ASLR with randomize_va_space

The Linux kernel has a defense mechanism named address space layout randomization (ASLR). This setting is tunable with the randomize_va_space setting. Before making changes to this setting, it is good to understand what this Linux security measure does.

Understanding ASLR

In 2001 the term ASLR was first introduced as a patch to the Linux kernel. Its main goal was to randomize memory segments to make abuse by malicious programs harder. A normal program consists of several components, which are loaded into memory and flagged with special properties. Some pieces of the program are executable bits, others are normal data. Before going into these properties, let’s first determine the main goal of a program. Simply said, it should have a start procedure, maintain itself, and finally end. For some programs this whole cycle can take milliseconds, others may take years to complete. It all depends on the program, its stability and how often a system is rebooted.

Guarding against malicious software attacks

While the program runs in memory, we want it to be protected against more evil programs. One of the tricks they use is hijacking the stack pointer. This is a like a traffic agent stating where to go next. Evil programs want to abuse this and perform a redirection trick to insert malicious code into a running program. For this reason, programs have different sections and should be properly flagged in the memory. A section where only normal data is stored should be marked as non-executable. Executable code that does not dynamically change, should be flagged as read-only, etc.

Memory randomization

Besides the mentioned protection mechanisms, we can add another layer and defend against memory misuse. This layer is randomization of virtual address space. For this to work, the binaries running on the system should be a position-independent executable. This means it does not require static memory addresses to fulfill its duties. Since many years this feature is common, which enabled the kernel to apply memory randomization.

Default randomize_va_space setting

Modern Linux kernels have ASLR enabled by default with the specific value 2.

Output of sysctl kernel.randomize_va_space

Normally you might expect a value of 0 (disabled), or 1 (enabled). In the case of the randomize_va_space setting, this is true as well. When setting the value to 1, address space is randomized. This includes the positions of the stack itself, virtual dynamic shared object (VDSO) page, and shared memory regions. Setting the option to value 2 will be similar to 1, and add data segments as well. For most systems, this setting is the default and the most secure setting.

Note: some older platforms do not support this setting.

Configure randomize_va_space

If you want to change the value, it can be done temporarily or permanently. One option is to set the value via the pseudo proc file system. You need to be root to change this setting.

echo 2 > /proc/sys/kernel/randomize_va_space

Another option to temporarily change the setting is via the sysctl command.

sysctl -w kernel.randomize_va_space=2

 

To make this setting permanent and active after a boot, add the option to /etc/sysctl.conf.

Disable ASLR

If you temporarily want to disable, you can set the value to zero with the instructions above. If you just want to test for a single program, as part of research, you can use the setarch command. This leverages a so-called personality flag.

setarch `uname -m` -R /bin/bash

The -R disables the randomization of the virtual address space by turning on ADDR_NO_RANDOMIZE. This option allows programs to disable ASLR and run without any randomization.

If you are performing researching (e.g. to test how buffer overflows work), keep in mind that also the compiler has some protection mechanisms in place. If you found this page to achieve that, then use this disable stack protection during compilation.

gcc -fno-stack-protector -z execstack -o program program.c

 

Lynis Enterprise

Lynis Enterprise screenshot to help with system hardening

This blog post is part of our Linux security series and the mission to get Linux and Unix-based systems more secure.

Does system hardening take a lot of time, or do you have any compliance in your company? Have a look at Lynis Enterprise.

Or start today with the open source security scanner Lynis (GitHub)


2 comments

  • Marcin PohlMarcin Pohl

    https://gcc.gnu.org/wiki/Randomization this talks about the -L flag, legacy memory layout. Do you know how does that come into play with ASLR?

    Reply
    • It enables an older way of mapping the memory, in a more “flat” way from the time that randomization was not considered important yet as a defensive mechanism. This flag you probably will never use, unless testing your home-brewed buffer overflows :)

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *