Linux and ASLR: kernel/randomize_va_space
Configuring ASLR with randomize_va_space
The Linux kernel has a defense mechanism named address space layout randomization (ASLR). This setting is tunable with the randomize_va_space setting. Before making changes to this setting, it is good to understand what this Linux security measure actually does and how it works.
In 2001 the term ASLR was first introduced as a patch to the Linux kernel. Its main goal was to randomize memory segments to make abuse by malicious programs harder. A normal program consists of several components, which are loaded into memory and flagged with special properties. Some pieces of the program are executable bits, others are normal data. Before going into these properties, let’s first determine the main goal of a program. Simply said, it should have a start procedure, maintain itself, and finally end. For some programs this whole cycle can take milliseconds, others may take years to complete. It all depends on the program, its stability and how often a system is rebooted.
Guarding against malicious software attacks
While the program runs in memory, we want it to be protected against more evil programs. One of the tricks they use is hijacking the stack pointer. This is a like a traffic agent stating where to go next. Evil programs want to abuse this and perform a redirection trick to insert malicious code into a running program. For this reason, programs have different sections and should be properly flagged in the memory. A section where only normal data is stored should be marked as non-executable. Executable code that does not dynamically change, should be flagged as read-only, etc.
Besides the mentioned protection mechanisms, we can add another layer and defend against memory misuse. This layer is randomization of virtual address space. For this to work, the binaries running on the system should be a position-independent executable. This means it does not require static memory addresses to fulfill its duties. Since many years this feature is common, which enabled the kernel to apply memory randomization.
Default randomize_va_space setting
Modern Linux kernels have ASLR enabled by default with the specific value 2.
Normally you might expect a value of 0 (disabled), or 1 (enabled). In the case of the randomize_va_space setting, this is true as well. When setting the value to 1, address space is randomized. This includes the positions of the stack itself, virtual dynamic shared object (VDSO) page, and shared memory regions. Setting the option to value 2 will be similar to 1, and add data segments as well. For most systems, this setting is the default and the most secure setting.
Note: some older platforms do not support this setting.
If you want to change the value, it can be done temporarily or permanently. One option is to set the value via the pseudo proc file system. You need to be root to change this setting.
echo 2 > /proc/sys/kernel/randomize_va_space
Another option to temporarily change the setting is via the sysctl command.
sysctl -w kernel.randomize_va_space=2
To make this setting permanent and active after a system reboot, add the option to /etc/sysctl.conf.
Note: kernel hardening is a good way to improve the security defenses of a Linux system. To perform a security scan in this area, you can use the open source tool Lynis. It includes the scanning of kernel settings and sees if they are already tuned.
If you temporarily want to disable, you can set the value to zero with the instructions above. If you just want to test for a single program you can use the
setarch command. This leverages a so-called personality flag.
setarch `uname -m` -R /root/mybinary
The -R option disables the randomization of the virtual address space by turning on ADDR_NO_RANDOMIZE. This option allows programs to disable ASLR and run without any randomization.
If you are doing research (e.g. to test how buffer overflows work), keep in mind that also the compiler has some protection mechanisms in place. If you found this page to achieve that, then use this disable stack protection during compilation.
gcc -fno-stack-protector -z execstack -o program program.c
More tunables via sysctl
Are you looking to perform additional kernel hardening of your Linux system? Have a look at the knowledge base section sysctl on the Linux Security Expert website.