• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar

The Urban Penguin

The Urban Penguin - Linux Training

  • Home
  • About
  • Live Online Courses
  • Shop
  • RHCSA Guide
  • Programming
    • Master Editing Text Files Using VIM
    • Learn Shell Scripting with BASH
    • PERL Scripting in Linux
    • Ruby Scripting in Linux
    • Scripting with PowerShell
    • Learn C Programming using Linux and the Raspberry Pi
    • General Java Tutorials
    • Java 7 OCA Exam 1ZO-803
  • OS Tutorials
    • Red Hat and CentOS Training
      • Red Hat Enterprise Linux System Administration 1 – RH124
      • RHCSA – System Admin 2 – RH134
      • RHCE – EX294 – Automation With Ansible
    • Learning Ubuntu
    • LPI Training
      • LPI Linux Essentials
      • LPIC-1 Linux Administrator
      • LPIC-2 Certified Linux Engineer
      • LPIC-3 Senior Level Certification
        • LPIC-3 Exam 300 : Mixed Environments
        • LPIC-3 Exam 303 : Security
        • LPIC-3 Exam 304 : Virtualization and High Availability
    • Linux Technologies
      • Apache HTTPD Server
      • Learning PHP
      • Learning PUPPET
      • Learning SAMBA
      • Linux File-Systems
      • Monitoring with Nagios Core
      • MYSQL
      • openLDAP Directories on Linux
You are here: Home / Linux / LPIC-3 Exam 303 / ASLR – Address Space Layout Randomization

ASLR – Address Space Layout Randomization

April 23, 2018 by The Urban Penguin

ASLRLPIC-3 303 Topic 326.1

The LPIC-3 certification for Linux security wants you to be a master of managing security on a Linux system. The topic is, of course broad but one of the smaller objectives is to know how Linux protects from rogue developers and applications by randomizing application address space. This is known as ASLR or Address Space Layout Randomization. ASLR was introduced into the Linux kernel in 2005, earlier in 2004 it has been available as a patch. With memory randomization enabled the address space in which an application is randomised. Meaning that an application does not use the address space on each execution. This is standard behaviour for Linux modules as they are required to be compiled with ASLR support. For you to observe this though it most be enabled in the Kernel using the procfs. It is enabled by default in most Linux distributions if not all.

Each objective is available to view online. However if you prefer to have all the content in one place and study from an eBook then the objective ‘LPIC 3 Linux Security 326.1 Host Hardening’ is now available to download for just £0.99.

Download

View ASLR Settings

To view the current settings for ASLR on your system you can use either cat or more specifically using sysctl:

$ cat /proc/sys/kernel/randomize_va_space
2
$ sysctl -a --pattern randomize
kernel.randomize_va_space = 2

The sysctl tool is part of the Linux core-utils package and is found on all systems. Settings that sysctl can read and write to are found in the /proc/sys directory. The option -a is used to display all settings but we can drill down with the –pattern option which can take extended regular expressions as an argument.

Valid Settings

Normally these keys can take an option of 0 or 1. We see here that a value of 2 is used.

  • 0 = Disablabed
  • 1 = Conservative Randomization
  • 2 = Full Randomization

View Address Space

Using the command ldd we can view the address space of modules required by applications, these modules are dynamically loaded with the command requiring the module. The address space used is shown in brackets. We run the ldd command twice against the same command, bash. This allows us to see that the module use a different or random address space each time when ASLR is enabled.:

$ ldd /bin/bash
 linux-vdso.so.1 =>  (0x00007fff6f572000)
 libtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5 (0x00007fc1ecf16000)
 libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fc1ecd12000)
 libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fc1ec948000)
 /lib64/ld-linux-x86-64.so.2 (0x00007fc1ed13f000)
$ ldd /bin/bash
 linux-vdso.so.1 =>  (0x00007ffca6113000)
 libtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5 (0x00007f8e8dc3e000)
 libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f8e8da3a000)
 libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f8e8d670000)
 /lib64/ld-linux-x86-64.so.2 (0x00007f8e8de67000)

Disable ASLR

If we now disable ASLR memomy space will not be random and we will see the same space used each time. It is this behaviour that we want to prevent. Disabling from the CLI in this way is not persistent. we would need to add the setting to /etc/sysctl.conf to persist that setting.

$ sudo sysctl -w kernel.randomize_va_space=0
kernel.randomize_va_space = 0
$ ldd /bin/bash
 linux-vdso.so.1 =>  (0x00007ffff7ffa000)
 libtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5 (0x00007ffff7bae000)
 libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007ffff79aa000)
 libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ffff75e0000)
 /lib64/ld-linux-x86-64.so.2 (0x00007ffff7dd7000)
$ ldd /bin/bash
 linux-vdso.so.1 =>  (0x00007ffff7ffa000)
 libtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5 (0x00007ffff7bae000)
 libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007ffff79aa000)
 libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ffff75e0000)
 /lib64/ld-linux-x86-64.so.2 (0x00007ffff7dd7000)

Running the same ldd command we see now the modules use the same address space for each execution.

Applications need to be Compiled with ASLR Support

Linux modules will support ASLR if it is enabled on the system. This is because they are compiled with support for ASLR or in the complier it is called PIE, Position Independent Executable. Applications need this support enabled too, both on the server as we have seen and in the compilation. Let’s review some simple C code to display the memory address of the application:

#include <stdlib.h>
#include <stdio.h>

void* getAddr () {
 return __builtin_return_address(0)-0x5;
};

int main(int argc, char** argv){
 printf("Code located at: %p\n",getAddr());
 return 0;
}

The code is very simple and only displays the memory location of the application when it runs. We save the file as pie.c. If we compile it with the gcc, we might omit the PIE support. Let’s see what happens. First, before we forget, we will re-enable ASLR on the server and then compile the code:

$ sudo sysctl -w kernel.randomize_va_space=2
kernel.randomize_va_space = 2
$ gcc pie.c -o getAddr

We compiled this time without adding in the support or PIE, we create an executable called getAddr. See what happens now when we execute it a couple if times:

$ ./getAddr 
Code located at: 0x400548
$ ./getAddr 
Code located at: 0x400548

Even though ASLR is enabled the application does not support it and it runs in the same address space each time. To enable support in the executable we add some compiler options:

$ gcc -fPIE -pie pie.c -o getAddr
$ ./getAddr
Code located at: 0x556d528a5772
$ ./getAddr
Code located at: 0x5638beaa9772

We see now that the code runs in different address spaces. The video follows:

Share this:

  • Click to share on Twitter (Opens in new window)
  • Click to share on Facebook (Opens in new window)
  • Click to share on LinkedIn (Opens in new window)
  • Click to share on Reddit (Opens in new window)
  • Click to share on Pinterest (Opens in new window)
  • Click to share on Tumblr (Opens in new window)
  • Click to print (Opens in new window)

Filed Under: LPIC-3 Exam 303

Primary Sidebar

Newest Video

The Urban Penguin On Youtube

Products

  • Complete RHCSA 8 Study Guide Complete RHCSA 8 Study Guide £5.99
  • SELinux Guide SELinux Fundamentals in Red Hat Enterprise Linux 8 £1.99
  • Managing POSIX ACLS in Linux £0.99
  • Managing Linux File Permissions £0.99
  • Kernel Module Administration in Linux £0.99

Categories

Pages

  • About The Urban Penguin
  • Contact Us
  • Shop
    • Basket
    • Checkout
    • My Account
  • LPI Training from The Urban Penguin
    • Live and Pluralsight hosted courses
    • Complete Linux Essentials
    • LPIC-3 Senior Level Certification
      • LPIC-3 Exam 300 : Mixed Environments
      • LPIC-3 Exam 303 : Security
      • LPIC-3 Exam 304 : Virtualization and High Availability
    • LPIC-2 Certified Linux Engineer
    • LPIC-1 Linux Administrator
    • LPI Linux Essentials for Raspberry Pi
    • LPI Linux Essentials
  • Operating System Tutorials
    • Linux Foundation Training
    • Solaris 11 OCA 1ZO-821
    • Learning Ubuntu
    • Learning SUSE
    • Red Hat and CentOS Training
      • RHCE – EX294 – Automation With Ansible
      • RHCSA – System Admin 1 – RH124
      • RHCSA – System Admin 2 – RH134
  • Scripting – the power of repetition!
    • Java 7 OCA Exam 1ZO-803
    • General Java Tutorials
    • Learn C Programming using Linux and the Raspberry Pi
    • Ruby Scripting in Linux
    • Scripting with PowerShell
    • PERL Scripting in Linux
    • Learn Shell Scripting with BASH
    • Master Editing Text Files Using VIM
  • Linux Technologies
    • Learning PUPPET
    • openLDAP Directories on Linux
    • Monitoring with Nagios Core
    • Linux File-Systems
    • Learning SAMBA
    • Apache HTTPD Server
    • Learning PHP
    • MYSQL
  • OpenStack
    • Pluralsight
    • Udemy
    • Raspberry Pi Tutorials
    • Citrix Videos
  • Online Instructor-led Courses
    • Red Hat Enterprise Linux System Administration 1 – RH124
    • SELinux Masterclass
    • Bash Scripting Masterclass
    • Nftables Masterclass

© 2021 The Urban Penguin · All Rights Reserved

We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it.Ok