LPIC-3 303 Topic 326.1
The LPIC-3 certification for Linux security wants you to be a master of managing security on a Linux system. The topic is, of course broad but one of the smaller objectives is to know how Linux protects from rogue developers and applications by randomizing application address space. This is known as ASLR or Address Space Layout Randomization. ASLR was introduced into the Linux kernel in 2005, earlier in 2004 it has been available as a patch. With memory randomization enabled the address space in which an application is randomised. Meaning that an application does not use the address space on each execution. This is standard behaviour for Linux modules as they are required to be compiled with ASLR support. For you to observe this though it most be enabled in the Kernel using the procfs. It is enabled by default in most Linux distributions if not all.
Each objective is available to view online. However if you prefer to have all the content in one place and study from an eBook then the objective ‘LPIC 3 Linux Security 326.1 Host Hardening’ is now available to download for just £0.99.
View ASLR Settings
To view the current settings for ASLR on your system you can use either cat or more specifically using sysctl:
$ cat /proc/sys/kernel/randomize_va_space 2 $ sysctl -a --pattern randomize kernel.randomize_va_space = 2
The sysctl tool is part of the Linux core-utils package and is found on all systems. Settings that sysctl can read and write to are found in the /proc/sys directory. The option -a is used to display all settings but we can drill down with the –pattern option which can take extended regular expressions as an argument.
Valid Settings
Normally these keys can take an option of 0 or 1. We see here that a value of 2 is used.
- 0 = Disablabed
- 1 = Conservative Randomization
- 2 = Full Randomization
View Address Space
Using the command ldd we can view the address space of modules required by applications, these modules are dynamically loaded with the command requiring the module. The address space used is shown in brackets. We run the ldd command twice against the same command, bash. This allows us to see that the module use a different or random address space each time when ASLR is enabled.:
$ ldd /bin/bash linux-vdso.so.1 => (0x00007fff6f572000) libtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5 (0x00007fc1ecf16000) libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fc1ecd12000) libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fc1ec948000) /lib64/ld-linux-x86-64.so.2 (0x00007fc1ed13f000) $ ldd /bin/bash linux-vdso.so.1 => (0x00007ffca6113000) libtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5 (0x00007f8e8dc3e000) libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f8e8da3a000) libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f8e8d670000) /lib64/ld-linux-x86-64.so.2 (0x00007f8e8de67000)
Disable ASLR
If we now disable ASLR memomy space will not be random and we will see the same space used each time. It is this behaviour that we want to prevent. Disabling from the CLI in this way is not persistent. we would need to add the setting to /etc/sysctl.conf to persist that setting.
$ sudo sysctl -w kernel.randomize_va_space=0 kernel.randomize_va_space = 0
$ ldd /bin/bash linux-vdso.so.1 => (0x00007ffff7ffa000) libtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5 (0x00007ffff7bae000) libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007ffff79aa000) libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ffff75e0000) /lib64/ld-linux-x86-64.so.2 (0x00007ffff7dd7000) $ ldd /bin/bash linux-vdso.so.1 => (0x00007ffff7ffa000) libtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5 (0x00007ffff7bae000) libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007ffff79aa000) libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ffff75e0000) /lib64/ld-linux-x86-64.so.2 (0x00007ffff7dd7000)
Running the same ldd command we see now the modules use the same address space for each execution.
Applications need to be Compiled with ASLR Support
Linux modules will support ASLR if it is enabled on the system. This is because they are compiled with support for ASLR or in the complier it is called PIE, Position Independent Executable. Applications need this support enabled too, both on the server as we have seen and in the compilation. Let’s review some simple C code to display the memory address of the application:
#include <stdlib.h> #include <stdio.h> void* getAddr () { return __builtin_return_address(0)-0x5; }; int main(int argc, char** argv){ printf("Code located at: %p\n",getAddr()); return 0; }
The code is very simple and only displays the memory location of the application when it runs. We save the file as pie.c. If we compile it with the gcc, we might omit the PIE support. Let’s see what happens. First, before we forget, we will re-enable ASLR on the server and then compile the code:
$ sudo sysctl -w kernel.randomize_va_space=2 kernel.randomize_va_space = 2 $ gcc pie.c -o getAddr
We compiled this time without adding in the support or PIE, we create an executable called getAddr. See what happens now when we execute it a couple if times:
$ ./getAddr Code located at: 0x400548 $ ./getAddr Code located at: 0x400548
Even though ASLR is enabled the application does not support it and it runs in the same address space each time. To enable support in the executable we add some compiler options:
$ gcc -fPIE -pie pie.c -o getAddr $ ./getAddr Code located at: 0x556d528a5772 $ ./getAddr Code located at: 0x5638beaa9772
We see now that the code runs in different address spaces. The video follows: