Temporarily disabling Address Space Layout Randomization on Linux en

By Soultaker on Sunday 24 September 2017 15:15 - Comments (0)
Category: Tips & Tricks, Views: 1.417

Address Space Layout Randomization

Address Space Layout Randomization (ASLR) is a kernel feature which causes the kernel to randomize the addresses at which the code and data of a program are loaded, including the addresses of dynamic allocations and memory mappings. The intent is to improve security: when addresses are unpredictable, it is more difficult for attackers to exploit vulnerabilities like buffer overflows, because the code they inject cannot refer to absolute addresses.

However, there is a downside, too: when using memory debuggers (like mtrace) the heap addresses and code locations those tools report are randomized, and it may be difficult to determine what they reference. One way to work around this is to look at the memory maps (e.g. in /proc/${pid}/maps) while the program is running, but this is cumbersome, error-prone and doesn't help if a memory region has already been unmapped or the program has already exited. The easier solution is to temporarily disable ASLR for debugging.

It turns out that in Linux, there are two easy ways to do that. (Note that although many operating systems support ASLR in some form, this post is only about Linux, which happens to be my primary development platform.)

Disabling ASLR globally
ASLR is a kernel feature, and therefore can be enabled/disabled using sysctl or, equivalently, by writing to /proc/sys/kernel/randomize_va_space. To disable ASLR globally:

sudo sysctl -w kernel.randomize_va_space=0

To enable it again:

sudo sysctl -w kernel.randomize_va_space=2

The meaning of the values is explained in the kernel documentation:
0 - Turn the process address space randomization off.  This is the
    default for architectures that do not support this feature anyways,
    and kernels that are booted with the "norandmaps" parameter.

1 - Make the addresses of mmap base, stack and VDSO page randomized.
    This, among other things, implies that shared libraries will be
    loaded to random addresses.  Also for PIE-linked binaries, the
    location of code start is randomized.  This is the default if the
    CONFIG_COMPAT_BRK option is enabled.

2 - Additionally enable heap randomization.  This is the default if
    CONFIG_COMPAT_BRK is disabled.
These changes don't persist across reboots, which is probably a good thing, in this case.

Disabling ASLR locally
A less well-known option is to disable ASLR only for a single process, or a single process tree. This is often preferable, because it allows debugging one specific program, without weakening the security of the rest of the system. Moreover, it doesn't require root permission.

On Linux, this can be done by changing the execution domain for a process with the personality() system call. There is a command line utility, setarch, that calls this function. The primary purpose of setarch is to change the architecture as reported by uname -m, but it also supports additional options to set the various personality flags, which is what we're interested in here.

To execute some-program with ASLR disabled:

setarch $(uname -m) -R ./some-program

Note that uname -m simply reports the current architecture, so setarch doesn't change that. The -R option enables the ADDR_NO_RANDOMIZE flag of the personality() syscall to disable ASLR.

It's also possible to run setarch without an executable argument:

setarch $(uname -m) -R

In that case, it starts a new shell with the specified options. All programs started directly or indirectly from this shell will run with ASLR disabled.

Volgende: Facebook Hacker Cup 2016: Round 2 problem analysis 01-'16 Facebook Hacker Cup 2016: Round 2 problem analysis


There are no comments for this post

Comment form
(required, but will not be displayed)