
How does ASLR protect Linux systems from buffer overflow attacks

2025-03-31 Update From: SLTechnology News&Howtos


This article explains in detail how ASLR protects Linux systems from buffer overflow attacks.

Address Space Layout Randomization (ASLR) is a memory protection mechanism used by the operating system against buffer overflow attacks. This technique makes it impossible to predict the memory addresses of processes running on the system, making the vulnerabilities associated with these processes more difficult to exploit.

ASLR is currently used on Linux, Windows, and macOS systems. It first appeared on Linux in 2005, and was deployed on Windows and macOS in 2007. Although ASLR provides the same functionality on all of these systems, the implementations differ.

The effectiveness of ASLR depends on the entire address space layout remaining unknown to the attacker. In addition, only programs compiled as Position Independent Executables (PIE) get the maximum protection from ASLR, because only then are all code sections of the executable loaded at random addresses. PIE machine code executes correctly regardless of its absolute address.

Limitations of ASLR

Although ASLR makes it more difficult to exploit system vulnerabilities, its ability to protect the system is limited. It is important to understand the following points about ASLR:

It does not fix vulnerabilities; it only makes them more difficult to exploit.

It does not track or report vulnerabilities.

It cannot protect binaries that were not built with ASLR support at compile time.

It cannot avoid being bypassed.

How does ASLR work?

ASLR randomizes the memory-layout offsets that an attacker relies on in a buffer overflow attack. This makes a successful attack more difficult and thus enhances the control flow integrity of the system.

It is generally believed that ASLR works better on 64-bit systems because 64-bit systems provide greater entropy (a random range of addresses).

Is ASLR running on your Linux system?

Either of the two commands shown below will tell you whether ASLR is enabled on your system:

    $ cat /proc/sys/kernel/randomize_va_space
    2
    $ sysctl -a --pattern randomize
    kernel.randomize_va_space = 2

The value (2) in the output above indicates that ASLR is working in full randomization mode. The setting can take one of the following values:

    0 = Disabled
    1 = Conservative Randomization
    2 = Full Randomization
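As an added example (not part of the original article), the script below combines the kernel setting with the PIE requirement described earlier: it reads the ELF header of a binary to see whether it was built position-independent, then reports the resulting coverage. The function names and the none/partial/full labels are this example's own.

```shell
# Added example, not from the original article: combine the kernel ASLR
# setting with a binary's ELF type to estimate its ASLR coverage.

# Map a randomize_va_space value to the mode names listed above.
aslr_mode() {
    case "$1" in
        0) echo "disabled" ;;
        1) echo "conservative" ;;
        2) echo "full" ;;
        *) echo "unknown" ;;
    esac
}

# Print "pie", "non-pie" or "not-elf" for the file named in $1.
# ELF header: bytes 0-3 magic, byte 5 byte order (1 little, 2 big),
# bytes 16-17 e_type (2 = ET_EXEC, fixed address; 3 = ET_DYN).
elf_kind() {
    # Load the first 18 bytes, as decimal numbers, into $1..${18}.
    set -- $(od -An -tu1 -N18 "$1" 2>/dev/null || true)
    if [ "$#" -ne 18 ] || [ "$1 $2 $3 $4" != "127 69 76 70" ]; then
        echo "not-elf"; return 0
    fi
    if [ "$6" -eq 2 ]; then
        etype=$(( ${17} * 256 + ${18} ))   # big-endian header
    else
        etype=$(( ${17} + ${18} * 256 ))   # little-endian header
    fi
    # ET_DYN is also used by shared libraries; on an executable it means
    # PIE. Every other type is reported as non-pie.
    if [ "$etype" -eq 3 ]; then echo "pie"; else echo "non-pie"; fi
}

# $1 = randomize_va_space value, $2 = elf_kind result.
aslr_coverage() {
    if [ "$2" = not-elf ]; then echo "n/a"
    elif [ "$1" = 0 ]; then echo "none"
    elif [ "$1" = 2 ] && [ "$2" = pie ]; then echo "full"
    else echo "partial"
    fi
}

# Report for this host and the binary named in $1 (default /bin/sh).
knob=/proc/sys/kernel/randomize_va_space
target=${1:-/bin/sh}
if [ -r "$knob" ]; then
    mode=$(cat "$knob")
    kind=$(elf_kind "$target")
    echo "kernel=$(aslr_mode "$mode") $target=$kind coverage=$(aslr_coverage "$mode" "$kind")"
fi
```

A "partial" result for a non-PIE binary reflects the point made above: its libraries, stack and heap still move, but the executable's own code stays at a fixed address.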

If you turn off ASLR and run the following commands, you will notice that the output of the two ldd runs is exactly the same. The ldd command loads shared objects and displays their addresses in memory.

    $ sudo sysctl -w kernel.randomize_va_space=0
    [...] /lib/x86_64-linux-gnu/libdl.so.2 (0x00007ffff7c63000)
            libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ffff7a79000)
            /lib64/ld-linux-x86-64.so.2 (0x00007ffff7fd3000)
    $ ldd /bin/bash
            linux-vdso.so.1 (0x00007ffff7fd1000)
            libtinfo.so.6 => /lib/x86_64-linux-gnu/libtinfo.so.6 (0x00007ffff7c69000)
            libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007ffff7c63000)
            libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ffff7a79000)
            /lib64/ld-linux-x86-64.so.2 (0x00007ffff7fd3000)

If you reset it to 2 to enable ASLR, you will see that each time you run ldd, you get a different memory address.

    $ sudo sysctl -w kernel.randomize_va_space=2
    [...] /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f1cb7cda000)
            libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1cb7af0000)
            /lib64/ld-linux-x86-64.so.2 (0x00007f1cb8045000)
    $ ldd /bin/bash
            linux-vdso.so.1 (0x00007ffe1cbd7000)
            libtinfo.so.6 => /lib/x86_64-linux-gnu/libtinfo.so.6 (0x00007fed59742000)
            libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fed5973c000)
            libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fed59552000)
            /lib64/ld-linux-x86-64.so.2 (0x00007fed59aa7000)

Attempts to bypass ASLR

Although this technology has many advantages, attacks that bypass ASLR are not uncommon. They mainly fall into the following categories:

Taking advantage of address disclosure

Accessing data associated with a specific address

Guessing addresses by exploiting defects in the ASLR implementation, commonly because the system entropy is too low or the ASLR implementation is imperfect

Using side-channel attacks
