public inbox for linux-kernel@vger.kernel.org
* [ASLR] Better control on Randomization
@ 2006-01-30 20:03 Emmanuel Fleury
  2006-01-30 22:38 ` Nix
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Emmanuel Fleury @ 2006-01-30 20:03 UTC (permalink / raw)
  To: linux-kernel

Hi all,

I would like to have a way to enable/disable randomization of the stack
independently of the randomization of the dynamic library loading.

I mean, in recent Linux kernels, thanks to ASLR, we have
randomization of the stack:

[fleury@carioca programs]$ ./testASLR
str= 0xbf8e3a3c (/bin/sh), envp= 0xbf8e18ec, argv= 0xbf8e18e4
[fleury@carioca programs]$ ./testASLR
str= 0xbfedda3c (/bin/sh), envp= 0xbfedd75c, argv= 0xbfedd754
[fleury@carioca programs]$ ./testASLR
str= 0xbfe3ba3c (/bin/sh), envp= 0xbfe3a10c, argv= 0xbfe3a104

(testASLR just outputs the addresses of the envp and argv variables).

And randomization of the dynamic libraries:
[fleury@carioca programs]$ cat /proc/self/maps | grep libc
b7e01000-b7f2e000 r-xp 00000000 03:02 328183     /lib/tls/libc-2.3.5.so
b7f2e000-b7f33000 r--p 0012d000 03:02 328183     /lib/tls/libc-2.3.5.so
b7f33000-b7f36000 rw-p 00132000 03:02 328183     /lib/tls/libc-2.3.5.so
[fleury@carioca programs]$ cat /proc/self/maps | grep libc
b7e59000-b7f86000 r-xp 00000000 03:02 328183     /lib/tls/libc-2.3.5.so
b7f86000-b7f8b000 r--p 0012d000 03:02 328183     /lib/tls/libc-2.3.5.so
b7f8b000-b7f8e000 rw-p 00132000 03:02 328183     /lib/tls/libc-2.3.5.so
[fleury@carioca programs]$ cat /proc/self/maps | grep libc
b7de4000-b7f11000 r-xp 00000000 03:02 328183     /lib/tls/libc-2.3.5.so
b7f11000-b7f16000 r--p 0012d000 03:02 328183     /lib/tls/libc-2.3.5.so
b7f16000-b7f19000 rw-p 00132000 03:02 328183     /lib/tls/libc-2.3.5.so

When setting /proc/sys/kernel/randomize_va_space to 0, both
randomizations stop (see linux/arch/i386/kernel/process.c).

Would it be possible to tweak them independently of each other?
(still via procfs)

Regards
-- 
Emmanuel Fleury

The highest goal of computer science is to automate that
which can be automated.
  -- D. L. VerLee

^ permalink raw reply	[flat|nested] 4+ messages in thread
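The message describes testASLR only by its output. Below is a probe of the same kind, written for this page as an added example (it is not the original program, whose source is not in the thread, and nothing in it is kernel code). It prints the same three stack addresses plus the libc base taken from /proc/self/maps, reads the randomize_va_space sysctl, and adds the measurement a practitioner wants when judging a randomization scheme: which address bits actually varied over a set of samples, using the three stack addresses quoted above as constructed input. The file name and all function names are this example's own choices.

```c
/* aslr_probe.c: added example, not the thread's testASLR.
 * Build: gcc -Wall -o aslr_probe aslr_probe.c ; run it several times and
 * compare the output with randomize_va_space set to 0 and to 1. */
#include <stdio.h>
#include <string.h>

/* Parse one /proc/<pid>/maps line ("start-end perms offset dev inode [path]").
 * Returns 1 on success and fills start, end and path ("" for anonymous
 * mappings); returns 0 if the line does not have that shape. */
int parse_maps_line(const char *line, unsigned long *start, unsigned long *end,
                    char *path, size_t pathsz)
{
    char perms[8];
    int consumed = -1;

    if (sscanf(line, "%lx-%lx %7s %*x %*s %*s%n", start, end, perms, &consumed) < 3
        || consumed <= 0)
        return 0;
    const char *p = line + consumed;
    while (*p == ' ' || *p == '\t')
        p++;
    size_t n = strcspn(p, "\n");
    if (n >= pathsz)
        n = pathsz - 1;
    memcpy(path, p, n);
    path[n] = '\0';
    return 1;
}

/* OR of (first sample XOR each other sample): a set bit is an address bit
 * that took more than one value over the runs. Its popcount is an upper
 * bound on the entropy the randomization actually supplied in those runs. */
unsigned long varying_bits(const unsigned long *addrs, size_t n)
{
    unsigned long mask = 0;
    for (size_t i = 1; i < n; i++)
        mask |= addrs[0] ^ addrs[i];
    return mask;
}

int popcount_ul(unsigned long x)
{
    int c = 0;
    for (; x; x &= x - 1)
        c++;
    return c;
}

/* Start address of this process's libc mapping, found the same way as
 * "grep libc /proc/self/maps" in the message; 0 if /proc is unavailable. */
unsigned long libc_base_from_maps(void)
{
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512], path[256];
    unsigned long s, e, base = 0;

    if (!f)
        return 0;
    while (fgets(line, sizeof line, f)) {
        if (parse_maps_line(line, &s, &e, path, sizeof path) &&
            (strstr(path, "/libc.so") || strstr(path, "/libc-"))) {
            base = s;
            break;
        }
    }
    fclose(f);
    return base;
}

/* Value of /proc/sys/kernel/randomize_va_space, or -1 if it cannot be read. */
int read_randomize_va_space(void)
{
    FILE *f = fopen("/proc/sys/kernel/randomize_va_space", "r");
    int v = -1;

    if (f) {
        if (fscanf(f, "%d", &v) != 1)
            v = -1;
        fclose(f);
    }
    return v;
}

int main(int argc, char **argv, char **envp)
{
    char str[] = "/bin/sh";   /* a stack buffer, as in the quoted output */
    /* Constructed input: the three stack addresses quoted in the message. */
    unsigned long stack[] = { 0xbf8e3a3cUL, 0xbfedda3cUL, 0xbfe3ba3cUL };
    unsigned long m = varying_bits(stack, sizeof stack / sizeof stack[0]);

    (void)argc;
    printf("randomize_va_space=%d\n", read_randomize_va_space());
    printf("str=%p (%s) envp=%p argv=%p libc=0x%lx\n",
           (void *)str, str, (void *)envp, (void *)argv, libc_base_from_maps());
    printf("quoted stack samples: varying bits 0x%lx (%d bits)\n",
           m, popcount_ul(m));
    return 0;
}
```

On the three stack samples quoted above the varying mask is 0x006fe000: nine bits change and nothing below bit 13 does, so those runs show page-granular placement only; the three libc bases give 0x003fd000, again nine bits. A mask measured over a handful of runs is a floor on what is fixed, not a ceiling on what can vary, so collect dozens of samples before drawing conclusions. On a system with util-linux, `setarch $(uname -m) -R ./aslr_probe` runs the probe with the ADDR_NO_RANDOMIZE personality, which switches off every randomization for that one process; it is not the per-feature knob the message asks for.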

* Re: [ASLR] Better control on Randomization
  2006-01-30 20:03 [ASLR] Better control on Randomization Emmanuel Fleury
@ 2006-01-30 22:38 ` Nix
  2006-01-31  9:15 ` Emmanuel Fleury
  2006-01-31 13:14 ` Emmanuel Fleury
  2 siblings, 0 replies; 4+ messages in thread
From: Nix @ 2006-01-30 22:38 UTC (permalink / raw)
  To: Emmanuel Fleury; +Cc: linux-kernel

On 30 Jan 2006, Emmanuel Fleury prattled cheerily:
> Would it be possible to tweak them independently of each other?
> (still via procfs)

If you prelink your system, shared library randomization (of those
libraries that were prelinked) ceases: but the stack is still
randomized. If you prelink with -R, prelink uses random addresses,
which is pretty much as good as using ASLR, but faster and more
memory-efficient :)

I don't know of any specific knob, nor of a way to turn off stack
randomization but leave mmap(PROT_EXEC) randomization on.

-- 
`I won't make a secret of the fact that your statement/question
 sent a wave of shock and horror through us.' --- David Anderson


* Re: [ASLR] Better control on Randomization
  2006-01-30 20:03 [ASLR] Better control on Randomization Emmanuel Fleury
  2006-01-30 22:38 ` Nix
@ 2006-01-31  9:15 ` Emmanuel Fleury
  2006-01-31 13:14 ` Emmanuel Fleury
  2 siblings, 0 replies; 4+ messages in thread
From: Emmanuel Fleury @ 2006-01-31  9:15 UTC (permalink / raw)
  Cc: linux-kernel

Hi,

Just to say what use I intend to make of this. :)

I'm giving a lecture on software security and I'm trying to have a
kernel in which you can add/remove security features in order to let
the students learn and practice some attacks (this kernel should run
in a UML process).

Ideally, I would like to be able to activate/deactivate (independently):
- Stack randomization
- Heap randomization
- Library randomization
- Non-executable stack

(for the last one, as the kernel will be minimum (No X, no JVM), it
might be easier to NOT consider the trampoline functions).

Well, for now I'm just looking at the _feasibility_ of this idea
(and how hard it would be to make it run in UML).

Any comments or ideas are more than welcome. :)

Regards
-- 
Emmanuel Fleury

That's the whole problem with science. You've got a bunch of
empiricists trying to describe things of unimaginable wonder.
  -- Calvin & Hobbes (Bill Watterson)


* Re: [ASLR] Better control on Randomization
  2006-01-30 20:03 [ASLR] Better control on Randomization Emmanuel Fleury
  2006-01-30 22:38 ` Nix
  2006-01-31  9:15 ` Emmanuel Fleury
@ 2006-01-31 13:14 ` Emmanuel Fleury
  2 siblings, 0 replies; 4+ messages in thread
From: Emmanuel Fleury @ 2006-01-31 13:14 UTC (permalink / raw)
  To: Linux Kernel

Some more details...

Emmanuel Fleury wrote:
> 
> Would it be possible to tweak them independently of each other?
> (still via procfs)

I mean it surely implies some modifications of the kernel source. My
question is more about where to locate the "if" to stop only one or the
other.

Regards
-- 
Emmanuel Fleury

A journey of a thousand miles must begin with a single step.
   -- Lao Tzu

