codeblog code is freedom — patching my itch

1/15/2008

full ASLR in Hardy

Filed under: Security,Ubuntu — kees @ 11:07 am

Thanks to all the people that worked on it from the coding, breaking, testing, and refactoring, Hardy is now sporting the last piece of full Address Space Layout Randomization support. ASLR has been mostly unchanged since Dapper, when the first bits of ASLR went in: stack and mmap (library) randomization. Those changes made simple stack overflow, heap overflow, and return-into-libc attacks much less trivial. Now in Hardy, with the VDSO and brk (text) randomization, things are even more difficult for attackers to exploit.

For binaries that have been compiled with -pie (Position Independent Executable), the kernel is finally able to take advantage of it. As an example, openssh is already using this compile option, and the results are easy to see. Here are the processes from two SSH connections:

$ pstree -lp | grep sshd
        |-sshd(7243)-+-sshd(9136)---sshd(9140)---bash(9142)-+-grep(15380)
        |            +-sshd(9181)---sshd(9185)---bash(9186)

If we examine the memory layout of both sshd processes (9136 and 9181), we can see no user-space memory locations are shared:

$ sudo cat /proc/9136/maps
7ff69df86000-7ff69e0c6000 rw-s 00000000 00:09 34320                      /dev/zero (deleted)
7ff69e0c6000-7ff69e0c9000 r-xp 00000000 fe:15 480495                     /lib/security/pam_limits.so
...
7ff6a1fc8000-7ff6a1fd0000 rw-p 7ff6a1fc8000 00:00 0
7ff6a1ff7000-7ff6a1ffa000 rw-p 7ff6a1ff7000 00:00 0
7ff6a1ffa000-7ff6a1ffc000 rw-p 0001d000 fe:15 1040531                    /lib/ld-2.7.so
7ff6a1ffc000-7ff6a205b000 r-xp 00000000 fe:15 98598                      /usr/sbin/sshd
7ff6a225a000-7ff6a225d000 rw-p 0005e000 fe:15 98598                      /usr/sbin/sshd
7ff6a225d000-7ff6a2289000 rw-p 7ff6a225d000 00:00 0                      [heap]
7fffaa045000-7fffaa05a000 rw-p 7ffffffea000 00:00 0                      [stack]
7fffaa1fe000-7fffaa200000 r-xp 7fffaa1fe000 00:00 0                      [vdso]
...
$ sudo cat /proc/9181/maps
7f05a07b8000-7f05a08f8000 rw-s 00000000 00:09 35989                      /dev/zero (deleted)
7f05a08f8000-7f05a08fb000 r-xp 00000000 fe:15 480495                     /lib/security/pam_limits.so
...
7f05a47fa000-7f05a4802000 rw-p 7f05a47fa000 00:00 0
7f05a4829000-7f05a482c000 rw-p 7f05a4829000 00:00 0
7f05a482c000-7f05a482e000 rw-p 0001d000 fe:15 1040531                    /lib/ld-2.7.so
7f05a482e000-7f05a488d000 r-xp 00000000 fe:15 98598                      /usr/sbin/sshd
7f05a4a8c000-7f05a4a8f000 rw-p 0005e000 fe:15 98598                      /usr/sbin/sshd
7f05a4a8f000-7f05a4abb000 rw-p 7f05a4a8f000 00:00 0                      [heap]
7fffac877000-7fffac88c000 rw-p 7ffffffea000 00:00 0                      [stack]
7fffac9fe000-7fffaca00000 r-xp 7fffac9fe000 00:00 0                      [vdso]
...

The larger the memory space, the more effective ASLR is, so 64bit is the way to go. And, as always, using 64bit kernels automatically gives you the NX bit protections too. Running a 64bit Hardy system is going to rock. :)

© 2008, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

Powered by WordPress