Aslr in linux kernel
- Preface
- Oracle Linux Security Overview
- Basic Security Considerations
- Keep Software up to Date
- Restrict Network Access to Critical Services
- Follow the Principle of Least Privilege
- Monitor System Activity
- Keep up to Date on the Latest Security Information
- Pre-Installation Tasks
- Installing Oracle Linux
- Shadow Passwords and Hashing Algorithms
- Strong Passwords
- Separate Disk Partitions
- Encrypted Disk Partitions
- Software Selection
- Network Time Service
- Configuring and Using Data Encryption
- Configuring a GRUB Password
- Configuring and Using Certificate Management
- About the openssl Command
- About the keytool Command
- About Local Oracle Linux Authentication
- About IPA
- About LDAP Authentication
- About NIS Authentication
- About Winbind Authentication
- About Kerberos Authentication
- About SELinux Administration
- About SELinux Modes
- Setting SELinux Modes
- About SELinux Policies
- Targeted Policy
- Multilevel Security (MLS) Policy
- Setting SELinux Policies
- Customizing SELinux Policies
- Displaying SELinux User Mapping
- Displaying SELinux Context Information
- Changing the Default File Type
- Restoring the Default File Type
- Relabelling a File System
- Mapping Oracle Linux Users to SELinux Users
- Configuring the Behavior of Application Execution for Users
- Configuring Update and Patch Management
- Installing and Using the Yum Security Plugin
- Configuring and Using Packet-filtering Firewalls
- Listing Firewall Rules
- Inserting Rules in a Chain
- Deleting Rules in a Chain
- Running DNS and FTP Services in a Chroot Jail
- Creating a Chroot Jail
- Using a Chroot Jail
- Address Space Layout Randomization
- Data Execution Prevention
- Position Independent Executables
- Design Principles for Secure Coding
- General Guidelines for Secure Coding
- General Guidelines for Network Programs
- Minimizing the Software Footprint
- Configuring System Logging
- Disabling Core Dumps
- Minimizing Active Services
- Locking Down Network Services
- Configuring a Packet-filtering Firewall
- Configuring TCP Wrappers
- Configuring Kernel Parameters
- Restricting Access to SSH Connections
- Configuring File System Mounts, File Permissions, and File Ownerships
- Checking User Accounts and Privileges
- About SCAP
- Installing the SCAP Packages
- About the oscap Command
- Displaying the Available SCAP Information
- Displaying Information About a SCAP File
- Displaying Available Profiles
- Validating OVAL and XCCDF Files
- Running a Scan Against a Profile
- Generating a Full Security Guide
- Running an OVAL Auditing Scan
- FIPS Validated Cryptographic Modules for Oracle Linux
- Enabling FIPS Mode on Oracle Linux
- Installing FIPS Validated Cryptographic Modules for Oracle Linux
- Installing and Using the OpenSSL FIPS Object Module
- Installing the OpenSSL FIPS Object Module
- Using the OpenSSL FIPS Object Module
The software described in this documentation is either in Extended Support or Sustaining Support. See https://www.oracle.com/us/support/library/enterprise-linux-support-policies-069172.pdf for more information.
Oracle recommends that you upgrade the software described by this documentation as soon as possible.3.15.1 Address Space Layout Randomization
Address Space Layout Randomization (ASLR) can help defeat certain types of buffer overflow attacks. ASLR can locate the base, libraries, heap, and stack at random positions in a process’s address space, which makes it difficult for an attacking program to predict the memory address of the next instruction. ASLR is built into the Linux kernel and is controlled by the parameter /proc/sys/kernel/randomize_va_space . The randomize_va_space parameter can take the following values:
Disable ASLR. This setting is applied if the kernel is booted with the norandmaps boot parameter.
Randomize the positions of the stack, virtual dynamic shared object (VDSO) page, and shared memory regions. The base address of the data segment is located immediately after the end of the executable code segment.
Randomize the positions of the stack, VDSO page, shared memory regions, and the data segment. This is the default setting.
You can change the setting temporarily by writing a new value to /proc/sys/kernel/randomize_va_space , for example:
#
echo
value
> /proc/sys/kernel/randomize_va_spaceTo change the value permanently, add the setting to /etc/sysctl.conf , for example:
kernel.randomize_va_space =
value
and run the sysctl -p command.
If you change the value of randomize_va_space , you should test your application stack to ensure that it is compatible with the new setting.
If necessary, you can disable ASLR for a specific program and its child processes by using the following command:
%
setarch `uname -m` -R
program
[args
. ]Copyright © 2013, 2021, Oracle and/or its affiliates. Legal Notices
Linux and ASLR: kernel/randomize_va_space
The Linux kernel has a defense mechanism named address space layout randomization (ASLR). This setting is tunable with the randomize_va_space setting. Before making changes to this setting, it is good to understand what this Linux security measure actually does and how it works.
Understanding ASLR
In 2001 the term ASLR was first introduced as a patch to the Linux kernel. Its main goal was to randomize memory segments to make abuse by malicious programs harder. A normal program consists of several components, which are loaded into memory and flagged with special properties. Some pieces of the program are executable bits, others are normal data. Before going into these properties, let’s first determine the main goal of a program. Simply said, it should have a start procedure, maintain itself, and finally end. For some programs this whole cycle can take milliseconds, others may take years to complete. It all depends on the program, its stability and how often a system is rebooted.
Guarding against malicious software attacks
While the program runs in memory, we want it to be protected against more evil programs. One of the tricks they use is hijacking the stack pointer. This is a like a traffic agent stating where to go next. Evil programs want to abuse this and perform a redirection trick to insert malicious code into a running program. For this reason, programs have different sections and should be properly flagged in the memory. A section where only normal data is stored should be marked as non-executable. Executable code that does not dynamically change, should be flagged as read-only, etc.
Memory randomization
Besides the mentioned protection mechanisms, we can add another layer and defend against memory misuse. This layer is randomization of virtual address space. For this to work, the binaries running on the system should be a position-independent executable. This means it does not require static memory addresses to fulfill its duties. Since many years this feature is common, which enabled the kernel to apply memory randomization.
Default randomize_va_space setting
Modern Linux kernels have ASLR enabled by default with the specific value 2.
Normally you might expect a value of 0 (disabled), or 1 (enabled). In the case of the randomize_va_space setting, this is true as well. When setting the value to 1, address space is randomized. This includes the positions of the stack itself, virtual dynamic shared object (VDSO) page, and shared memory regions. Setting the option to value 2 will be similar to 1, and add data segments as well. For most systems, this setting is the default and the most secure setting.
Note: some older platforms do not support this setting.
Configure randomize_va_space
If you want to change the value, it can be done temporarily or permanently. One option is to set the value via the pseudo proc file system. You need to be root to change this setting.
echo 2 > /proc/sys/kernel/randomize_va_space
Another option to temporarily change the setting is via the sysctl command.
sysctl -w kernel.randomize_va_space=2
To make this setting permanent and active after a system reboot, add the option to /etc/sysctl.conf.
Note: kernel hardening is a good way to improve the security defenses of a Linux system. To perform a security scan in this area, you can use the open source tool Lynis. It includes the scanning of kernel settings and sees if they are already tuned.
Disable ASLR
If you temporarily want to disable, you can set the value to zero with the instructions above. If you just want to test for a single program you can use the setarch command. This leverages a so-called personality flag.
The -R option disables the randomization of the virtual address space by turning on ADDR_NO_RANDOMIZE. This option allows programs to disable ASLR and run without any randomization.
If you are doing research (e.g. to test how buffer overflows work), keep in mind that also the compiler has some protection mechanisms in place. If you found this page to achieve that, then use this disable stack protection during compilation.
gcc -fno-stack-protector -z execstack -o program program.c
More tunables via sysctl
Are you looking to perform additional kernel hardening of your Linux system? Have a look at the knowledge base section sysctl on the Linux Security Expert website.
One more thing.
Keep learning
So you are interested in Linux security? Join the Linux Security Expert training program, a practical and lab-based training ground. For those who want to become (or stay) a Linux security expert.
Security scanning with Lynis and Lynis Enterprise
Run automated security scans and increase your defenses. Lynis is an open source security tool to perform in-depth audits. It helps with system hardening, vulnerability discovery, and compliance.
- Basic Security Considerations