Some understandings of ASLR and PIE under Linux

Source: Internet
Author: User

Based on the material collected so far, the following conclusions can be drawn for now:

First, ASLR is an operating-system option that applies when an executable (ELF) is loaded and run: on its own it randomizes only the base addresses of the stack, the heap and the shared libraries. PIE (Position Independent Executable) is a compiler option (-fpie in GCC and others) that applies when the executable itself is compiled; it can be understood as a special form of PIC (position independent code) intended for executables rather than shared libraries. An ELF built with the PIE option is reported by the file command as a "shared object", and when it is loaded the base address of the executable itself is randomized as well, so the code segment, PLT, GOT, data segment and the other addresses inside the executable all move.

Second, ASLR appeared before PIE, so techniques such as return-to-PLT, GOT hijacking and stack pivoting (to get around stack randomization) were developed to bypass ASLR. With ASLR plus PIE, all of these bypass techniques fail, and an exploit can only succeed with the help of a separate information-disclosure vulnerability (commonly one that leaks the libc base address).

Finally, ASLR has three levels, 0/1/2 (set through /proc/sys/kernel/randomize_va_space): 0 means ASLR is off, 1 randomizes the stack and the libraries, and 2 also randomizes the heap.

Below are some examples of process memory layouts under different ASLR (per process, set by the kernel) and PIE (per executable, set at compile time) configurations, so that the difference between the two can be seen clearly:

ASLR 1 & no PIE example:

linux-jiangxin:/home/jiangxin/experiment/fuzz/afl/target/libsndfile-1.0.28/fuzz # file /bin/sleep
/bin/sleep: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), for GNU/Linux 2.6.4, dynamically linked (uses shared libs), stripped
linux-jiangxin:/home/jiangxin/experiment/fuzz/afl/target/libsndfile-1.0.28/fuzz # sleep &
[2] 14408
linux-jiangxin:/home/jiangxin/experiment/fuzz/afl/target/libsndfile-1.0.28/fuzz # cat /proc/14408/maps
00400000-00406000 r-xp 00000000 08:07 5464121 /bin/sleep                 unchanged (no PIE)
00605000-00606000 r--p 00005000 08:07 5464121 /bin/sleep
00606000-00607000 rw-p 00006000 08:07 5464121 /bin/sleep
00607000-00628000 rw-p 00000000 00:00 0 [heap]                           unchanged (ASLR 1)
7f81a6b76000-7f81a6ce4000 r-xp 00000000 08:07 131081 /lib64/libc-2.11.3.so   change (ASLR 1)
7f81a6ce4000-7f81a6ee3000 ---p 0016e000 08:07 131081 /lib64/libc-2.11.3.so
7f81a6ee3000-7f81a6ee7000 r--p 0016d000 08:07 131081 /lib64/libc-2.11.3.so
7f81a6ee7000-7f81a6ee8000 rw-p 00171000 08:07 131081 /lib64/libc-2.11.3.so
7f81a6ee8000-7f81a6eed000 rw-p 00000000 00:00 0
...
7ffe0f4cd000-7ffe0f4ee000 rw-p 00000000 00:00 0 [stack]                  change (ASLR 1)
7ffe0f541000-7ffe0f543000 r--p 00000000 00:00 0 [vvar]
7ffe0f543000-7ffe0f545000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
linux-jiangxin:/home/jiangxin/experiment/fuzz/afl/target/libsndfile-1.0.28/fuzz # sleep &
[3] 14411
linux-jiangxin:/home/jiangxin/experiment/fuzz/afl/target/libsndfile-1.0.28/fuzz # cat /proc/14411/maps
00400000-00406000 r-xp 00000000 08:07 5464121 /bin/sleep                 unchanged (no PIE)
00605000-00606000 r--p 00005000 08:07 5464121 /bin/sleep
00606000-00607000 rw-p 00006000 08:07 5464121 /bin/sleep
00607000-00628000 rw-p 00000000 00:00 0 [heap]                           unchanged (ASLR 1)
7fa3e97c1000-7fa3e992f000 r-xp 00000000 08:07 131081 /lib64/libc-2.11.3.so   change (ASLR 1)
7fa3e992f000-7fa3e9b2e000 ---p 0016e000 08:07 131081 /lib64/libc-2.11.3.so
7fa3e9b2e000-7fa3e9b32000 r--p 0016d000 08:07 131081 /lib64/libc-2.11.3.so
7fa3e9b32000-7fa3e9b33000 rw-p 00171000 08:07 131081 /lib64/libc-2.11.3.so
7fa3e9b33000-7fa3e9b38000 rw-p 00000000 00:00 0
...
7ffcc90e3000-7ffcc9104000 rw-p 00000000 00:00 0 [stack]                  change (ASLR 1)
7ffcc91ad000-7ffcc91af000 r--p 00000000 00:00 0 [vvar]
7ffcc91af000-7ffcc91b1000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]

ASLR 2 & PIE example:

linux-jiangxin:~/desktop/qemu/qemu-2.4.0/bin # echo 2 > /proc/sys/kernel/randomize_va_space
linux-jiangxin:~/desktop/qemu/qemu-2.4.0/bin # file qemu-system-x86_64
qemu-system-x86_64: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), for GNU/Linux 2.6.4, dynamically linked (uses shared libs), not stripped
linux-jiangxin:~/desktop/qemu/qemu-2.4.0/bin # ./qemu-system-x86_64 &
[2] 14757
linux-jiangxin:~/desktop/qemu/qemu-2.4.0/bin # VNC server running on '::1:5901'
linux-jiangxin:~/desktop/qemu/qemu-2.4.0/bin # cat /proc/14757/maps
5579dff02000-5579e059d000 r-xp 00000000 08:07 666008 /root/desktop/qemu/qemu-2.4.0/bin/qemu-system-x86_64   change (PIE)
5579e079d000-5579e0869000 r-xp 0069b000 08:07 666008 /root/desktop/qemu/qemu-2.4.0/bin/qemu-system-x86_64
5579e0869000-5579e08e7000 rwxp 00767000 08:07 666008 /root/desktop/qemu/qemu-2.4.0/bin/qemu-system-x86_64
5579e08e7000-5579e0d75000 rwxp 00000000 00:00 0
5579e2811000-5579e4b95000 rwxp 00000000 00:00 0 [heap]                   change (ASLR 2)
7f3916000000-7f3916001000 rwxp 00000000 00:00 0
7f3916200000-7f3916201000 rwxp 00000000 00:00 0
7f3916400000-7f3916600000 rwxp 00000000 00:00 0
...
7f39259f0000-7f3925b5e000 r-xp 00000000 08:07 131081 /lib64/libc-2.11.3.so
7f3925b5e000-7f3925d5d000 ---p 0016e000 08:07 131081 /lib64/libc-2.11.3.so
7f3925d5d000-7f3925d61000 r-xp 0016d000 08:07 131081 /lib64/libc-2.11.3.so
7f3925d61000-7f3925d62000 rwxp 00171000 08:07 131081 /lib64/libc-2.11.3.so
7f3925d62000-7f3925d67000 rwxp 00000000 00:00 0
...
7ffec288e000-7ffec28af000 rwxp 00000000 00:00 0 [stack]
7ffec28f6000-7ffec28f8000 r--p 00000000 00:00 0 [vvar]
7ffec28f8000-7ffec28fa000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
linux-jiangxin:~/desktop/qemu/qemu-2.4.0/bin # ./qemu-system-x86_64 &
[3] 14764
linux-jiangxin:~/desktop/qemu/qemu-2.4.0/bin # VNC server running on '::1:5902'
linux-jiangxin:~/desktop/qemu/qemu-2.4.0/bin # cat /proc/14764/maps
5636e240c000-5636e2aa7000 r-xp 00000000 08:07 666008 /root/desktop/qemu/qemu-2.4.0/bin/qemu-system-x86_64   change (PIE)
5636e2ca7000-5636e2d73000 r-xp 0069b000 08:07 666008 /root/desktop/qemu/qemu-2.4.0/bin/qemu-system-x86_64
5636e2d73000-5636e2df1000 rwxp 00767000 08:07 666008 /root/desktop/qemu/qemu-2.4.0/bin/qemu-system-x86_64
5636e2df1000-5636e327f000 rwxp 00000000 00:00 0
5636e483c000-5636e6bc0000 rwxp 00000000 00:00 0 [heap]                   change (ASLR 2)
7fdb88e00000-7fdb88e01000 rwxp 00000000 00:00 0
7fdb89000000-7fdb89001000 rwxp 00000000 00:00 0
7fdb89200000-7fdb89400000 rwxp 00000000 00:00 0
...
7fdb98831000-7fdb9899f000 r-xp 00000000 08:07 131081 /lib64/libc-2.11.3.so
7fdb9899f000-7fdb98b9e000 ---p 0016e000 08:07 131081 /lib64/libc-2.11.3.so
7fdb98b9e000-7fdb98ba2000 r-xp 0016d000 08:07 131081 /lib64/libc-2.11.3.so
7fdb98ba2000-7fdb98ba3000 rwxp 00171000 08:07 131081 /lib64/libc-2.11.3.so
7fdb98ba3000-7fdb98ba8000 rwxp 00000000 00:00 0
...
7ffffb724000-7ffffb745000 rwxp 00000000 00:00 0 [stack]
7ffffb779000-7ffffb77b000 r--p 00000000 00:00 0 [vvar]
7ffffb77b000-7ffffb77d000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
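An added helper that is not part of the original post: it automates the two checks made by hand above, reading e_type from an ELF header to tell a PIE (ET_DYN, what `file` calls a "shared object") from a fixed-address executable (ET_EXEC), and diffing two /proc/PID/maps snapshots to report which region bases moved between runs. The sample maps lines are the key lines of the two /bin/sleep runs above (ASLR 1, no PIE); the ELF headers are constructed.

```python
import os
import struct

ET_EXEC, ET_DYN = 2, 3          # e_type values defined by the ELF specification

def elf_type(header: bytes) -> str:
    """'EXEC' loads at a fixed address (no PIE); 'DYN' is what a PIE shares
    with .so files, which is why `file` reports a PIE as 'shared object'."""
    if header[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    endian = "<" if header[5] == 1 else ">"        # EI_DATA: 1 = LSB, 2 = MSB
    (e_type,) = struct.unpack(endian + "H", header[16:18])
    return {ET_EXEC: "EXEC", ET_DYN: "DYN"}.get(e_type, "other")

def region_bases(maps_text: str) -> dict:
    """Start address of the first mapping for each file, [heap] and [stack]."""
    bases = {}
    for line in maps_text.splitlines():
        fields = line.split()
        if len(fields) < 6:                        # anonymous mapping, skip
            continue
        name = os.path.basename(fields[5])         # '/bin/sleep' -> 'sleep'
        bases.setdefault(name, int(fields[0].split("-")[0], 16))
    return bases

def aslr_diff(maps_a: str, maps_b: str) -> dict:
    """{region: (base_a, base_b, moved)} for regions present in both snapshots."""
    a, b = region_bases(maps_a), region_bases(maps_b)
    return {k: (a[k], b[k], a[k] != b[k]) for k in a if k in b}

# Constructed samples: the key lines of the two /bin/sleep runs (PIDs 14408
# and 14411) under ASLR level 1 with a non-PIE binary.
RUN_A = """00400000-00406000 r-xp 00000000 08:07 5464121 /bin/sleep
00607000-00628000 rw-p 00000000 00:00 0 [heap]
7f81a6b76000-7f81a6ce4000 r-xp 00000000 08:07 131081 /lib64/libc-2.11.3.so
7ffe0f4cd000-7ffe0f4ee000 rw-p 00000000 00:00 0 [stack]
"""
RUN_B = """00400000-00406000 r-xp 00000000 08:07 5464121 /bin/sleep
00607000-00628000 rw-p 00000000 00:00 0 [heap]
7fa3e97c1000-7fa3e992f000 r-xp 00000000 08:07 131081 /lib64/libc-2.11.3.so
7ffcc90e3000-7ffcc9104000 rw-p 00000000 00:00 0 [stack]
"""
# Constructed 64-bit LSB ELF headers; only the first 18 bytes matter here.
PIE_HEADER = b"\x7fELF" + bytes([2, 1, 1]) + b"\0" * 9 + struct.pack("<H", ET_DYN)
NOPIE_HEADER = b"\x7fELF" + bytes([2, 1, 1]) + b"\0" * 9 + struct.pack("<H", ET_EXEC)

if __name__ == "__main__":
    for region, (x, y, moved) in aslr_diff(RUN_A, RUN_B).items():
        print(f"{region:<16} {x:#014x} -> {y:#014x}  {'moved' if moved else 'fixed'}")
```

On a live system, pass the first 18 bytes of the binary to elf_type and two reads of /proc/PID/maps from separate runs to aslr_diff; under ASLR 2 with a PIE the executable and [heap] entries move as well.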

Reference for the process memory layout of an ELF after it is loaded:

Http://blog.sina.com.cn/s/blog_4ed962ae01013vhr.html

