Author: Jonathan Salwan
Translation: http://www.cfeng.org
In this short article we will see how ASLR is implemented in Linux kernel 3.7. The kernel obtains its pseudo-random numbers by calling get_random_int(), which lives in drivers/char/random.c.
First, get_random_int() calls get_cpu_var() to fetch the per-CPU hash buffer (get_random_int_hash). get_cpu_var() returns the instance of a per-CPU variable that belongs to the processor currently executing, so each CPU mixes into its own state. The function then folds some extra information into that buffer:
jiffies is a global kernel variable that counts timer (IRQ0) ticks since the machine booted.
On Intel, the cycle count comes from the rdtsc instruction, which is what get_cycles() wraps on that architecture.
So the value produced by the first step is:
first_step = hash[0] (the previous random int) + (current PID) + (IRQ0 ticks, jiffies) + (RDTSC cycle count)
In the second step, get_random_int() hands the updated hash buffer to md5_transform(). md5_transform() is the core of the MD5 algorithm: it updates an existing MD5 state in place to reflect a block of 16 new 32-bit words of input. Here that 16-word block is random_int_secret, a secret filled from the entropy pool at boot, so the mixing is keyed with a value user space never sees.
After these two steps we have a pseudo-random number that is hard to reproduce from outside the kernel.
random_int = md5_transform(hash[0] + current PID + IRQ0 ticks + RDTSC, random_int_secret), and the value returned is the new hash[0]. The buffer is never reset, so each call chains on the previous output.
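The two steps above, modelled in user space as an added example rather than the kernel's own source: the md5_transform() here is a real MD5 compression core (checked against the MD5 of the empty message), while seed_state() is a constructed LCG stand-in for the entropy-pool initialisation of get_random_int_hash and random_int_secret, and the HZ=100 jiffies stand-in in main() is an assumption. Only the mixing structure is the kernel's; the seeds and names are this example's.

```c
#include <stdint.h>
#include <stdio.h>
#include <time.h>
#include <unistd.h>

/* MD5 round constants T[1..64] (RFC 1321) and the per-round rotation amounts. */
static const uint32_t K[64] = {
    0xd76aa478,0xe8c7b756,0x242070db,0xc1bdceee,0xf57c0faf,0x4787c62a,0xa8304613,0xfd469501,
    0x698098d8,0x8b44f7af,0xffff5bb1,0x895cd7be,0x6b901122,0xfd987193,0xa679438e,0x49b40821,
    0xf61e2562,0xc040b340,0x265e5a51,0xe9b6c7aa,0xd62f105d,0x02441453,0xd8a1e681,0xe7d3fbc8,
    0x21e1cde6,0xc33707d6,0xf4d50d87,0x455a14ed,0xa9e3e905,0xfcefa3f8,0x676f02d9,0x8d2a4c8a,
    0xfffa3942,0x8771f681,0x6d9d6122,0xfde5380c,0xa4beea44,0x4bdecfa9,0xf6bb4b60,0xbebfbc70,
    0x289b7ec6,0xeaa127fa,0xd4ef3085,0x04881d05,0xd9d4d039,0xe6db99e5,0x1fa27cf8,0xc4ac5665,
    0xf4292244,0x432aff97,0xab9423a7,0xfc93a039,0x655b59c3,0x8f0ccc92,0xffeff47d,0x85845dd1,
    0x6fa87e4f,0xfe2ce6e0,0xa3014314,0x4e0811a1,0xf7537e82,0xbd3af235,0x2ad7d2bb,0xeb86d391 };
static const unsigned S[64] = {
    7,12,17,22,7,12,17,22,7,12,17,22,7,12,17,22, 5,9,14,20,5,9,14,20,5,9,14,20,5,9,14,20,
    4,11,16,23,4,11,16,23,4,11,16,23,4,11,16,23, 6,10,15,21,6,10,15,21,6,10,15,21,6,10,15,21 };

static uint32_t rotl(uint32_t x, unsigned n) { return (x << n) | (x >> (32 - n)); }

/* MD5 compression: fold one 16-word block into the 4-word state in place. This is the
 * job md5_transform() in lib/md5.c does; the kernel uses it purely as a keyed mixer. */
void md5_transform(uint32_t hash[4], const uint32_t in[16])
{
    uint32_t a = hash[0], b = hash[1], c = hash[2], d = hash[3];
    for (unsigned i = 0; i < 64; i++) {
        uint32_t f; unsigned g;
        if (i < 16)      { f = (b & c) | (~b & d); g = i; }
        else if (i < 32) { f = (d & b) | (~d & c); g = (5 * i + 1) % 16; }
        else if (i < 48) { f = b ^ c ^ d;          g = (3 * i + 5) % 16; }
        else             { f = c ^ (b | ~d);       g = (7 * i) % 16; }
        uint32_t tmp = d;
        d = c; c = b;
        b += rotl(a + f + K[i] + in[g], S[i]);
        a = tmp;
    }
    hash[0] += a; hash[1] += b; hash[2] += c; hash[3] += d;
}

/* Known-answer check: the padding block of the empty message must hash to
 * d41d8cd98f00b204e9800998ecf8427e (compared here as little-endian words). */
int md5_known_answer_check(void)
{
    uint32_t h[4] = { 0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476 };
    uint32_t block[16] = { 0x80 };   /* 0x80 pad byte, zero length field */
    md5_transform(h, block);
    return h[0] == 0xd98c1dd4 && h[1] == 0x04b2008f && h[2] == 0x980980e9 && h[3] == 0x7e42f8ec;
}

/* Per-CPU hash (get_random_int_hash, 4 words) and per-boot secret (random_int_secret,
 * 16 words). The kernel fills both from the entropy pool; seed_state() is a constructed
 * LCG stand-in so the run is reproducible. */
struct rng_state { uint32_t hash[4]; uint32_t secret[16]; };

void seed_state(struct rng_state *st, uint32_t seed)
{
    for (int i = 0; i < 4; i++)  st->hash[i]   = seed = seed * 1664525u + 1013904223u;
    for (int i = 0; i < 16; i++) st->secret[i] = seed = seed * 1664525u + 1013904223u;
}

/* Model of get_random_int(): step 1 adds pid, jiffies and the cycle count into hash[0];
 * step 2 runs one MD5 compression over the secret; the new hash[0] is the result.
 * The state is never reset, so every call chains on the previous output. */
uint32_t model_get_random_int(struct rng_state *st, uint32_t pid, uint32_t jiffies, uint32_t cycles)
{
    st->hash[0] += pid + jiffies + cycles;
    md5_transform(st->hash, st->secret);
    return st->hash[0];
}

/* Low word of rdtsc on x86, as get_cycles() reads it; clock() elsewhere (assumption). */
static uint32_t read_cycles(void)
{
#if defined(__x86_64__) || defined(__i386__)
    uint32_t lo, hi;
    __asm__ volatile("rdtsc" : "=a"(lo), "=d"(hi));
    (void)hi;
    return lo;
#else
    return (uint32_t)clock();
#endif
}

int main(void)
{
    struct rng_state st;
    seed_state(&st, 0xdeadbeef);
    printf("MD5 core self-test: %s\n", md5_known_answer_check() ? "ok" : "FAILED");
    for (int i = 0; i < 4; i++) {   /* HZ=100 jiffies stand-in (assumption) */
        uint32_t jiffies = (uint32_t)(clock() / (CLOCKS_PER_SEC / 100));
        printf("get_random_int() -> 0x%08x\n",
               (unsigned)model_get_random_int(&st, (uint32_t)getpid(), jiffies, read_cycles()));
    }
    return 0;
}
```

The point the model makes visible is that pid, jiffies and rdtsc are all guessable by a local attacker; what keeps the sequence hard to reproduce is the per-boot secret and the three other state words, which never leave the kernel, plus the chaining through hash[0]. Build with gcc on x86 to exercise the real rdtsc path.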
The kernel uses randomize_range() to pick an address between two bounds. It simply calls get_random_int(), reduces the result modulo the size of the window between start and end (less the length of the region being placed), adds start, and page-aligns the result.
When the kernel loads an ELF binary, load_elf_binary() in fs/binfmt_elf.c is called. Part of that function sets up the process memory layout: the code and data segments, the stack, and the base of the brk (heap) area.
In load_elf_binary(), arch_randomize_brk() is only reached when the sysctl variable randomize_va_space is greater than 1 and the task has the PF_RANDOMIZE flag set; under those conditions the base address of brk is randomized. On x86, arch_randomize_brk() itself is a call to randomize_range() over a 32 MiB (0x02000000) window above the unrandomized brk. The other randomized regions reached from load_elf_binary() (stack top, mmap base) follow the same pattern: each is gated on PF_RANDOMIZE and each draws on get_random_int().
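To make the gate and the arithmetic concrete, here is an added user-space model (not kernel code) of the path from load_elf_binary() through arch_randomize_brk() to randomize_range(). stub_get_random_int() is a constructed xorshift placeholder for get_random_int(), PAGE_SIZE is assumed to be 4 KiB, and the brk value in main() is constructed; the 32 MiB window and the PF_RANDOMIZE / randomize_va_space check mirror the x86 behaviour described above.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE     4096UL
#define PAGE_ALIGN(x) (((x) + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1))
#define PF_RANDOMIZE  0x00400000u   /* same bit as the kernel's task flag */

/* Stand-in for get_random_int(): xorshift32 over a caller-held seed, so a run is
 * reproducible. It is NOT the kernel generator, only a placeholder (assumption). */
uint32_t stub_get_random_int(uint32_t *state)
{
    uint32_t x = *state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *state = x;
}

/* Model of randomize_range(start, end, len): a page-aligned address such that a region
 * of len bytes placed there still fits in [start, end]. The empty-window test is written
 * as end <= start + len because 'range' is unsigned and a range < 0 test can never fire. */
unsigned long model_randomize_range(unsigned long start, unsigned long end,
                                    unsigned long len, uint32_t *rng)
{
    if (end <= start + len)
        return 0;
    unsigned long range = end - len - start;
    return PAGE_ALIGN(stub_get_random_int(rng) % range + start);
}

/* Model of the x86 arch_randomize_brk(): the heap base lands in the 32 MiB (0x02000000)
 * above the unrandomized brk; a 0 from randomize_range() falls back to brk itself. */
unsigned long model_arch_randomize_brk(unsigned long brk, uint32_t *rng)
{
    unsigned long r = model_randomize_range(brk, brk + 0x02000000UL, 0, rng);
    return r ? r : brk;
}

/* Model of the brk decision in load_elf_binary(): the per-task PF_RANDOMIZE flag and
 * randomize_va_space > 1 (sysctl kernel.randomize_va_space = 2) are both required. */
unsigned long model_elf_brk(unsigned long brk, int randomize_va_space,
                            unsigned task_flags, uint32_t *rng)
{
    if ((task_flags & PF_RANDOMIZE) && randomize_va_space > 1)
        return model_arch_randomize_brk(brk, rng);
    return brk;
}

/* Draw n randomized brk bases and check each is page-aligned and inside the window.
 * Returns 1 if all pass, 0 on the first violation. */
int brk_samples_in_window(unsigned long brk, uint32_t seed, int n)
{
    uint32_t rng = seed;
    for (int i = 0; i < n; i++) {
        unsigned long r = model_elf_brk(brk, 2, PF_RANDOMIZE, &rng);
        if (r & (PAGE_SIZE - 1)) return 0;
        if (r < brk || r > brk + 0x02000000UL) return 0;
    }
    return 1;
}

int main(void)
{
    uint32_t rng = 0x1badb002u;
    unsigned long brk = 0x00602000UL;   /* constructed: end of a small non-PIE binary's data */
    printf("randomize_va_space=1, PF_RANDOMIZE set   -> brk 0x%08lx (unchanged)\n",
           model_elf_brk(brk, 1, PF_RANDOMIZE, &rng));
    printf("randomize_va_space=2, PF_RANDOMIZE clear -> brk 0x%08lx (unchanged)\n",
           model_elf_brk(brk, 2, 0, &rng));
    for (int i = 0; i < 3; i++)
        printf("randomize_va_space=2, PF_RANDOMIZE set   -> brk 0x%08lx\n",
               model_elf_brk(brk, 2, PF_RANDOMIZE, &rng));
    printf("window holds %lu pages: 2^13 positions, 13 bits of brk entropy\n",
           0x02000000UL / PAGE_SIZE);
    return 0;
}
```

Two practitioner points fall out of the model. Because the draw is reduced modulo the window and then page-aligned, brk on x86 can take only 0x02000000 / 4096 = 2^13 page positions, i.e. 13 bits of entropy, which is brute-forceable for a local attacker who can retry. And a modulus that is not a power of two makes the low residues slightly more likely (2^32 is not a multiple of it), so windows that are not power-of-two sized are marginally less uniform than the 32 MiB brk window.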