# 7. ASLR in Depth ### ASLR in Depth Actually, the title is a lie. We're not really going to discuss ASLR in that depth yet. We don't really need to. However, what we are going to do is explore the effects of ASLR on a diagnostic binary we used in the previous section. ``` #define _GNU_SOURCE #include #include #include #include int main() { puts("This program helps visualise where libc is loaded.\n"); int pid = getpid(); char command[500]; puts("Memory Layout: "); sprintf(command, "cat /proc/%d/maps", pid); system(command); puts("\nFunction Addresses: "); printf("System@libc 0x%lx\n", dlsym(RTLD_NEXT, "system")); printf("PID: %d\n", pid); } ``` ### ASLR Turned Off First, make sure ASLR is turned off. ``` ubuntu@ubuntu-xenial:/vagrant/lessons/8_aslr/build$ echo 0 | sudo tee /proc/sys/kernel/randomize_va_space 0 ``` Now, play with the binaries in `/vagrant/lessons/8_aslr/build/`. You should notice that the addresses the objects are mapped at are more or less constant. ``` ubuntu@ubuntu-xenial:/vagrant/lessons/8_aslr/build$ ./1_reveal_addresses This program helps visualise where libc is loaded. Memory Layout: 08048000-08049000 r-xp 00000000 00:28 161 /vagrant/lessons/8_aslr/build/1_reveal_addresses 08049000-0804a000 r--p 00000000 00:28 161 /vagrant/lessons/8_aslr/build/1_reveal_addresses 0804a000-0804b000 rw-p 00001000 00:28 161 /vagrant/lessons/8_aslr/build/1_reveal_addresses 0804b000-0806c000 rw-p 00000000 00:00 0 [heap] f7e0f000-f7e10000 rw-p 00000000 00:00 0 f7e10000-f7fbf000 r-xp 00000000 08:01 256310 /lib/i386-linux-gnu/libc-2.23.so f7fbf000-f7fc0000 ---p 001af000 08:01 256310 /lib/i386-linux-gnu/libc-2.23.so f7fc0000-f7fc2000 r--p 001af000 08:01 256310 /lib/i386-linux-gnu/libc-2.23.so f7fc2000-f7fc3000 rw-p 001b1000 08:01 256310 /lib/i386-linux-gnu/libc-2.23.so f7fc3000-f7fc6000 rw-p 00000000 00:00 0 f7fc6000-f7fc9000 r-xp 00000000 08:01 256309 /lib/i386-linux-gnu/libdl-2.23.so f7fc9000-f7fca000 r--p 00002000 08:01 256309 /lib/i386-linux-gnu/libdl-2.23.so f7fca000-f7fcb000 rw-p 00003000 08:01 256309 /lib/i386-linux-gnu/libdl-2.23.so f7fd4000-f7fd6000 rw-p 00000000 00:00 0 f7fd6000-f7fd8000 r--p 00000000 00:00 0 [vvar] f7fd8000-f7fd9000 r-xp 00000000 00:00 0 [vdso] f7fd9000-f7ffb000 r-xp 00000000 08:01 256300 /lib/i386-linux-gnu/ld-2.23.so f7ffb000-f7ffc000 rw-p 00000000 00:00 0 f7ffc000-f7ffd000 r--p 00022000 08:01 256300 /lib/i386-linux-gnu/ld-2.23.so f7ffd000-f7ffe000 rw-p 00023000 08:01 256300 /lib/i386-linux-gnu/ld-2.23.so fffdd000-ffffe000 rw-p 00000000 00:00 0 [stack] Function Addresses: System@libc 0xf7e4ada0 PID: 4452 ``` ``` ubuntu@ubuntu-xenial:/vagrant/lessons/8_aslr/build$ ./4_reveal_addresses64_pie This program helps visualise where libc is loaded. Memory Layout: 555555554000-555555555000 r-xp 00000000 00:28 158 /vagrant/lessons/8_aslr/build/4_reveal_addresses64_pie 555555754000-555555755000 r--p 00000000 00:28 158 /vagrant/lessons/8_aslr/build/4_reveal_addresses64_pie 555555755000-555555756000 rw-p 00001000 00:28 158 /vagrant/lessons/8_aslr/build/4_reveal_addresses64_pie 555555756000-555555777000 rw-p 00000000 00:00 0 [heap] 7ffff780a000-7ffff79c9000 r-xp 00000000 08:01 2068 /lib/x86_64-linux-gnu/libc-2.23.so 7ffff79c9000-7ffff7bc9000 ---p 001bf000 08:01 2068 /lib/x86_64-linux-gnu/libc-2.23.so 7ffff7bc9000-7ffff7bcd000 r--p 001bf000 08:01 2068 /lib/x86_64-linux-gnu/libc-2.23.so 7ffff7bcd000-7ffff7bcf000 rw-p 001c3000 08:01 2068 /lib/x86_64-linux-gnu/libc-2.23.so 7ffff7bcf000-7ffff7bd3000 rw-p 00000000 00:00 0 7ffff7bd3000-7ffff7bd6000 r-xp 00000000 08:01 2067 /lib/x86_64-linux-gnu/libdl-2.23.so 7ffff7bd6000-7ffff7dd5000 ---p 00003000 08:01 2067 /lib/x86_64-linux-gnu/libdl-2.23.so 7ffff7dd5000-7ffff7dd6000 r--p 00002000 08:01 2067 /lib/x86_64-linux-gnu/libdl-2.23.so 7ffff7dd6000-7ffff7dd7000 rw-p 00003000 08:01 2067 /lib/x86_64-linux-gnu/libdl-2.23.so 7ffff7dd7000-7ffff7dfd000 r-xp 00000000 08:01 2051 /lib/x86_64-linux-gnu/ld-2.23.so 7ffff7fea000-7ffff7fed000 rw-p 00000000 00:00 0 7ffff7ff6000-7ffff7ff8000 rw-p 00000000 00:00 0 7ffff7ff8000-7ffff7ffa000 r--p 00000000 00:00 0 [vvar] 7ffff7ffa000-7ffff7ffc000 r-xp 00000000 00:00 0 [vdso] 7ffff7ffc000-7ffff7ffd000 r--p 00025000 08:01 2051 /lib/x86_64-linux-gnu/ld-2.23.so 7ffff7ffd000-7ffff7ffe000 rw-p 00026000 08:01 2051 /lib/x86_64-linux-gnu/ld-2.23.so 7ffff7ffe000-7ffff7fff000 rw-p 00000000 00:00 0 7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack] ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall] Function Addresses: System@libc 0x7ffff784f390 PID: 4446 ``` ### ASLR Turned On Now, turn on the ASLR. ``` ubuntu@ubuntu-xenial:/vagrant/lessons/8_aslr/build$ echo 2 | sudo tee /proc/sys/kernel/randomize_va_space 2 ``` Before repeating the previous steps on the binaries again, take a look at the output from `checksec`. ``` ubuntu@ubuntu-xenial:/vagrant/lessons/8_aslr/build$ checksec * [*] '/vagrant/lessons/8_aslr/build/1_reveal_addresses' Arch: i386-32-little RELRO: Partial RELRO Stack: Canary found NX: NX enabled PIE: No PIE [*] '/vagrant/lessons/8_aslr/build/2_reveal_addresses64' Arch: amd64-64-little RELRO: Partial RELRO Stack: Canary found NX: NX enabled PIE: No PIE [*] '/vagrant/lessons/8_aslr/build/3_reveal_addresses_pie' Arch: i386-32-little RELRO: Partial RELRO Stack: Canary found NX: NX enabled PIE: PIE enabled [*] '/vagrant/lessons/8_aslr/build/4_reveal_addresses64_pie' Arch: amd64-64-little RELRO: Partial RELRO Stack: Canary found NX: NX enabled PIE: PIE enabled ``` Notice that the last two have PIE enabled. PIE stands for Position Independent Executable. Do you notice any interesting about the results when running these binaries with ASLR turned on?