Current-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

NetBSD + ASLR



Hello,

Seeing that OpenBSD today added support for PIE executables in the kernel
and we had this feature working in NetBSD for almost a year now (and in
the typical NetBSD style we did not document/advertise it), here's
a small writeup about:

    How to enable address space layout randomization (ASLR) on NetBSD.

First you need to compile a kernel with options PAX_ASLR=0. Or if you want
to risk to have your system unusable you can use PAX_ASLR=1. Now you should
be able to do:

$ sysctl -a | grep aslr
security.pax.aslr.enabled = 0
security.pax.aslr.global = 0
security.pax.aslr.mmap_len = 32
security.pax.aslr.stack_len = 12
security.pax.aslr.exec_len = 12
$ sysctl -w security.pax.aslr.enabled=1
security.pax.aslr.enabled: 0 -> 1

By default programs don't do ASLR (since security.pax.aslr.global is off).
We can turn this on for specific binaries using:

$ paxctl +A foo

For example, the following program can be used to demonstrate how ASLR works.

$ cat aslr.c
#include <stdio.h>

char foo[] = "foo";

int
main(int argc, char *argv[])
{
        printf("Stack %p\n", &argc);
        printf("Text %p\n", main);
        printf("Data %p\n", foo);
        printf("Libc %p\n", printf);
        return 0;
}
$ cc aslr.c
$ ./a.out 
Stack 0x7f7fffffd46c
Text 0x400910
Data 0x500d78
Libc 0x400674
$ ./a.out
Stack 0x7f7fffffd46c
Text 0x400910
Data 0x500d78
Libc 0x400674
$ paxctl +A ./a.out
$ ./a.out 
Stack 0x7f7fff4de28c
Text 0x400910
Data 0x500d78
Libc 0x400674
$ ./a.out 
Stack 0x7f7fffea080c
Text 0x400910
Data 0x500d78
Libc 0x400674

As you can see above, only the stack is randomized. This is because by
default ELF binaries are pinned to a specific address. But we can do
better than that. We can have the compiler generate position independent
executables for us (PIE):

$ gcc -pie -fPIC -shared-libgcc aslr.c
$ ./a.out
Stack 0x7f7fffffd46c
Text 0xb70
Data 0x101280
Libc 0x7f7ffd9bdab0
$ ./a.out
Stack 0x7f7fffffd46c
Text 0xb70
Data 0x101280
Libc 0x7f7ffd9bdab0
$ paxctl +A ./a.out
$ ./a.out
Stack 0x7f7fff9ef2bc
Text 0xbf700b70
Data 0xbf801280
Libc 0x79c99e1bdab0
$ ./a.out
Stack 0x7f7ffff63f1c
Text 0xcd800b70
Data 0xcd901280
Libc 0x7b87b2bbdab0

As you can see above the location where everything is loaded is random.
You can build everything PIE if you set MKPIE=yes in /etc/mk.conf.
Note that I have not built a complete PIE system, or turned on
security.pax.aslr.global. If you do that you are on your own :-)

Enjoy,

christos


Home | Main Index | Thread Index | Old Index