baruch baruch - 3 months ago 17
C Question

Why does ASLR not seem to be working

I checked if ASLR is enabled as follows and I think it is:

[user@localhost test]$ cat /proc/sys/kernel/randomize_va_space
2


I tried testing it with the following program:

test.c:

#include <stdio.h>
int main(void)
{
printf("%p\n", main);
return 1;
}


I expected, if ASLR is active, to see a different address for each run, right? But I got the same each time. I tested both for 64bit and 32bit executables. I am using a 64bit Arch Linux system to test this:

[user@localhost test]$ gcc test.c -o test
[user@localhost test]$ ./test
0x4004c6
[user@localhost test]$ ./test
0x4004c6
[user@localhost test]$ ./test
0x4004c6
[user@localhost test]$ ./test
0x4004c6
[user@localhost test]$ gcc -m32 test.c -o test
[user@localhost test]$ ./test
0x80483eb
[user@localhost test]$ ./test
0x80483eb
[user@localhost test]$ ./test
0x80483eb
[user@localhost test]$ ./test
0x80483eb


As you can see, the address is the same for every run. Doesn't this mean that ASLR is off?

Answer

Your executable must be position-independent to allow that.

gcc -pie -fPIE -o test test.c

Try running it this way, the address should visibly change on each run.

Non-PI executables are meant to be loaded at a fixed, explicitly non-random address stored in their ELF header. This assumption allows compiler and linker to hard-code absolute addresses into the output, making it smaller and faster on some targets.

Loading non-PI executables at any other address invalidates all those absolute references, resulting in SIGSEGV at best and some random code running at worst. The address of main can't be randomized safely because the compiler was allowed to assume that it won't be, so it's never done even if ASLR is enabled.

To allow randomization, the compiler must be told to generate position-independent code (-fPIE), and the resulting executable must be marked as position-independent (-pie) so that the kernel would know it's safe to load at any address.

Which options are necessary to achieve that depends a lot on toolchain configuration (-fpie, -fPIE, -fpic, -fPIC); some may generate PI code by default. The safe bet is to compile with -fPIE and link with -pie -fPIE.
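The answer's point is that the kernel only randomizes the base of an executable whose ELF header says ET_DYN (PIE), never one marked ET_EXEC. The following is an added example, not code from the question or the answer: it parses the e_type field of an ELF header, checks the running program's own header via /proc/self/exe (assumed to be Linux), and prints the address of main alongside the verdict, so you can compare a plain gcc build with a gcc -pie -fPIE build. The sample headers are constructed for the check, not taken from real binaries.

```c
#include <elf.h>
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Classify an ELF header: 1 for ET_DYN (PIE / shared object, base can be
 * randomized), 0 for ET_EXEC (fixed load address, base never randomized),
 * -1 if the buffer is not a parseable ELF header. */
int elf_is_pie(const unsigned char *buf, size_t len)
{
    if (len < EI_NIDENT + 2 || memcmp(buf, ELFMAG, SELFMAG) != 0)
        return -1;
    /* e_type directly follows e_ident in both ELF32 and ELF64 headers;
     * honour the byte order declared in e_ident[EI_DATA]. */
    uint16_t e_type;
    if (buf[EI_DATA] == ELFDATA2LSB)
        e_type = (uint16_t)(buf[EI_NIDENT] | (buf[EI_NIDENT + 1] << 8));
    else if (buf[EI_DATA] == ELFDATA2MSB)
        e_type = (uint16_t)((buf[EI_NIDENT] << 8) | buf[EI_NIDENT + 1]);
    else
        return -1;
    if (e_type == ET_DYN)  return 1;
    if (e_type == ET_EXEC) return 0;
    return -1;
}

/* Read the header of the running executable (Linux /proc assumed). */
int self_is_pie(void)
{
    unsigned char hdr[EI_NIDENT + 2];
    FILE *f = fopen("/proc/self/exe", "rb");
    if (!f) return -1;
    size_t n = fread(hdr, 1, sizeof hdr, f);
    fclose(f);
    return elf_is_pie(hdr, n);
}

/* Constructed sample headers (only e_ident and e_type are meaningful). */
const unsigned char SAMPLE_EXEC_HDR[EI_NIDENT + 2] = { 0x7f, 'E', 'L', 'F',
    ELFCLASS64, ELFDATA2LSB, EV_CURRENT, 0, 0, 0, 0, 0, 0, 0, 0, 0, ET_EXEC, 0 };
const unsigned char SAMPLE_DYN_BE_HDR[EI_NIDENT + 2] = { 0x7f, 'E', 'L', 'F',
    ELFCLASS32, ELFDATA2MSB, EV_CURRENT, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ET_DYN };

int main(void)
{
    int pie = self_is_pie();
    printf("main at %p: %s\n", (void *)main,
           pie == 1 ? "ET_DYN, base randomized under ASLR" :
           pie == 0 ? "ET_EXEC, fixed base, never randomized" : "unknown");
    return 0;
}
```

Build it once without and once with -pie -fPIE and run each several times: the ET_EXEC build prints the same address every run, exactly as in the question, while the ET_DYN build's address changes.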
