<div align="center">
<script async src="//pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script>
<!-- Contents -->
<ins class="adsbygoogle"
     style="display:inline-block;width:728px;height:90px"
     data-ad-client="ca-pub-1411820076951016"
     data-ad-slot="3793401480"></ins>
<script>
(adsbygoogle = window.adsbygoogle || []).push({});
</script>
</div>

Excuse the ads! We need some help to keep our site up.

<div id="google_translate_element"></div><script type="text/javascript">
function googleTranslateElementInit() {
  new google.translate.TranslateElement({pageLanguage: 'ko', layout: google.translate.TranslateElement.InlineLayout.SIMPLE, multilanguagePage: true, gaTrack: true, gaId: 'UA-92563911-1'}, 'google_translate_element');
}
</script><script type="text/javascript" src="//translate.google.com/translate_a/element.js?cb=googleTranslateElementInit"></script>

List


ASLR

Set ASLR

echo 0 > /proc/sys/kernel/randomize_va_space

0 : ASLR 해제
1 : 랜덤 스택 & 랜덤 라이브러리 설정
2 : 랜덤 스택 & 랜덤 라이브러리 & 랜덤 힙 설정

Check the protection techniques of binary files.

checksec.sh

lazenca0x0@ubuntu:~/Documents/Definition/protection/ASLR$ ./ASLR 
[Heap]  address: 0x1137010
[Stack] address: 0x7fffcfcd6b20
[libc]  address: 0x7f9526812830
^Z
[1]+  Stopped                 ./ASLR
lazenca0x0@ubuntu:~/Documents/Definition/protection/ASLR$ checksec.sh --proc ASLR
* System-wide ASLR (kernel.randomize_va_space): On (Setting: 2)

  Description - Make the addresses of mmap base, heap, stack and VDSO page randomized.
  This, among other things, implies that shared libraries will be loaded to random 
  addresses. Also for PIE-linked binaries, the location of code start is randomized.

  See the kernel file 'Documentation/sysctl/kernel.txt' for more details.

* Does the CPU support NX: Yes

         COMMAND    PID RELRO             STACK CANARY           NX/PaX        PIE
            ASLR  10366 Partial RELRO     Canary found           NX enabled    No PIE                  
lazenca0x0@ubuntu:~/Documents/Definition/protection/ASLR$

Memory map

Memory area첫번째 실행

두번째 실행 

Stack0x7ffea624c000 ~ 0x7ffea626d000

0x7ffc75b23000 ~ 0x7ffc75b44000

Heap0x0229e000 ~ 0x022bf000

0x01198000 ~ 0x011b9000

Libc0x7fb51e026000 ~ 0x7fb51e618000

0x7f6adb39b000 ~ 0x7f6adb98d000

lazenca0x0@ubuntu:~/Documents/Definition/protection/ASLR$ ./ASLR 
[Heap]  address: 0x229e010
[Stack] address: 0x7ffea626a3e0
[libc]  address: 0x7fb51e046830
^Z
[1]+  Stopped                 ./ASLR
lazenca0x0@ubuntu:~/Documents/Definition/protection/ASLR$ ps -ef |grep ASLR
lazenca+   8521   6173  0 02:12 pts/4    00:00:00 ./ASLR
lazenca+   8523   6369  0 02:12 pts/18   00:00:00 grep --color=auto ASLR
lazenca0x0@ubuntu:~/Documents/Definition/protection$ cat /proc/8521/maps
00400000-00401000 r-xp 00000000 08:01 551811                             /home/lazenca0x0/Documents/Definition/protection/ASLR/ASLR
00600000-00601000 r--p 00000000 08:01 551811                             /home/lazenca0x0/Documents/Definition/protection/ASLR/ASLR
00601000-00602000 rw-p 00001000 08:01 551811                             /home/lazenca0x0/Documents/Definition/protection/ASLR/ASLR
0229e000-022bf000 rw-p 00000000 00:00 0                                  [heap]
7fb51e026000-7fb51e1e6000 r-xp 00000000 08:01 655589                     /lib/x86_64-linux-gnu/libc-2.23.so
7fb51e1e6000-7fb51e3e6000 ---p 001c0000 08:01 655589                     /lib/x86_64-linux-gnu/libc-2.23.so
7fb51e3e6000-7fb51e3ea000 r--p 001c0000 08:01 655589                     /lib/x86_64-linux-gnu/libc-2.23.so
7fb51e3ea000-7fb51e3ec000 rw-p 001c4000 08:01 655589                     /lib/x86_64-linux-gnu/libc-2.23.so
7fb51e3ec000-7fb51e3f0000 rw-p 00000000 00:00 0 
7fb51e3f0000-7fb51e416000 r-xp 00000000 08:01 655548                     /lib/x86_64-linux-gnu/ld-2.23.so
7fb51e5f6000-7fb51e5f9000 rw-p 00000000 00:00 0 
7fb51e613000-7fb51e615000 rw-p 00000000 00:00 0 
7fb51e615000-7fb51e616000 r--p 00025000 08:01 655548                     /lib/x86_64-linux-gnu/ld-2.23.so
7fb51e616000-7fb51e617000 rw-p 00026000 08:01 655548                     /lib/x86_64-linux-gnu/ld-2.23.so
7fb51e617000-7fb51e618000 rw-p 00000000 00:00 0 
7ffea624c000-7ffea626d000 rw-p 00000000 00:00 0                          [stack]
7ffea635f000-7ffea6361000 r--p 00000000 00:00 0                          [vvar]
7ffea6361000-7ffea6363000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
lazenca0x0@ubuntu:~/Documents/Definition/protection/ASLR$ ./ASLR 
[Heap]  address: 0x1198010
[Stack] address: 0x7ffc75b423e0
[libc]  address: 0x7f6adb3bb830
^Z
[2]+  Stopped                 ./ASLR
lazenca0x0@ubuntu:~/Documents/Definition/protection/ASLR$ ps -ef |grep ASLR
lazenca+   8539   6173  0 02:13 pts/4    00:00:00 ./ASLR
lazenca+   8541   6369  0 02:13 pts/18   00:00:00 grep --color=auto ASLR
lazenca0x0@ubuntu:~/Documents/Definition/protection/ASLR$ cat /proc/8539/maps
00400000-00401000 r-xp 00000000 08:01 551811                             /home/lazenca0x0/Documents/Definition/protection/ASLR/ASLR
00600000-00601000 r--p 00000000 08:01 551811                             /home/lazenca0x0/Documents/Definition/protection/ASLR/ASLR
00601000-00602000 rw-p 00001000 08:01 551811                             /home/lazenca0x0/Documents/Definition/protection/ASLR/ASLR
01198000-011b9000 rw-p 00000000 00:00 0                                  [heap]
7f6adb39b000-7f6adb55b000 r-xp 00000000 08:01 655589                     /lib/x86_64-linux-gnu/libc-2.23.so
7f6adb55b000-7f6adb75b000 ---p 001c0000 08:01 655589                     /lib/x86_64-linux-gnu/libc-2.23.so
7f6adb75b000-7f6adb75f000 r--p 001c0000 08:01 655589                     /lib/x86_64-linux-gnu/libc-2.23.so
7f6adb75f000-7f6adb761000 rw-p 001c4000 08:01 655589                     /lib/x86_64-linux-gnu/libc-2.23.so
7f6adb761000-7f6adb765000 rw-p 00000000 00:00 0 
7f6adb765000-7f6adb78b000 r-xp 00000000 08:01 655548                     /lib/x86_64-linux-gnu/ld-2.23.so
7f6adb96b000-7f6adb96e000 rw-p 00000000 00:00 0 
7f6adb988000-7f6adb98a000 rw-p 00000000 00:00 0 
7f6adb98a000-7f6adb98b000 r--p 00025000 08:01 655548                     /lib/x86_64-linux-gnu/ld-2.23.so
7f6adb98b000-7f6adb98c000 rw-p 00026000 08:01 655548                     /lib/x86_64-linux-gnu/ld-2.23.so
7f6adb98c000-7f6adb98d000 rw-p 00000000 00:00 0 
7ffc75b23000-7ffc75b44000 rw-p 00000000 00:00 0                          [stack]
7ffc75b7a000-7ffc75b7c000 r--p 00000000 00:00 0                          [vvar]
7ffc75b7c000-7ffc75b7e000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
lazenca0x0@ubuntu:~/Documents/Definition/protection/ASLR$

/proc : process의 줄임말이며, 이 디렉토리에 프로세스의 정보들이 저장됩니다.
/proc/self : 현재 실행되고 있는 프로세스의 정보가 담겨있는 디렉토리입니다.
/proc/self/maps : 현재 실행되고 있는 프로세스의 주소 맵입니다. 

Example

Source code

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char *global = "Lazenca.0x0";
 
int main(){
	char *heap = malloc(100);
	char *stack[] = {"LAZENCA.0x0"};

	printf("[Heap]  address: %p\n", heap);
	printf("[Stack] address: %p\n", stack);
	printf("[libc]  address: %p\n",**(&stack + 3));
	printf("[.data] address: %p\n",global);
	gets(heap);
	return 0;
}

echo 0 > /proc/sys/kernel/randomize_va_space

lazenca0x0@ubuntu:~/Documents/Definition/protection/ASLR$ ./ASLR 
[Heap]  address: 0x602010
[Stack] address: 0x7fffffffe1f0
[libc]  address: 0x7ffff7a2d830
[.data] address: 0x400764
^C
lazenca0x0@ubuntu:~/Documents/Definition/protection/ASLR$ ./ASLR 
[Heap]  address: 0x602010
[Stack] address: 0x7fffffffe1f0
[libc]  address: 0x7ffff7a2d830
[.data] address: 0x400764
^C
lazenca0x0@ubuntu:~/Documents/Definition/protection/ASLR$ ./ASLR 
[Heap]  address: 0x602010
[Stack] address: 0x7fffffffe1f0
[libc]  address: 0x7ffff7a2d830
[.data] address: 0x400764
^C
lazenca0x0@ubuntu:~/Documents/Definition/protection/ASLR$ 

echo 1 > /proc/sys/kernel/randomize_va_space

lazenca0x0@ubuntu:~/Documents/Definition/protection/ASLR$ ./ASLR 
[Heap]  address: 0x602010
[Stack] address: 0x7ffc5bcf1640
[libc]  address: 0x7f37ba468830
[.data] address: 0x400764
^C                  
lazenca0x0@ubuntu:~/Documents/Definition/protection/ASLR$ ./ASLR 
[Heap]  address: 0x602010
[Stack] address: 0x7fff2ea773e0
[libc]  address: 0x7f6bd7256830
[.data] address: 0x400764
^C
lazenca0x0@ubuntu:~/Documents/Definition/protection/ASLR$ ./ASLR 
[Heap]  address: 0x602010
[Stack] address: 0x7ffd2f5f9ae0
[libc]  address: 0x7fba0f3b3830
[.data] address: 0x400764
^C
lazenca0x0@ubuntu:~/Documents/Definition/protection/ASLR$

echo 2 > /proc/sys/kernel/randomize_va_space

lazenca0x0@ubuntu:~/Documents/Definition/protection/ASLR$ ./ASLR 
[Heap]  address: 0x1ccb010
[Stack] address: 0x7ffe56b07500
[libc]  address: 0x7f896e125830
[.data] address: 0x400764
^C
lazenca0x0@ubuntu:~/Documents/Definition/protection/ASLR$ ./ASLR 
[Heap]  address: 0x127b010
[Stack] address: 0x7fffeb87cf70
[libc]  address: 0x7eff87928830
[.data] address: 0x400764
^C
lazenca0x0@ubuntu:~/Documents/Definition/protection/ASLR$ ./ASLR 
[Heap]  address: 0x179b010
[Stack] address: 0x7fff04362ea0
[libc]  address: 0x7f16e3ad6830
[.data] address: 0x400764
^C
lazenca0x0@ubuntu:~/Documents/Definition/protection/ASLR$ 

.data

lazenca0x0@ubuntu:~/Documents/Definition/protection/ASLR$ ./ASLR_PIE 
[Heap]  address: 0x55f20dc53010
[Stack] address: 0x7ffcbb14a3d0
[libc]  address: 0x7ff33b9a9830
[.data] address: 0x55f20ca499b4
^C
lazenca0x0@ubuntu:~/Documents/Definition/protection/ASLR$ ./ASLR_PIE 
[Heap]  address: 0x55fe918f7010
[Stack] address: 0x7fffe2f15390
[libc]  address: 0x7ff2eb2b8830
[.data] address: 0x55fe916ed9b4
^C
lazenca0x0@ubuntu:~/Documents/Definition/protection/ASLR$ ./ASLR_PIE 
[Heap]  address: 0x55a53fd1d010
[Stack] address: 0x7ffe38573570
[libc]  address: 0x7f450f523830
[.data] address: 0x55a53de679b4
^C
lazenca0x0@ubuntu:~/Documents/Definition/protection/ASLR$

How to detect ASLR in the "Checksec.sh" file

# check for system-wide ASLR support
aslrcheck() {
  # PaX ASLR support
  if !(cat /proc/1/status 2> /dev/null | grep -q 'Name:') ; then
    echo -n -e ':\033[33m insufficient privileges for PaX ASLR checks\033[m\n'
    echo -n -e '  Fallback to standard Linux ASLR check'
  fi
  
  if cat /proc/1/status 2> /dev/null | grep -q 'PaX:'; then
    printf ": "
    if cat /proc/1/status 2> /dev/null | grep 'PaX:' | grep -q 'R'; then
      echo -n -e '\033[32mPaX ASLR enabled\033[m\n\n'
    else
      echo -n -e '\033[31mPaX ASLR disabled\033[m\n\n'
    fi
  else
    # standard Linux 'kernel.randomize_va_space' ASLR support
    # (see the kernel file 'Documentation/sysctl/kernel.txt' for a detailed description)
    printf " (kernel.randomize_va_space): "
    if /sbin/sysctl -a 2>/dev/null | grep -q 'kernel.randomize_va_space = 1'; then
      echo -n -e '\033[33mOn (Setting: 1)\033[m\n\n'
      printf "  Description - Make the addresses of mmap base, stack and VDSO page randomized.\n"
      printf "  This, among other things, implies that shared libraries will be loaded to \n"
      printf "  random addresses. Also for PIE-linked binaries, the location of code start\n"
      printf "  is randomized. Heap addresses are *not* randomized.\n\n"
    elif /sbin/sysctl -a 2>/dev/null | grep -q 'kernel.randomize_va_space = 2'; then
      echo -n -e '\033[32mOn (Setting: 2)\033[m\n\n'
      printf "  Description - Make the addresses of mmap base, heap, stack and VDSO page randomized.\n"
      printf "  This, among other things, implies that shared libraries will be loaded to random \n"
      printf "  addresses. Also for PIE-linked binaries, the location of code start is randomized.\n\n"
    elif /sbin/sysctl -a 2>/dev/null | grep -q 'kernel.randomize_va_space = 0'; then
      echo -n -e '\033[31mOff (Setting: 0)\033[m\n'
    else
      echo -n -e '\033[31mNot supported\033[m\n'
    fi
    printf "  See the kernel file 'Documentation/sysctl/kernel.txt' for more details.\n\n"
  fi 
}
lazenca0x0@ubuntu:~/Documents/Definition/protection/ASLR$ cat /proc/1/status |grep 'Name'
Name:	systemd
lazenca0x0@ubuntu:~/Documents/Definition/protection/ASLR$ cat /proc/1/status |grep 'Pax'
lazenca0x0@ubuntu:~/Documents/Definition/protection/ASLR$ sysctl -a | grep 'kernel.randomize_va_space = '
sysctl: permission denied on key 'fs.protected_hardlinks'
sysctl: permission denied on key 'fs.protected_symlinks'
sysctl: permission denied on key 'kernel.cad_pid'
kernel.randomize_va_space = 2
sysctl: permission denied on key 'kernel.unprivileged_userns_apparmor_policy'
sysctl: permission denied on key 'kernel.usermodehelper.bset'
sysctl: permission denied on key 'kernel.usermodehelper.inheritable'
sysctl: permission denied on key 'net.ipv4.tcp_fastopen_key'
sysctl: permission denied on key 'net.ipv6.conf.all.stable_secret'
sysctl: permission denied on key 'net.ipv6.conf.default.stable_secret'
sysctl: permission denied on key 'net.ipv6.conf.ens33.stable_secret'
sysctl: permission denied on key 'net.ipv6.conf.lo.stable_secret'
lazenca0x0@ubuntu:~/Documents/Definition/protection/ASLR$ 

Related information

<div align="center">
<script async src="//pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script>
<!-- Contents -->
<ins class="adsbygoogle"
     style="display:inline-block;width:728px;height:90px"
     data-ad-client="ca-pub-1411820076951016"
     data-ad-slot="3793401480"></ins>
<script>
(adsbygoogle = window.adsbygoogle || []).push({});
</script>
</div>