October 11, 2008 / gus3

HOWTO: Test for Address Space Randomization in GNU/Linux

Address space layout randomization (ASLR) is a simple technique for making stack-smashing attacks less likely to succeed. Because binary code is loaded at somewhat-random virtual addresses, vulnerable code ends up in a different location each time; hostile code has no guarantee that its target vulnerability resides at any particular address.

A very simple hack in the GNU ELF loader/linker, documented in the ld.so(8) manual page, shows one of the randomized addresses. When the LD_SHOW_AUXV environment variable is set, the ld.so linker dumps the information in the Linux auxiliary vector, including the base address for shared object libraries. The following CLI command will expose this address:

( LD_SHOW_AUXV=yes ls ) | grep AT_BASE

Run the command several times. If the address changes from one invocation to the next, your system is using ASLR. If your particular Linux installation does not use address space randomization, then repeated invocations of this command will show the same base addresses for linked libraries, meaning:

  • Insecure code can reside at a predictable address, therefore
  • Your system is more vulnerable to attack.
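
The repeated-run test described above, scripted as an added example (not part of the original post): it samples AT_BASE several times and reports whether the values differ. The function names are made up for this example, and the read of /proc/sys/kernel/randomize_va_space is an extra cross-check the post does not mention.

```shell
#!/bin/sh
# Added example: repeat the LD_SHOW_AUXV test and classify the result.
# Function names are hypothetical; they are not from the post or from glibc.

# Print the AT_BASE value seen by one run of a dynamically linked program.
sample_at_base() {
    # glibc's ld.so writes the auxiliary vector to stdout when LD_SHOW_AUXV is set.
    LD_SHOW_AUXV=yes ls / 2>/dev/null | awk '$1 == "AT_BASE:" { print $2 }'
}

# Read one AT_BASE value per line on stdin and print a verdict:
#   randomized = at least two samples and they differ
#   static     = at least two samples, all identical
#   unknown    = fewer than two samples (e.g. a loader that ignores LD_SHOW_AUXV)
aslr_verdict() {
    awk 'NF { total++; if (!seen[$1]++) distinct++ }
         END {
             if (total < 2)         print "unknown"
             else if (distinct > 1) print "randomized"
             else                   print "static"
         }'
}

# Cross-check (not in the post): the kernel's own switch.
# 0 = disabled, 1 or 2 = enabled (2 also randomizes the brk heap).
kernel_setting() {
    f=/proc/sys/kernel/randomize_va_space
    if [ -r "$f" ]; then cat "$f"; else echo "n/a"; fi
}

# Take N samples (default 5) and report both observations.
check_aslr() {
    runs=${1:-5}
    i=0
    samples=""
    while [ "$i" -lt "$runs" ]; do
        samples="$samples$(sample_at_base)
"
        i=$((i + 1))
    done
    echo "AT_BASE across $runs runs: $(printf '%s' "$samples" | aslr_verdict)"
    echo "kernel.randomize_va_space: $(kernel_setting)"
}

check_aslr 5
```

A "static" verdict with a non-zero kernel setting is worth investigating; a process personality that disables randomization (as setarch -R sets) produces exactly that combination.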

Most desktop Linux distributions are configured with ASLR; if yours is not, I strongly suggest you file a bug report for your distribution developer(s).

You can view other Linux auxiliary vector values with a simple LD_SHOW_AUXV=yes ls in a shell/terminal. The Linux ld.so program can display more information through even more environment variables; see ld.so(8).

Nota bene: There is no guarantee that environment variables affecting ld.so at this writing will continue to do so; check your distribution’s online documentation to be sure.
