Solaris: Address Space Layout Randomization (ASLR)
Address Space Layout Randomization is a security defense mechanism against attacks like buffer overflow or Return Oriented Programming (ROP) attacks that exploit software vulnerabilities. An attacker gaining control of the call stack of a process at runtime to manipulate program control flow to execute instructions of choice is an ROP attack.
All major operating systems including Solaris support Address Space Layout Randomization to minimize the risk of such attacks. In general, user land processes place the starting address of key areas at a known place. ASLR randomizes the starting address of the key areas of the proces address space such as the base of the executable, stack, brk
-based heap, memory mappings including the mapping of libraries.
On Solaris, ASLR is configurable at the system level (global & local zones) and at the binary and process level with the help of sxadm
command line utility. It is possible to enable or disable ASLR for all processes; or selectively enable/disable ASLR for certain applications by tagging related binaries. Tagging is just a special ELF entry inside target binary's dynamic section that explicitly tells whether or not to enable the defense mechanism. Binary tagging has precedence over the system-level configuration. Out of the box, many of userland binaries are tagged on Solaris to enable ASLR; and by default, Solaris boots the global and all non-global zones with ASLR enabled only for those binaries that are explicitly marked (tagged) to support it.
Rest of the post demonstrates ASLR configuration with few examples.
Current ASLR Settings
% sxadm info aslr EXTENSION STATUS CONFIGURATION aslr enabled (tagged-files) default (default)
Above output shows that ASLR is currently enabled for tagged binaries, which is the default behavior on recent Solaris 11 updates.
Tag a Specific Userland Binary to Enable ASLR
Developers can rely on link-editor's "-z aslr=..
" option to selectively tag certain dynamic executables and position-independent executables to enable or disable ASLR for those binaries.
% elfdump -d <somebin> | grep -i aslr % ^^^^ binary not tagged for ASLR .. tag to enable ASLR .. % cc -z aslr <obj-files> -o <somebin> % elfdump -d <somebin> | grep -i aslr [34] SUNW_ASLR 0x2 ENABLE ^^^^^^ binary tagged to enable ASLR .. tag to disable ASLR .. % cc -z aslr=disable <obj-files> -o <somebin> % elfdump -d <somebin> | grep -i aslr [34] SUNW_ASLR 0x1 DISABLE ^^^^^^ binary tagged to disable ASLR
System-wide ASLR Configuration
ASLR is managed as a security extension by the sxadm
command line utility. sxadm
command configures and controls Solaris security extensions both at the system level (global zone, non-global zone) and at the process level.
The enable
and disable
subcommands enable and disable ASLR system-wide, and the delcust
subcommand resets custom ASLR configuration to the out-of-the-box default configuration.
Please check the man page of sxadm(1M)
for detailed information about all supported options.
% sxadm info aslr EXTENSION STATUS CONFIGURATION aslr enabled (tagged-files) default (default) .. enable ASLR system-wide .. # sxadm enable -c model=all aslr # sxadm info aslr EXTENSION STATUS CONFIGURATION aslr enabled (all) enabled (all) .. enable ASLR system-wide only for the tagged binaries .. # sxadm enable -c model=tagged-files aslr # sxadm info aslr EXTENSION STATUS CONFIGURATION aslr enabled (tagged-files) enabled (tagged-files) .. disable ASLR system-wide .. # sxadm disable aslr # sxadm info aslr EXTENSION STATUS CONFIGURATION aslr disabled disabled .. reset custom/current config to default .. # sxadm delcust aslr # sxadm info aslr EXTENSION STATUS CONFIGURATION aslr enabled (tagged-files) default (default)
Runtime Process Level ASLR Configuration
sxadm
command supports runtime process configuration through "sxadm exec
" interface. Child processes of the command executed via "sxadm exec
" inherit the same security extension configuration unless the child process is executing a setuid binary or is more privileged.
# sxadm disable aslr .. enable ASLR during runtime forpmap
process .. # sxadm exec -s aslr=enable /usr/bin/pmap self | grep heap 00000039452A8000 32K rw----- [ heap ] 00000039452B0000 64K rw----- [ heap ] # sxadm exec -s aslr=enable /usr/bin/pmap self | grep heap 00000039B567E000 8K rw----- [ heap ] 00000039B5680000 64K rw----- [ heap ] .. disable ASLR during runtime forpmap
process .. # sxadm exec -s aslr=disable /usr/bin/pmap self | grep heap 000000010010A000 24K rwx---- [ heap ] 0000000100110000 64K rw----- [ heap ] # sxadm exec -s aslr=disable /usr/bin/pmap self | grep heap 000000010010A000 24K rwx---- [ heap ] 0000000100110000 64K rw----- [ heap ]
Binary tagging takes precedence over runtime process conconfiguration if the binary was tagged to disable ASLR.
Note:
ASLR might give a hard time especially during debugging that require consistent and repeatable conditions including address space offsets. In such situations, disable ASLR tentatively for the target binary (best case) or for the entire system (worst case) until the debugging exercise completes.
No comments:
Post a Comment