Tuesday, December 13, 2016

C, Solaris & SPARC M7: Get Defensive with Few Techniques .. Part 2/3

Solaris: Address Space Layout Randomization (ASLR)

Address Space Layout Randomization (ASLR) is a security defense mechanism against attacks such as buffer overflows and Return Oriented Programming (ROP) that exploit software vulnerabilities. In a ROP attack, an attacker who gains control of a process's call stack at runtime redirects the program's control flow to execute instructions of the attacker's choice.

All major operating systems, including Solaris, support Address Space Layout Randomization to minimize the risk of such attacks. Without it, userland processes place key areas of their address space at known addresses. ASLR randomizes the starting addresses of those key areas of the process address space: the base of the executable, the stack, the brk-based heap, and memory mappings, including the mappings of libraries.

On Solaris, ASLR is configurable at the system level (global & local zones) and at the binary and process level with the help of the sxadm command line utility. It is possible to enable or disable ASLR for all processes, or to selectively enable/disable ASLR for certain applications by tagging the related binaries. A tag is just a special ELF entry inside the target binary's dynamic section that explicitly tells whether or not to enable the defense mechanism. Binary tagging takes precedence over the system-level configuration. Out of the box, many userland binaries on Solaris are tagged to enable ASLR; and by default, Solaris boots the global and all non-global zones with ASLR enabled only for those binaries that are explicitly marked (tagged) to support it.

The rest of the post demonstrates ASLR configuration with a few examples.

Current ASLR Settings

% sxadm info aslr
EXTENSION           STATUS                        CONFIGURATION
aslr                enabled (tagged-files)        default (default)

Above output shows that ASLR is currently enabled for tagged binaries, which is the default behavior on recent Solaris 11 updates.

Tag a Specific Userland Binary to Enable ASLR

Developers can rely on the link-editor's "-z aslr=.." option to selectively tag certain dynamic executables and position-independent executables to enable or disable ASLR for those binaries.

% elfdump -d <somebin> | grep -i aslr
%
 ^^^^ binary not tagged for ASLR

 .. tag to enable ASLR ..

% cc -z aslr <obj-files> -o <somebin> 
% elfdump -d <somebin> | grep -i aslr
     [34]  SUNW_ASLR       0x2          ENABLE
                                        ^^^^^^ binary tagged to enable ASLR

 .. tag to disable ASLR ..

% cc -z aslr=disable <obj-files> -o <somebin> 
% elfdump -d <somebin> | grep -i aslr
     [34]  SUNW_ASLR       0x1          DISABLE
                                        ^^^^^^ binary tagged to disable ASLR

System-wide ASLR Configuration

ASLR is managed as a security extension by the sxadm command line utility. sxadm command configures and controls Solaris security extensions both at the system level (global zone, non-global zone) and at the process level.

The enable and disable subcommands enable and disable ASLR system-wide, and the delcust subcommand resets custom ASLR configuration to the out-of-the-box default configuration.

Please check the man page of sxadm(1M) for detailed information about all supported options.

% sxadm info aslr
EXTENSION           STATUS                        CONFIGURATION
aslr                enabled (tagged-files)        default (default)

 .. enable ASLR system-wide .. 

# sxadm enable -c model=all aslr
# sxadm info aslr
EXTENSION           STATUS                        CONFIGURATION
aslr                enabled (all)                 enabled (all)

 .. enable ASLR system-wide only for the tagged binaries ..

# sxadm enable -c model=tagged-files aslr
# sxadm info aslr
EXTENSION           STATUS                        CONFIGURATION
aslr                enabled (tagged-files)        enabled (tagged-files)

 .. disable ASLR system-wide ..

# sxadm disable aslr
# sxadm info aslr
EXTENSION           STATUS                        CONFIGURATION
aslr                disabled                      disabled

 .. reset custom/current config to default ..

# sxadm delcust aslr
# sxadm info aslr
EXTENSION           STATUS                        CONFIGURATION
aslr                enabled (tagged-files)        default (default)

Runtime Process Level ASLR Configuration

The sxadm command supports runtime process configuration through the "sxadm exec" interface. Child processes of the command executed via "sxadm exec" inherit the same security extension configuration unless the child process is executing a setuid binary or is more privileged.

# sxadm disable  aslr

 .. enable ASLR during runtime for pmap process ..

# sxadm exec -s aslr=enable /usr/bin/pmap self | grep heap
00000039452A8000         32K rw-----    [ heap ]
00000039452B0000         64K rw-----    [ heap ]

# sxadm exec -s aslr=enable /usr/bin/pmap self | grep heap
00000039B567E000          8K rw-----    [ heap ]
00000039B5680000         64K rw-----    [ heap ]

 .. disable ASLR during runtime for pmap process ..

# sxadm exec -s aslr=disable /usr/bin/pmap self | grep heap
000000010010A000         24K rwx----    [ heap ]
0000000100110000         64K rw-----    [ heap ]

# sxadm exec -s aslr=disable /usr/bin/pmap self | grep heap
000000010010A000         24K rwx----    [ heap ]
0000000100110000         64K rw-----    [ heap ]

Binary tagging takes precedence over the runtime process configuration if the binary was tagged to disable ASLR.
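As an added example (not part of the original post), a small POSIX shell script that checks ASLR empirically instead of trusting the status line alone: it parses the elfdump -d and pmap output formats shown above, and samples the heap base over several runs under sxadm exec, which is the comparison the pmap runs in this section perform by hand. sxadm, pmap and elfdump are assumed to be present and to print the formats quoted on this page; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): helpers to verify Solaris ASLR
# empirically rather than trusting the sxadm status line alone.
# Assumptions: sxadm, pmap and elfdump behave as shown in the post; the
# parsers below are written against the exact output formats quoted there.

# Read "elfdump -d <bin>" output on stdin and print the binary's ASLR tag:
# "enable", "disable", or "untagged" when no SUNW_ASLR entry is present.
aslr_tag() {
    awk '$2 == "SUNW_ASLR" { print tolower($4); found = 1; exit }
         END { if (!found) print "untagged" }'
}

# Read pmap output on stdin and print the base address of the first heap
# mapping (the field the post compares between runs).
heap_base() {
    awk '/\[ heap \]/ { print $1; exit }'
}

# Read one address per line on stdin and print how many distinct values occur.
distinct_count() {
    sort -u | wc -l | tr -d ' '
}

# Run pmap on itself $2 times under "sxadm exec -s aslr=$1" and print the
# number of distinct heap bases seen. A result of 1 means the heap never
# moved, so ASLR was not in effect for that process (for example because the
# binary is tagged DISABLE, which overrides the runtime setting).
sample_heap_bases() {
    setting=$1; runs=$2; i=0
    while [ "$i" -lt "$runs" ]; do
        sxadm exec -s aslr="$setting" /usr/bin/pmap self | heap_base
        i=$((i + 1))
    done | distinct_count
}

# Returns 0 (true) when a distinct-base count indicates randomization.
aslr_active() {
    [ "$1" -gt 1 ]
}

# Only meaningful on a Solaris host; elsewhere sxadm is absent and this is skipped.
if command -v sxadm >/dev/null 2>&1 && [ "${1:-}" = "--run" ]; then
    for s in enable disable; do
        n=$(sample_heap_bases "$s" 5)
        if aslr_active "$n"; then v=randomized; else v="NOT randomized"; fi
        echo "aslr=$s: $n distinct heap base(s) in 5 runs -> $v"
    done
fi
```

On a Solaris host, `sh aslr_check.sh --run` prints one verdict per setting; `elfdump -d <somebin> | aslr_tag` reports how a given binary is tagged.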

Note:

ASLR can make debugging harder, especially when the exercise requires consistent and repeatable conditions, including address space offsets. In such situations, temporarily disable ASLR for the target binary (best case) or for the entire system (worst case) until the debugging exercise completes.
