Less known, but frequently used Solaris feature: Address space layout randomisation
One of the features introduced with Solaris 11.1 is Address Space Layout Randomization (ASLR), and when you work with 11.1 you are already using it. So it is a less known, but frequently used feature: less known in that few people are aware it exists or know how to control it, frequently used because it is activated by default for selected binaries (and many binaries were selected).
Address Space Layout Randomization?
Simply put, the basic idea behind ASLR is that it is harder to make assumptions about the layout of a process's address space when that layout is randomised, and such assumptions are exactly what certain attack vectors depend on. As Wikipedia explains:
Address space layout randomization (ASLR) is a computer security method which involves randomly arranging the positions of key data areas, usually including the base of the executable and position of libraries, heap, and stack, in a process's address space.
[..]
Address space randomization hinders some types of security attacks by making it more difficult for an attacker to predict target addresses. For example, attackers trying to execute return-to-libc attacks must locate the code to be executed, while other attackers trying to execute shellcode injected on the stack have to find the stack first. In both cases, the system obscures related memory-addresses from the attackers. These values have to be guessed, and a mistaken guess is not usually recoverable due to the application crashing.
With Solaris 11.1, ASLR is available in Solaris as well.
How to control it in Solaris
To control directly on the command line whether a binary uses ASLR when it is started, you can use the sxadm exec command.
Let us use pmap to show the memory layout of a process. We start with ASLR disabled.
When you try this a second time you will see that the address space layout is exactly the same.
Now we try the same with ASLR enabled.
Okay, a second time again:
As you have surely noticed, the layout is different now with every run of the application.
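A scripted version of the comparison above, added here as an example and not taken from the original post: it starts a throw-away process twice under sxadm exec, once with ASLR forced off and once with it forced on, and compares the address column of the two pmap listings. The `sxadm exec -s aslr=enable|disable` syntax, the use of `/usr/bin/sleep` as the test binary and the pmap column layout are assumed from Solaris 11.1; the embedded listings are constructed samples, so the helper can be exercised on any system, while the live checks only run where sxadm exists.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes Solaris 11.1 syntax:
#   sxadm exec -s aslr=enable|disable <command>
# and the pmap listing format "ADDR  SIZEK  PERMS  OBJECT".

# Print the start address of every mapping in a pmap listing. The header
# line ("pid: command") and the trailing " total ..." line are skipped.
map_addresses() {
  printf '%s\n' "$1" | awk '$1 ~ /^[0-9A-Fa-f]+$/ && $2 ~ /K$/ { print $1 }'
}

# True (exit 0) when the two listings place at least one mapping at a
# different address, i.e. the layout changed between the two runs.
layouts_differ() {
  [ "$(map_addresses "$1")" != "$(map_addresses "$2")" ]
}

# Start a throw-away process with ASLR forced on or off ($1 = enable|disable),
# print its pmap listing, then terminate it. $! is the child's pid because
# sxadm exec replaces itself with the command it runs.
layout_with_aslr() {
  sxadm exec -s "aslr=$1" /usr/bin/sleep 60 >/dev/null 2>&1 &
  pid=$!
  sleep 1                       # let the child finish loading its libraries
  pmap "$pid"
  kill "$pid"
}

# Run the same binary twice with the given setting and report whether the
# layouts differ. Exit status 0 means "randomised".
check_aslr() {
  first=$(layout_with_aslr "$1")
  second=$(layout_with_aslr "$1")
  if layouts_differ "$first" "$second"; then
    echo "aslr=$1: layouts differ between runs (randomised)"
    return 0
  fi
  echo "aslr=$1: layouts identical between runs (not randomised)"
  return 1
}

# Constructed, abridged sample listings standing in for pmap output; the
# addresses are invented for illustration only.
SAMPLE_FIXED='12345:  /usr/bin/sleep 60
00010000      8K r-x--  /usr/bin/sleep
00022000      8K rwx--  /usr/bin/sleep
FF280000   1248K r-x--  /lib/libc.so.1
 total     1264K'
SAMPLE_RANDOM_A='12346:  /usr/bin/sleep 60
7A310000      8K r-x--  /usr/bin/sleep
7A322000      8K rwx--  /usr/bin/sleep
FEA80000   1248K r-x--  /lib/libc.so.1
 total     1264K'
SAMPLE_RANDOM_B='12347:  /usr/bin/sleep 60
3C650000      8K r-x--  /usr/bin/sleep
3C662000      8K rwx--  /usr/bin/sleep
FD140000   1248K r-x--  /lib/libc.so.1
 total     1264K'

# Talk to the real system only where sxadm exists (i.e. on Solaris);
# run it as root, as in the post.
if command -v sxadm >/dev/null 2>&1; then
  check_aslr disable || true    # expected: identical layouts
  check_aslr enable  || true    # expected: different layouts
fi
```

Comparing only the address column keeps the check independent of the pid in the header line; a single differing mapping is enough to call the run randomised, which is what you want when verifying that a setting took effect.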
I told you that you are already using ASLR. It is controlled by a system-wide setting, which you can check with sxadm info.
Okay, it is enabled for tagged files. Tagged files? A binary can carry a flag in its ELF dynamic section (set at link time with the link-editor option -z aslr) that tells the system whether to use ASLR for it when the security extension runs in the tagged-files model. You can look up this flag with the elfdump tool.
Currently the flag is set to enable, so pmap uses ASLR as long as the extension itself is enabled in the tagged-files model. Now we disable it. To change this kind of information in the dynamic section of a binary, you use the elfedit tool. Keep in mind that elfedit rewrites the installed file in place, so pkg verify will report the binary as modified afterwards.
Running the elfdump tool again, you will see that the value has changed:
The next step is to check the result of this change. Note that this time we do not use the sxadm command: the behaviour is now determined by the tag in the binary alone.
No randomisation. Now we change the tag in the binary back again:
Short check.
As you see, randomization is back.
How to change the default behaviour
The next obvious question is how to change the default behaviour. When you want to change it to "ASLR for all", you can do it this way:
There is no model=off, you disable it in order to ensure that no
In order to set it back to the default state, you use this command:
This default is valid only for the zone in which you made the configuration change.
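The tag handling and the model change above, scripted with a check after each step. This is an added example and not code from the original post: the `elfdump -d` column layout, the `elfedit -e 'dyn:sunw_aslr enable|disable'` command and the `sxadm enable -c model=all|tagged-files aslr` form are assumed from Solaris 11.1, the embedded elfdump listings are constructed samples, and the live part works on a copy of the binary so that no installed file is modified.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed Solaris 11.1 syntax:
#   elfdump -d <binary>                      (shows the SUNW_ASLR tag)
#   elfedit -e 'dyn:sunw_aslr enable' <bin>  (sets the tag in place)
#   sxadm enable -c model=all aslr           (system-wide model)

# Extract the SUNW_ASLR tag from "elfdump -d" output. Prints ENABLE or
# DISABLE, or NONE when the binary carries no tag at all (such a binary is
# randomised only when the system model is "all").
aslr_tag_from_dynamic() {
  printf '%s\n' "$1" | awk '
    $2 == "SUNW_ASLR" { print $4; found = 1 }
    END { if (!found) print "NONE" }'
}

# Live wrappers (Solaris only).
aslr_tag()       { aslr_tag_from_dynamic "$(elfdump -d "$1")"; }
set_aslr_tag()   { elfedit -e "dyn:sunw_aslr $2" "$1"; }    # $2 = enable|disable
set_aslr_model() { sxadm enable -c "model=$1" aslr; }        # $1 = all|tagged-files

# Flip the tag of a binary and confirm each change took. Works on a copy:
# elfedit rewrites the file in place, and "pkg verify" would otherwise
# report a modified system binary afterwards.
toggle_tag_demo() {
  tmp=/tmp/aslr-demo.$$
  cp "$1" "$tmp" || return 1
  echo "original tag of $1: $(aslr_tag "$tmp")"
  for want in disable enable; do
    set_aslr_tag "$tmp" "$want"
    got=$(aslr_tag "$tmp")
    # elfdump reports the value in upper case
    if [ "$got" != "$(echo "$want" | tr '[:lower:]' '[:upper:]')" ]; then
      echo "setting tag to $want failed (elfdump reports $got)"
      rm -f "$tmp"
      return 1
    fi
    echo "tag now $got: run $tmp twice under pmap to confirm the layout"
  done
  rm -f "$tmp"
}

# Constructed, abridged elfdump -d listings for a tagged and an untagged
# binary (index and offset values invented for illustration).
SAMPLE_TAGGED='Dynamic Section:  .dynamic
     index  tag                value
       [0]  NEEDED            0x1a2                libc.so.1
      [12]  SUNW_ASLR         0x2                  ENABLE'
SAMPLE_UNTAGGED='Dynamic Section:  .dynamic
     index  tag                value
       [0]  NEEDED            0x1a2                libc.so.1
      [12]  FLAGS_1           0x0'

# Live part: only on a system that has sxadm (run as root, as in the post).
if command -v sxadm >/dev/null 2>&1; then
  toggle_tag_demo /usr/bin/sleep
  sxadm info                     # current model, normally tagged-files
  set_aslr_model all             # randomise every binary in this zone
  sxadm info
  set_aslr_model tagged-files    # back to the default model
fi
```

The tag check is deliberately strict: after every elfedit call the script re-reads the dynamic section instead of trusting elfedit's exit status, which is the same "change, then verify" discipline the post follows with elfdump and pmap. Switching the model to "all" is the simplest way to get ASLR for binaries that carry no tag at all, including your own untagged programs.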