The idea behind address space layout randomization (ASLR) is to randomize the location of functions and variables by placing the base of the segment at random locations. The question is, how random is random?
First, use busy_wait.c to see if ASLR is on. To do this, run the program in the background, and use the command
cat /proc/pid/maps | grep stack
to find the base address of the stack. Repeat this several times (the script stack_base.sh will help you do this). If the base changes, ASLR is working.
To compute the randomness of the base address, and hence of ASLR, you need to do this repeatedly, and see how many bits change.
A quicker way is to print out the address of a variable on the stack. Do this repeatedly, and see how many bits differ. A good side-effect is to see which bits do change.
Three programs will help you do this:
Figure out how to put them together and use them to estimate the number of bits of uncertainty in your system’s ASLR implementation.
Credit: these are adapted from Unit 5, Handling Defenses: Randomization and Cannaries, by Prof. Adam Aviv.
|ECS 198, Preparation for Capture-the-Flag via Exploits
Fall Quarter 2018