Some notes on ASLR and PIE under Linux
Posted by rec0rd
From the material I have read so far, I have reached the following tentative conclusions:

First, ASLR is an operating-system option that acts when an executable (ELF) is loaded into memory to run, so on its own it can only randomize the base addresses of the stack, the heap and the shared libraries. PIE (Position Independent Executables) is a compiler option (gcc's -fPIE) that acts at compile time; it can be understood as a special case of PIC (Position Independent Code, otherwise used for .so files). An ELF built with PIE is reported by the file command as a shared object, and its load base (the common base of the code segment, .plt, .got, .data and so on) is randomized as well.

Second, ASLR predates PIE, which is why ASLR-bypass techniques such as return-to-plt, GOT hijacking and stack pivoting (to get around stack randomization) exist. Once ASLR and PIE are combined, these bypasses no longer work, and an attacker has to rely on some other information-leak vulnerability to obtain a base address (usually the libc base).

Finally, ASLR has three levels, 0/1/2 (set through /proc/sys/kernel/randomize_va_space, as in the second example below): 0 means ASLR is off, 1 randomizes the stack and the libraries, and 2 additionally randomizes the heap.

Below are process memory layouts under different ASLR (a property of the running process) and PIE (a property of the executable) configurations, so that the difference between the two is easy to see:
Example: ASLR 1, no PIE
linux-jiangxin:/home/jiangxin/experiment/fuzz/AFL/target/libsndfile-1.0.28/fuzz # file /bin/sleep
/bin/sleep: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), for GNU/Linux 2.6.4, dynamically linked (uses shared libs), stripped
linux-jiangxin:/home/jiangxin/experiment/fuzz/AFL/target/libsndfile-1.0.28/fuzz # sleep 100 &
[2] 14408
linux-jiangxin:/home/jiangxin/experiment/fuzz/AFL/target/libsndfile-1.0.28/fuzz # cat /proc/14408/maps
00400000-00406000 r-xp 00000000 08:07 5464121 /bin/sleep  <- unchanged (no PIE)
00605000-00606000 r--p 00005000 08:07 5464121 /bin/sleep
00606000-00607000 rw-p 00006000 08:07 5464121 /bin/sleep
00607000-00628000 rw-p 00000000 00:00 0 [heap]  <- unchanged (ASLR 1)
7f81a6b76000-7f81a6ce4000 r-xp 00000000 08:07 131081 /lib64/libc-2.11.3.so  <- changes (ASLR 1)
7f81a6ce4000-7f81a6ee3000 ---p 0016e000 08:07 131081 /lib64/libc-2.11.3.so
7f81a6ee3000-7f81a6ee7000 r--p 0016d000 08:07 131081 /lib64/libc-2.11.3.so
7f81a6ee7000-7f81a6ee8000 rw-p 00171000 08:07 131081 /lib64/libc-2.11.3.so
7f81a6ee8000-7f81a6eed000 rw-p 00000000 00:00 0
...
7ffe0f4cd000-7ffe0f4ee000 rw-p 00000000 00:00 0 [stack]  <- changes (ASLR 1)
7ffe0f541000-7ffe0f543000 r--p 00000000 00:00 0 [vvar]
7ffe0f543000-7ffe0f545000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
linux-jiangxin:/home/jiangxin/experiment/fuzz/AFL/target/libsndfile-1.0.28/fuzz # sleep 100 &
[3] 14411
linux-jiangxin:/home/jiangxin/experiment/fuzz/AFL/target/libsndfile-1.0.28/fuzz # cat /proc/14411/maps
00400000-00406000 r-xp 00000000 08:07 5464121 /bin/sleep  <- unchanged (no PIE)
00605000-00606000 r--p 00005000 08:07 5464121 /bin/sleep
00606000-00607000 rw-p 00006000 08:07 5464121 /bin/sleep
00607000-00628000 rw-p 00000000 00:00 0 [heap]  <- unchanged (ASLR 1)
7fa3e97c1000-7fa3e992f000 r-xp 00000000 08:07 131081 /lib64/libc-2.11.3.so  <- changes (ASLR 1)
7fa3e992f000-7fa3e9b2e000 ---p 0016e000 08:07 131081 /lib64/libc-2.11.3.so
7fa3e9b2e000-7fa3e9b32000 r--p 0016d000 08:07 131081 /lib64/libc-2.11.3.so
7fa3e9b32000-7fa3e9b33000 rw-p 00171000 08:07 131081 /lib64/libc-2.11.3.so
7fa3e9b33000-7fa3e9b38000 rw-p 00000000 00:00 0
...
7ffcc90e3000-7ffcc9104000 rw-p 00000000 00:00 0 [stack]  <- changes (ASLR 1)
7ffcc91ad000-7ffcc91af000 r--p 00000000 00:00 0 [vvar]
7ffcc91af000-7ffcc91b1000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
Example: ASLR 2, PIE
linux-jiangxin:~/Desktop/qemu/qemu-2.4.0/bin # echo 2 > /proc/sys/kernel/randomize_va_space
linux-jiangxin:~/Desktop/qemu/qemu-2.4.0/bin # file qemu-system-x86_64
qemu-system-x86_64: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), for GNU/Linux 2.6.4, dynamically linked (uses shared libs), not stripped
linux-jiangxin:~/Desktop/qemu/qemu-2.4.0/bin # ./qemu-system-x86_64 &
[2] 14757
linux-jiangxin:~/Desktop/qemu/qemu-2.4.0/bin # VNC server running on `::1:5901'
linux-jiangxin:~/Desktop/qemu/qemu-2.4.0/bin # cat /proc/14757/maps
5579dff02000-5579e059d000 r-xp 00000000 08:07 666008 /root/Desktop/qemu/qemu-2.4.0/bin/qemu-system-x86_64  <- changes (PIE)
5579e079d000-5579e0869000 r-xp 0069b000 08:07 666008 /root/Desktop/qemu/qemu-2.4.0/bin/qemu-system-x86_64
5579e0869000-5579e08e7000 rwxp 00767000 08:07 666008 /root/Desktop/qemu/qemu-2.4.0/bin/qemu-system-x86_64
5579e08e7000-5579e0d75000 rwxp 00000000 00:00 0
5579e2811000-5579e4b95000 rwxp 00000000 00:00 0 [heap]  <- changes (ASLR 2)
7f3916000000-7f3916001000 rwxp 00000000 00:00 0
7f3916200000-7f3916201000 rwxp 00000000 00:00 0
7f3916400000-7f3916600000 rwxp 00000000 00:00 0
...
7f39259f0000-7f3925b5e000 r-xp 00000000 08:07 131081 /lib64/libc-2.11.3.so
7f3925b5e000-7f3925d5d000 ---p 0016e000 08:07 131081 /lib64/libc-2.11.3.so
7f3925d5d000-7f3925d61000 r-xp 0016d000 08:07 131081 /lib64/libc-2.11.3.so
7f3925d61000-7f3925d62000 rwxp 00171000 08:07 131081 /lib64/libc-2.11.3.so
7f3925d62000-7f3925d67000 rwxp 00000000 00:00 0
...
7ffec288e000-7ffec28af000 rwxp 00000000 00:00 0 [stack]
7ffec28f6000-7ffec28f8000 r--p 00000000 00:00 0 [vvar]
7ffec28f8000-7ffec28fa000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
linux-jiangxin:~/Desktop/qemu/qemu-2.4.0/bin # ./qemu-system-x86_64 &
[3] 14764
linux-jiangxin:~/Desktop/qemu/qemu-2.4.0/bin # VNC server running on `::1:5902'
linux-jiangxin:~/Desktop/qemu/qemu-2.4.0/bin # cat /proc/14764/maps
5636e240c000-5636e2aa7000 r-xp 00000000 08:07 666008 /root/Desktop/qemu/qemu-2.4.0/bin/qemu-system-x86_64  <- changes (PIE)
5636e2ca7000-5636e2d73000 r-xp 0069b000 08:07 666008 /root/Desktop/qemu/qemu-2.4.0/bin/qemu-system-x86_64
5636e2d73000-5636e2df1000 rwxp 00767000 08:07 666008 /root/Desktop/qemu/qemu-2.4.0/bin/qemu-system-x86_64
5636e2df1000-5636e327f000 rwxp 00000000 00:00 0
5636e483c000-5636e6bc0000 rwxp 00000000 00:00 0 [heap]  <- changes (ASLR 2)
7fdb88e00000-7fdb88e01000 rwxp 00000000 00:00 0
7fdb89000000-7fdb89001000 rwxp 00000000 00:00 0
7fdb89200000-7fdb89400000 rwxp 00000000 00:00 0
...
7fdb98831000-7fdb9899f000 r-xp 00000000 08:07 131081 /lib64/libc-2.11.3.so
7fdb9899f000-7fdb98b9e000 ---p 0016e000 08:07 131081 /lib64/libc-2.11.3.so
7fdb98b9e000-7fdb98ba2000 r-xp 0016d000 08:07 131081 /lib64/libc-2.11.3.so
7fdb98ba2000-7fdb98ba3000 rwxp 00171000 08:07 131081 /lib64/libc-2.11.3.so
7fdb98ba3000-7fdb98ba8000 rwxp 00000000 00:00 0
...
7ffffb724000-7ffffb745000 rwxp 00000000 00:00 0 [stack]
7ffffb779000-7ffffb77b000 r--p 00000000 00:00 0 [vvar]
7ffffb77b000-7ffffb77d000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
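The comparison the post does by eye in the two dumps above can be made mechanical. This is an added example in Python, not code from the original post: it parses /proc/<pid>/maps text, reports which region bases moved between two runs of the same binary, checks that against what each randomize_va_space level should randomize (assuming, as the kernel behaves, that a PIE image only moves when ASLR is enabled), and reads e_type from an ELF header to tell the ET_DYN "shared object" that file reports for a PIE from an ET_EXEC executable. The sample maps lines are constructed from the two /bin/sleep runs shown above.

```python
import re
import struct
# /proc/<pid>/maps line: range, perms, offset, dev, inode, optional pathname
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\d+\s*(.*)$")

def parse_maps(text):
    """Return (start, end, perms, path) for every maps line in text."""
    regions = []
    for line in text.strip().splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            regions.append((int(m[1], 16), int(m[2], 16), m[3], m[4].strip()))
    return regions

def region_bases(regions, exe):
    """Lowest mapped address of the executable image, [heap], libc and [stack]."""
    bases = {}
    for start, _end, _perms, path in regions:
        key = "exe" if path == exe else "libc" if "/libc" in path else path.strip("[]")
        if key in ("exe", "libc", "heap", "stack"):
            bases[key] = min(start, bases.get(key, start))
    return bases

def compare_runs(maps_a, maps_b, exe):
    """Per region, 'changes' if its base differs between the two runs, else 'unchanged'."""
    a = region_bases(parse_maps(maps_a), exe)
    b = region_bases(parse_maps(maps_b), exe)
    return {k: "changes" if a[k] != b[k] else "unchanged" for k in a if k in b}

def expected_movers(level, pie):
    """Movers per randomize_va_space level: 1 = libraries + stack (+ image if PIE), 2 adds the brk heap."""
    movers = {"libc", "stack"} | ({"exe"} if pie else set()) if level >= 1 else set()
    return movers | ({"heap"} if level >= 2 else set())

def elf_is_pie(header):
    """e_type ET_DYN (3) is the 'shared object' file reports for a PIE; ET_EXEC (2) is fixed-base."""
    if header[:4] != b"\x7fELF":
        raise ValueError("not an ELF header")
    (e_type,) = struct.unpack_from(("<" if header[5] == 1 else ">") + "H", header, 16)
    return e_type == 3

# Constructed from the two /bin/sleep runs above (ASLR 1, no PIE), trimmed to the regions compared.
RUN_A = """00400000-00406000 r-xp 00000000 08:07 5464121 /bin/sleep
00607000-00628000 rw-p 00000000 00:00 0 [heap]
7f81a6b76000-7f81a6ce4000 r-xp 00000000 08:07 131081 /lib64/libc-2.11.3.so
7ffe0f4cd000-7ffe0f4ee000 rw-p 00000000 00:00 0 [stack]"""
RUN_B = """00400000-00406000 r-xp 00000000 08:07 5464121 /bin/sleep
00607000-00628000 rw-p 00000000 00:00 0 [heap]
7fa3e97c1000-7fa3e992f000 r-xp 00000000 08:07 131081 /lib64/libc-2.11.3.so
7ffcc90e3000-7ffcc9104000 rw-p 00000000 00:00 0 [stack]"""
```

On a live system, feed compare_runs the contents of /proc/<pid>/maps from two launches of the same binary and compare the set of "changes" regions with expected_movers(level, elf_is_pie(header)) to confirm the layout matches the configured level.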
For reference on the process layout after an ELF has been loaded into memory:
http://blog.sina.com.cn/s/blog_4ed962ae01013vhr.html