Last active
August 25, 2017 06:27
-
-
Save safiire/c20591bc3169070c60533c788b78ab7d to your computer and use it in GitHub Desktop.
How many bits are random on Linux ASLR?
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#include <stdio.h> | |
#include <stdlib.h> | |
#include <stdint.h> | |
#include <unistd.h> | |
#include <sys/types.h> | |
#include <sys/wait.h> | |
/* | |
* A fork() doesn't (and shouldn't) re-randomize the address space | |
* but that happens properly after the exec() | |
*/ | |
// Return the stack pointer | |
int64_t return_rsp(void){ | |
__asm__("movq %rsp, %rax"); | |
} | |
// Print out the stack pointer | |
int main(int argc, char **argv){ | |
printf("[+] My pid is %d\n", getpid()); | |
printf("[+] My rsp = 0x%016lx\n", return_rsp()); | |
if(argc < 2){ | |
printf("[+] Forking a child process...\n"); | |
pid_t pid = fork(); | |
if(pid == 0){ | |
printf("[+] Forked process rsp = 0x%016lx\n", return_rsp()); | |
printf("[+] Re-executing myself...\n"); | |
const char *child_argv[] = {"no", "fork", '\0'}; | |
execv(argv[0], child_argv); | |
perror("Wat?"); | |
exit(1); | |
}else{ | |
waitpid(pid, 0, 0); | |
} | |
} | |
return 0; | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/env ruby | |
## Hold our bit counts | |
counts = 64.times.map do | |
[] | |
end | |
## Sample some stack addresses | |
sample_addresses = 10_000.times do | |
md = `./print_rsp`.match(/0x([0-9a-f]+)/) | |
value = md[1].to_i(16) | |
bit_vector = sprintf("%064b", value).split(//) | |
bit_vector.each_with_index do |bit, index| | |
counts[index] << bit | |
end | |
end | |
## Which bits stay the same? | |
result = counts.map do |bits| | |
bits.uniq.size == 1 ? 0 : 1 | |
end | |
final_mask = result.join.to_i(2) | |
printf("Mask of bits which change are: %016x\n", final_mask) | |
## Any favouritism for bits? | |
probability = counts.map do |bits| | |
probability = bits.map(&:to_i).inject(0){|a,b| a + b} / bits.size.to_f | |
sprintf("%d%%", (probability * 100).round) | |
end | |
puts "Probability of 1 is:" | |
p probability |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#include <stdio.h> | |
#include <stdint.h> | |
/* | |
* Answers the question: how random is the stack after ASLR? | |
* | |
* Linux 4.10.0-19-generic #21-Ubuntu x86_64 | |
* | |
* The result of running this many times shows that only these | |
* bits ever change on the stack with ASLR | |
* 0000000000000000000000000000001111111111111111111111111111110000 | |
* Mask = 0x00000003fffffff0 | |
* | |
* That is 2^30 or 1,073,741,824 possibilities | |
* | |
* Probability of a 1 is always *very* close to 50/50 for those that change | |
* 0%, 0%, 0%, 0%, 0%, 0%, 0%, 0%, | |
* 0%, 0%, 0%, 0%, 0%, 0%, 0%, 0%, | |
* 0%, 100%, 100%, 100%, 100%, 100%, 100%, 100%, | |
* 100%, 100%, 100%, 100%, 100%, 100%, 50%, 50%, | |
* 49%, 50%, 50%, 51%, 50%, 51%, 49%, 50%, | |
* 50%, 50%, 51%, 50%, 50%, 49%, 50%, 50%, | |
* 50%, 49%, 50%, 50%, 50%, 50%, 50%, 49%, | |
* 50%, 50%, 50%, 50%, 0%, 0%, 0%, 0% | |
* | |
* Examples: | |
* 0x00000003fffffff0 | |
* ------------------ | |
* 0x00007ffe9feabf90 | |
* 0x00007ffe77320c60 | |
* 0x00007ffdc7cbb260 | |
* 0x00007ffdab117000 | |
* 0x00007fff649c64c0 | |
* 0x00007ffffc8eea60 | |
* 0x00007ffec9afb2c0 | |
* 0x00007fff6aa198a0 | |
* 0x00007ffec28af610 | |
* 0x00007ffc694e86a0 | |
* 0x00007ffcf15f80b0 | |
* ------------------ | |
* 0x00007ff[cdef]???????0 | |
*/ | |
// Return the stack pointer | |
int64_t return_rsp(void){ | |
__asm__("movq %rsp, %rax"); | |
} | |
// Print out the stack pointer | |
int main(int argc, char **argv){ | |
uint64_t address = return_rsp(); | |
printf("rsp = 0x%016lx\n", address); | |
return 0; | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment