{"id":3368,"date":"2021-07-31T14:13:20","date_gmt":"2021-07-31T12:13:20","guid":{"rendered":"https:\/\/andreas-klingler.de\/infosec\/?p=3368"},"modified":"2025-03-20T09:15:45","modified_gmt":"2025-03-20T08:15:45","slug":"aslr-address-space-layout-randomization","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=3368","title":{"rendered":"<span class=\"caps\">ASLR<\/span> Address Space Layout Randomization"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\"><span class=\"caps\">ASLR<\/span> Address Space Lay\u00adout Ran\u00addom\u00adiza\u00adtion is a tech\u00adnique which ran\u00addom\u00adizes address\u00ades in the stack and heap. If address\u00ades of func\u00adtions are ran\u00addom\u00adized (e.g. from shared libraries like libc), then an attack\u00ader can\u00adnot use a pre\u00adde\u00adfined exploit with hard-cod\u00aded addresses.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Linux<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Dis\u00adable&nbsp;<span class=\"caps\">ASLR<\/span>:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">echo 0 &gt; \/proc\/sys\/kernel\/randomize_va_space<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Enable <span class=\"caps\">ASLR<\/span>:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">echo 2 &gt; \/proc\/sys\/kernel\/randomize_va_space<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">In <span class=\"caps\">GDB<\/span>, <span class=\"caps\">ASLR<\/span> is deac\u00adti\u00advat\u00aded by default. Use <code>aslr on<\/code> to acti\u00advate&nbsp;it.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Windows<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">On Win\u00addows, <span class=\"caps\">ASLR<\/span> loads a library at a ran\u00addom posi\u00adtion in the mem\u00ado\u00adry \u2014 but (accord\u00ading to a lec\u00adtur\u00ader at <span class=\"caps\">IR<\/span> March 2025) this is the same for each exe\u00adcute\u00adable as long as there is no reboot. That means that if a process ana\u00adlyzes his own mem\u00ado\u00adry and detect e.g. a library, it can cal\u00adcu\u00adlate there it would be in anoth\u00ader prozess.<\/p>\n","protected":false},"excerpt":{"rendered":"<p><span class=\"caps\">ASLR<\/span> Address Space Lay\u00adout Ran\u00addom\u00adiza\u00adtion is a tech\u00adnique which ran\u00addom\u00adizes address\u00ades in the stack and heap. If address\u00ades of func\u00adtions are ran\u00addom\u00adized (e.g. from shared libraries like libc), then an attack\u00ader can\u00adnot use a pre\u00adde\u00adfined exploit with hard-cod\u00aded address\u00ades. Lin\u00adux Dis\u00adable&nbsp;<span class=\"caps\">ASLR<\/span>: echo 0 &gt; \/proc\/sys\/kernel\/randomize_va_space Enable <span class=\"caps\">ASLR<\/span>: echo 2 &gt; \/proc\/sys\/kernel\/randomize_va_space In <span class=\"caps\">GDB<\/span>, <span class=\"caps\">ASLR<\/span>&nbsp;is&nbsp;[\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[355],"tags":[432,433,409,429],"class_list":["post-3368","post","type-post","status-publish","format-standard","hentry","category-reverse-engineering","tag-aslr","tag-heap-protection","tag-reverse-engineering","tag-stack-protection"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/3368","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3368"}],"version-history":[{"count":4,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/3368\/revisions"}],"predecessor-version":[{"id":4737,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/3368\/revisions\/4737"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3368"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3368"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3368"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}