如何判断当前LINUX系统启用了ASLR

内核参数randomize_va_space用于控制系统级ASLR

0 关闭ASLR

1 mmap base、stack、vdso page将随机化。这意味着.so文件将被加载到随机地址。链接时指定了-pie选项的可执行程序，其代码段加载地址将被随机化。配置内核时如果指定了CONFIG_COMPAT_BRK，randomize_va_space缺省为1。此时heap没有随机化。

2 在1的基础上增加了heap随机化。配置内核时如果禁用CONFIG_COMPAT_BRK，randomize_va_space缺省为2。

查询randomize_va_space当前设置

# sysctl -n kernel.randomize_va_space
1
# cat /proc/sys/kernel/randomize_va_space
1

关闭ASLR:

# sysctl -w kernel.randomize_va_space=0
# echo 0 > /proc/sys/kernel/randomize_va_space

可以用ldd快速判断当前系统是否启用了ASLR:

$ ldd `which col`
        linux-gate.so.1 =>  (0xffffe000)
        libc.so.6 => /lib/i686/cmov/libc.so.6 (0xb7ded000)
        /lib/ld-linux.so.2 (0x80000000)

$ ldd `which col`
        linux-gate.so.1 =>  (0xffffe000)
        libc.so.6 => /lib/i686/cmov/libc.so.6 (0xb7db5000)
        /lib/ld-linux.so.2 (0x80000000)

$ ldd `which col`
        linux-gate.so.1 =>  (0xffffe000)
        libc.so.6 => /lib/i686/cmov/libc.so.6 (0xb7db0000)
        /lib/ld-linux.so.2 (0x80000000)

注意，本例中有两个so的加载基址未被随机化。

$ cat /proc/self/maps > 1.txt

$ cat /proc/self/maps > 2.txt

$ diff 1.txt 2.txt

4,15c4,15

< b7bb1000-b7db1000 r--p 00000000 08:01 98130 /usr/lib/locale/locale-archive

< b7db1000-b7db2000 rw-p b7db1000 00:00 0

< b7db2000-b7ef2000 r-xp 00000000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so

< b7ef2000-b7ef4000 r--p 0013f000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so

< b7ef4000-b7ef5000 rw-p 00141000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so

< b7ef5000-b7ef8000 rw-p b7ef5000 00:00 0

< b7f09000-b7f0b000 rw-p b7f09000 00:00 0

< b7f0b000-b7f0c000 r-xp b7f0b000 00:00 0 [vdso]

< b7f0c000-b7f27000 r-xp 00000000 08:01 1046552 /lib/ld-2.11.2.so

< b7f27000-b7f28000 r--p 0001a000 08:01 1046552 /lib/ld-2.11.2.so

< b7f28000-b7f29000 rw-p 0001b000 08:01 1046552 /lib/ld-2.11.2.so

< bfe27000-bfe3d000 rw-p bfe27000 00:00 0 [stack]

---

b7bfa000-b7dfa000 r--p 00000000 08:01 98130 /usr/lib/locale/locale-archive

b7dfa000-b7dfb000 rw-p b7dfa000 00:00 0

b7dfb000-b7f3b000 r-xp 00000000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so

b7f3b000-b7f3d000 r--p 0013f000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so

b7f3d000-b7f3e000 rw-p 00141000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so

b7f3e000-b7f41000 rw-p b7f3e000 00:00 0

b7f52000-b7f54000 rw-p b7f52000 00:00 0

b7f54000-b7f55000 r-xp b7f54000 00:00 0 [vdso]

b7f55000-b7f70000 r-xp 00000000 08:01 1046552 /lib/ld-2.11.2.so

b7f70000-b7f71000 r--p 0001a000 08:01 1046552 /lib/ld-2.11.2.so

b7f71000-b7f72000 rw-p 0001b000 08:01 1046552 /lib/ld-2.11.2.so

bfa6e000-bfa83000 rw-p bfa6e000 00:00 0 [stack]

diff输出表明stack、vsdo page、一些so的地址均被随机化。

$ cat 1.txt

08048000-0804f000 r-xp 00000000 08:01 196226 /bin/cat

0804f000-08050000 rw-p 00006000 08:01 196226 /bin/cat

08050000-08071000 rw-p 08050000 00:00 0 [heap]

b7bb1000-b7db1000 r--p 00000000 08:01 98130 /usr/lib/locale/locale-archive

b7db1000-b7db2000 rw-p b7db1000 00:00 0

b7db2000-b7ef2000 r-xp 00000000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so

b7ef2000-b7ef4000 r--p 0013f000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so

b7ef4000-b7ef5000 rw-p 00141000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so

b7ef5000-b7ef8000 rw-p b7ef5000 00:00 0

b7f09000-b7f0b000 rw-p b7f09000 00:00 0

b7f0b000-b7f0c000 r-xp b7f0b000 00:00 0 [vdso]

b7f0c000-b7f27000 r-xp 00000000 08:01 1046552 /lib/ld-2.11.2.so

b7f27000-b7f28000 r--p 0001a000 08:01 1046552 /lib/ld-2.11.2.so

b7f28000-b7f29000 rw-p 0001b000 08:01 1046552 /lib/ld-2.11.2.so

bfe27000-bfe3d000 rw-p bfe27000 00:00 0 [stack]

$ cat 2.txt

08048000-0804f000 r-xp 00000000 08:01 196226 /bin/cat

0804f000-08050000 rw-p 00006000 08:01 196226 /bin/cat

08050000-08071000 rw-p 08050000 00:00 0 [heap]

b7bfa000-b7dfa000 r--p 00000000 08:01 98130 /usr/lib/locale/locale-archive

b7dfa000-b7dfb000 rw-p b7dfa000 00:00 0

b7dfb000-b7f3b000 r-xp 00000000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so

b7f3b000-b7f3d000 r--p 0013f000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so

b7f3d000-b7f3e000 rw-p 00141000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so

b7f3e000-b7f41000 rw-p b7f3e000 00:00 0

b7f52000-b7f54000 rw-p b7f52000 00:00 0

b7f54000-b7f55000 r-xp b7f54000 00:00 0 [vdso]

b7f55000-b7f70000 r-xp 00000000 08:01 1046552 /lib/ld-2.11.2.so

b7f70000-b7f71000 r--p 0001a000 08:01 1046552 /lib/ld-2.11.2.so

b7f71000-b7f72000 rw-p 0001b000 08:01 1046552 /lib/ld-2.11.2.so

bfa6e000-bfa83000 rw-p bfa6e000 00:00 0 [stack]

检查原始输出，主映像、heap未被随机化。

关闭ASLR之后再测试一遍:

sysctl -w kernel.randomize_va_space=0

kernel.randomize_va_space = 0

cat /proc/self/maps > 1.txt

cat /proc/self/maps > 2.txt

diff 1.txt 2.txt

diff无输出，表示各内存区域基址未被随机化。

cat 1.txt

08048000-0804f000 r-xp 00000000 08:01 196226 /bin/cat

0804f000-08050000 rw-p 00006000 08:01 196226 /bin/cat

08050000-08071000 rw-p 08050000 00:00 0 [heap]

b7c8a000-b7e8a000 r--p 00000000 08:01 98130 /usr/lib/locale/locale-archive

b7e8a000-b7e8b000 rw-p b7e8a000 00:00 0

b7e8b000-b7fcb000 r-xp 00000000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so

b7fcb000-b7fcd000 r--p 0013f000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so

b7fcd000-b7fce000 rw-p 00141000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so

b7fce000-b7fd1000 rw-p b7fce000 00:00 0

b7fe2000-b7fe4000 rw-p b7fe2000 00:00 0

b7fe4000-b7fe5000 r-xp b7fe4000 00:00 0 [vdso]

b7fe5000-b8000000 r-xp 00000000 08:01 1046552 /lib/ld-2.11.2.so

b8000000-b8001000 r--p 0001a000 08:01 1046552 /lib/ld-2.11.2.so

b8001000-b8002000 rw-p 0001b000 08:01 1046552 /lib/ld-2.11.2.so

bffeb000-c0000000 rw-p bffeb000 00:00 0 [stack]

内核参数randomize_va_space置0会关闭整个系统的ASLR，有时候只想关闭单个进程

的ASLR，可以用setarch命令实现这点。

$ setarch uname -m -R cat /proc/self/maps > 1.txt

$ setarch uname -m -R cat /proc/self/maps > 2.txt

$ diff 1.txt 2.txt

diff无输出，表示各内存区域基址未被随机化。

$ cat 1.txt

08048000-0804f000 r-xp 00000000 08:01 196226 /bin/cat

0804f000-08050000 rw-p 00006000 08:01 196226 /bin/cat

08050000-08071000 rw-p 08050000 00:00 0 [heap]

b7c8a000-b7e8a000 r--p 00000000 08:01 98130 /usr/lib/locale/locale-archive

b7e8a000-b7e8b000 rw-p b7e8a000 00:00 0

b7e8b000-b7fcb000 r-xp 00000000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so

b7fcb000-b7fcd000 r--p 0013f000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so

b7fcd000-b7fce000 rw-p 00141000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so

b7fce000-b7fd1000 rw-p b7fce000 00:00 0

b7fe2000-b7fe4000 rw-p b7fe2000 00:00 0

b7fe4000-b7fe5000 r-xp b7fe4000 00:00 0 [vdso]

b7fe5000-b8000000 r-xp 00000000 08:01 1046552 /lib/ld-2.11.2.so

b8000000-b8001000 r--p 0001a000 08:01 1046552 /lib/ld-2.11.2.so

b8001000-b8002000 rw-p 0001b000 08:01 1046552 /lib/ld-2.11.2.so

bffea000-c0000000 rw-p bffea000 00:00 0 [stack]

---

奇怪的是，setarch关闭单个进程ASLR时，stack的地址有时会变，并不总是固定的，

这是什么情况？而内核参数randomize_va_space置0时，就没有观察到这种现象。

$ setarch uname -m -R cat /proc/self/maps > 1.txt

$ setarch uname -m -R cat /proc/self/maps > 2.txt

$ diff 1.txt 2.txt

15c15

< bffeb000-c0000000 rw-p bffeb000 00:00 0 [stack]

---

bffea000-c0000000 rw-p bffea000 00:00 0 [stack]

$ cat 1.txt

08048000-0804f000 r-xp 00000000 08:01 196226 /bin/cat

0804f000-08050000 rw-p 00006000 08:01 196226 /bin/cat

08050000-08071000 rw-p 08050000 00:00 0 [heap]

b7c8a000-b7e8a000 r--p 00000000 08:01 98130 /usr/lib/locale/locale-archive

b7e8a000-b7e8b000 rw-p b7e8a000 00:00 0

b7e8b000-b7fcb000 r-xp 00000000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so

b7fcb000-b7fcd000 r--p 0013f000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so

b7fcd000-b7fce000 rw-p 00141000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so

b7fce000-b7fd1000 rw-p b7fce000 00:00 0

b7fe2000-b7fe4000 rw-p b7fe2000 00:00 0

b7fe4000-b7fe5000 r-xp b7fe4000 00:00 0 [vdso]

b7fe5000-b8000000 r-xp 00000000 08:01 1046552 /lib/ld-2.11.2.so

b8000000-b8001000 r--p 0001a000 08:01 1046552 /lib/ld-2.11.2.so

b8001000-b8002000 rw-p 0001b000 08:01 1046552 /lib/ld-2.11.2.so

bffeb000-c0000000 rw-p bffeb000 00:00 0 [stack]