91

I am using Ubuntu 12.04 32-bits, for some experiment I need to disable ASLR; how do I accomplish that? What should I do after that to enable ASLR again?

Am1rr3zA
  • 3,582
  • 2
    For self only: http://stackoverflow.com/questions/11238457/disable-and-re-enable-address-space-layout-randomization-only-for-mysef || http://unix.stackexchange.com/questions/15881/disable-address-space-layout-randomization-aslr-for-my-processes – Ciro Santilli OurBigBook.com Jul 28 '15 at 13:28

5 Answers5

128

According to an article How Effective is ASLR on Linux Systems?, you can configure ASLR in Linux using the /proc/sys/kernel/randomize_va_space interface.

The following values are supported:

  • 0 – No randomization. Everything is static.
  • 1 – Conservative randomization. Shared libraries, stack, mmap(), VDSO and heap are randomized.
  • 2 – Full randomization. In addition to elements listed in the previous point, memory managed through brk() is also randomized.

So, to disable it, run

echo 0 | sudo tee /proc/sys/kernel/randomize_va_space

and to enable it again, run

echo 2 | sudo tee /proc/sys/kernel/randomize_va_space

This won't survive a reboot, so you'll have to configure this in sysctl. Add a file /etc/sysctl.d/01-disable-aslr.conf containing:

kernel.randomize_va_space = 0

should permanently disable this.

mpliax
  • 3
gertvdijk
  • 67,947
  • 1
    What exactly is "Full randomization"? Does that include the executable itself? And what is brk()? – Shuzheng Feb 15 '19 at 16:13
  • @Shuzheng brk() is the break address during memory allocation https://stackoverflow.com/questions/6988487/what-does-the-brk-system-call-do – Niklas Rosencrantz May 20 '20 at 17:42
  • @Niklas - Does any of the above levels include the executable core itself? – Shuzheng May 20 '20 at 17:55
  • @Shuzheng I think so, meaning that I needed to turn it off in order to succeed in provoking a buffer overflow. If ASLR is enabled then an attacker cannot easily calculate memory addresses of the running process even if he can inject and hijack the program flow. At level 1, if I understand it correctly, both the absolute and relative addresses of the process will be randomized and at level 2 also dynamic memory addresses will be randomized. There are example programs you can experiment with in a VM or container where you disable the ASLR and try to hijack the process (search for overflow) – Niklas Rosencrantz May 20 '20 at 18:04
  • @Shuzheng If you mean that ASLR can be disabled and enabled for the Linux Kernel itself, then that is more than I know... but surely it will be in the manual somewhere about this – Niklas Rosencrantz May 20 '20 at 18:05
  • @Niklas, it is still not clear whether the base address of the code segment will be loaded at a random address, only that libraries etc. are loaded at random addresses. – Shuzheng May 20 '20 at 18:09
  • @Shuzheng: only PIE executables can have their text/data/bss randomized. (That's why Ubuntu and other modern distros configure GCC to build PIEs by default, and build binary packages that way). Traditional ELF executables contain absolute addresses, and don't have metadata to relocate them with runtime fixups even if anyone wanted to attempt to make the kernel do that. why non-pic code can't be totally ASLR using run-time fixups?. – Peter Cordes Dec 07 '21 at 05:13
  • A PIE executable counts as a shared library, and should have its text/data/BSS ASLRed at randomize_va_space = 1. (It literally is an ELF shared object with an entry point; that was historically a silly computer trick that happened to work; now it's the standard way to build executables.) – Peter Cordes Dec 07 '21 at 05:14
46

The /proc/sys/kernel/randomize_va_space interface controls ASLR system-wide.

If you don't want a system-wide change, use ADDR_NO_RANDOMIZE personality flag to temporarily disable ASLR. Controlling of this flag can be done with setarch and its -R option, like

setarch `uname -m` -R /bin/bash

This will open a new Bash shell for you with ASLR disabled, including all child processes run from this shell. Just exit the shell once you're done.

By the way, on i386, ulimit -s unlimited can effectively "disable" ASLR.

EDIT (Apr 2016): The ulimit -s unlimited was fixed and assigned CVE-2016-3672.

youfu
  • 569
9

If you want to construct a program which disables ASLR for itself when it runs, you can use the personality system call on Linux. Here's a recipe:

#include <stdio.h>
#include <sys/personality.h>

int main(int argc, char *argv) {
    const int old_personality = personality(ADDR_NO_RANDOMIZE);
    if (!(old_personality & ADDR_NO_RANDOMIZE)) {
        const int new_personality = personality(ADDR_NO_RANDOMIZE);
        if (new_personality & ADDR_NO_RANDOMIZE) {
            execv(argv[0], argv);
        }
    }
    printf("&argc == %p\n", (void ) &argc);
}

If you look at the source for setarch, it calls personality twice in roughly this pattern. The major difference is that setarch calls exec on some other program, whereas my recipe execs itself. It's important that you use non-zero-ness of & ADDR_NO_RANDOMIZE and not equality tests: else you can go into an infinite exec loop if you e.g. compile with -z execstack.

See also the man page for personality.

Jonas Kölker
  • 311
4

The more permanent ways of disabling ASLR should be kept in a VM for obvious reasons.

to test the ability to overwrite stack frame return addresses etcetera, you'll need to compile without stack canaries -fno-stack-protector, while to allow you to execute code on the stack you need to compile with -z execstack, making

$ gcc -fno-stack-protector -z execstack -o <my_program> my_code.c
Mark
  • 228
NewPerson
  • 51
  • 3
  • It isn't so easy to disable aslr in the vm when it is enabled on the host. I find it better to always temporary disable aslr – GuiTaek Oct 20 '23 at 16:31
4

You can use the following command to temporarily disable ASLR.

sudo sysctl kernel.randomize_va_space=0
galoget
  • 2,963
lzutao
  • 141