ASLR and Linux personality syscall

In the previous article we talk about ASLR and how to disable it. There was a way to disable ASLR for a single process using setarch command. Now we are going to understand how setarch command do that. Lets use strace command to trace all system calls of setarch command with and without -R option

	$ strace -o 1 setarch x86_64 -R ls
	1 2 a.out aslr.c
	$ strace -o 2 setarch x86_64 ls
	1 2 a.out aslr.c
	$ diff 1 2
	...
	a lot of differences
	...

view raw shell.personality.1.log hosted with ❤ by GitHub

There are a lot of differences, because of the ASLR: In the log there are a lot memory addresses and they will be different. Now lets disable it for all processes and then do above steps again to filter out memory differences.

	$ echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
	$ strace -o 1 setarch x86_64 -R ls
	1 2 a.out aslr.c
	$ strace -o 2 setarch x86_64 ls
	1 2 a.out aslr.c
	$ diff 1 2
	1c1
	< execve("/usr/bin/setarch", ["setarch", "x86_64", "-R", "ls"], [/* 38 vars */]) = 0
	---
	> execve("/usr/bin/setarch", ["setarch", "x86_64", "ls"], [/* 38 vars */]) = 0
	33c33
	< personality(0x40000 /* PER_??? */) = 0
	---
	> personality(PER_LINUX) = 0
	123c123
	< set_tid_address(0x7ffff7fdaa70) = 4718
	---
	> set_tid_address(0x7ffff7fdaa70) = 4720
	$

view raw shell.personality.2.log hosted with ❤ by GitHub

Now we see that there is a system call named personality. It is difficult to understand from the man personality what this syscall actually do. So we can get a information from include file of personality syscall(in case of Ubuntu 10.10 it located at /usr/include/sys/personality.h). Here it is:
There is enum ADDR_NO_RANDOMIZE equal to 0x0040000 which passed in as an argument in personality in above difference logs. So we understand that we can disable the process's ASLR by calling personality syscall with ADDR_NO_RANDOMIZE argument. Lets modify the program from previous article and check is this works.

	#include <stdio.h> // printf
	#include <string.h> // strerror
	#include <errno.h> // errno
	#include <unistd.h> // execl
	#include <sys/ptrace.h> // ptrace
	#include <sys/user.h> // user_regs_struct
	#include <sys/personality.h> // personality
	int
	main() {
	// create a child process
	int pid = fork();
	// if error occurs
	if (0 > pid) {
	printf("Error during forking: %s\n", strerror(errno));
	return 1;
	}
	// child process
	if (0 == pid) {
	ptrace(PTRACE_TRACEME, 0, 0, 0);
	personality(ADDR_NO_RANDOMIZE);
	execl("/bin/ls", "ls", NULL);
	}
	// parent process
	int status;
	struct user_regs_struct regs;
	wait(&status);
	while(1407 == status) {
	// get registers
	if (0 != ptrace(PTRACE_GETREGS, pid, 0, &regs))
	printf("Error during ptrace: %s\n", strerror(errno));
	// if the syscall is close(for example)
	// wait so we can get memory maps.
	if (3 == regs.orig_rax) {
	// This scanf is for waiting for input,
	// while we cat /proc/pid/maps
	// to see if it differs from
	// previous /proc/pid/maps
	scanf("1");
	}
	// lets the child to continue his work until next sys call or sys exit
	if (0 != ptrace(PTRACE_SYSCALL, pid, 0, 0) != 0)
	printf("Error during ptrace: %s\n", strerror(errno));
	wait(&status);
	}
	return 0;
	}

view raw aslr.c hosted with ❤ by GitHub

Enable ASLR by echo 2 | sudo tee /proc/sys/kernel/randomize_va_space. Run above code twice and when they wait for input, dump the memory maps (get pid from htop and then cat /proc/pid/maps) and compare them: it works, the maps are the same. You can also comment out the line containing personality and get different memory maps.