Developer's Guide to Oracle® Solaris 11 Security

Exit Print View

Updated: July 2014

Address Space Layout Randomization (ASLR)

ASLR is a feature of the Oracle Solaris system that randomizes the starting address of key portions of the process address space such as stack, libraries, and brk-based heap. By default, ASLR is enabled for binaries explicitly tagged to request ASLR. The following command provides information about the status of ASLR:

% sxadm info
EXTENSION        STATUS                   CONFIGURATION 
aslr             enable (tagged-files)    enable (tagged-files)   

The –z option to the ld(1) command is used to tag a newly created object with an ASLR requirement. The usage is as shown below:

ld -z aslr[=mode]

where mode can be set to enable or disable. If mode is not specified, enable is assumed.

The following example demonstrates the use of the –z option to create an executable with ASLR enabled:

% cat hello.c
#include <stdio.h>
main(int argc, char **argv) 
  (void) printf("Hello World!\n");
  return (0);
% cc hello.c -z aslr

ASLR tagging is provided by an entry in the object's dynamic section, which can be inspected with elfdump(1).

% elfdump -d a.out | grep ASLR
[28]  SUNW_ASLR   0x2   ENABLE

The elfedit(1) command can be used to add or modify the ASLR dynamic entry in an existing object.

% cc hello.c
% elfedit -e 'dyn:sunw_aslr enable' a.out
% elfdump -d a.out | grep ASLR
[29]  SUNW_ASLR  0x2  ENABLE
% elfedit -e 'dyn:sunw_aslr disable' a.out
% elfdump -d a.out | grep ASLR
[29]  SUNW_ASLR   0x1  DISABLE

The ASLR requirements for a given process are established at process startup, and cannot be modified once the process has started. For this reason, the ASLR tagging is only meaningful for the primary executable object in the process.

The pmap(1) utility can be used to examine the address mappings for a process. When used to observe the mappings for an executable which has ASLR enabled, the specific addresses used for the stack, library mappings, and the brk-based heap will differ for every invocation.

The sxadm(1) command is used to control the default ASLR default behavior for the system. Binaries that are explicitly tagged to disable ASLR take precedence over the system default behavior established by sxadm.

Debugging and ASLR

Address Space Randomization may be problematic during debugging. Some debugging situations require that repeated invocations of the program use the same address mappings. You can temporarily disable ASLR in one of the following ways:

  • Temporarily disable ASLR system wide

    % sxadm exec -s aslr=disable /bin/bash
  • Use ld or elfedit commands to tag the associate binary to disable ASLR

  • Establish an ASLR disabled shell in which to carry out debugging

    % sxadm exec -s aslr=disable /bin/bash 

    Note - This ASLR modification cannot be applied to SUID or privileged binaries.

See the sxadm(1M) man page and Chapter 2, Configuring Oracle Solaris Security, in Oracle Solaris 11 Security Guidelines for more information.