TL;DR
Address Space Layout Randomisation (ASLR) is a key cyber security technique to make exploiting software harder. By randomising the base addresses of program sections, we disrupt predictable attack patterns. This guide focuses on improving ASLR by specifically randomising the Base Section (BSS), which often isn’t randomised by default and can be a weak point for attackers. We’ll cover checking your current setup, enabling BSS randomization if needed, and verifying it works.
Improving ASLR: Randomizing the BSS
- Understand the Base Section (BSS)
  - The BSS section holds uninitialised global and static variables.
  - Unlike other sections like code (.text) or data (.data), it’s often zero-filled, making its starting address predictable if ASLR isn’t applied to it.
  - Attackers can exploit this predictability to gain control of the program.
- Check Current ASLR Status

  You need to see if BSS randomization is already enabled on your system. The method varies depending on your operating system.

  - Linux: Use `getconf` and read the kernel setting.

    ```shell
    getconf PAGE_SIZE
    cat /proc/sys/kernel/randomize_va_space
    ```

    A value of `2` means full ASLR is enabled, including BSS. `1` enables only stack randomization. `0` disables ASLR.

  - Windows: Use PowerShell.

    ```powershell
    Get-Process -Id $PID | Format-List EnableASLR
    ```

    If `EnableASLR` is True, ASLR is enabled. Further checks are needed to confirm BSS randomization specifically (see the verification step below).

  - macOS: Use the command line.

    ```shell
    sysctl -a | grep vm.map_randomize_base
    ```

    A value greater than 0 indicates some level of ASLR is enabled, but doesn’t guarantee BSS randomization.
- Enable BSS Randomization (If Necessary)

  - Linux: Edit `/etc/sysctl.conf` as root.

    ```shell
    sudo nano /etc/sysctl.conf
    ```

    Ensure the following line is present and set to `2`:

    ```
    kernel.randomize_va_space = 2
    ```

    Apply the changes:

    ```shell
    sudo sysctl -p
    ```

  - Windows: BSS randomization is typically enabled by default with modern Windows versions and Data Execution Prevention (DEP). Ensure DEP is active. You can check this in System Properties -> Advanced system settings -> Performance Settings. For older systems, you might need to adjust the ASLR configuration via Group Policy or registry edits (advanced users only – incorrect changes can destabilize your system!).

  - macOS: BSS randomization is generally enabled by default. You may not have direct control over it without recompiling the kernel, which isn’t recommended for most users.
- Verify BSS Randomization

  After enabling ASLR (or confirming it’s already on), you need to check that the BSS section is actually being randomized.

  - Linux: Compile a simple program with global variables.

    ```shell
    gcc -o test test.c
    ```

    Run it multiple times and inspect the addresses of the global variables using `gdb` or a similar debugger. Note that gdb switches randomization off for the program it debugs unless told otherwise, so turn it back on before running:

    ```
    gdb ./test
    set disable-randomization off
    break main
    run
    print &global_variable
    ```

    The address should change on each run.

  - Windows: Use a debugger like x64dbg or Visual Studio. Attach the debugger to your program, set a breakpoint at the start of `main`, and inspect the addresses of global variables in the memory view. The addresses should vary between runs.
- Consider Compiler Options

  - Using Position Independent Executables (PIE) with compilers like GCC or Clang further enhances ASLR.

    ```shell
    gcc -o test test.c -fPIE -pie
    ```

  - Ensure your code doesn’t rely on fixed addresses for global variables, as this defeats the purpose of randomization.
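Putting the verification step and the PIE comparison together, here is an added Python script (not part of the original guide) that compiles a small constructed probe program twice, once as a PIE and once with a fixed base, runs each build ten times and reports which regions actually change address. It assumes a Linux host with gcc on the PATH; the probe source, the region names and the ten-run sample size are assumptions of this example, not the guide’s.

```python
import re
import subprocess
import tempfile

# Constructed probe program (added here, not from the guide): it prints the
# address of one symbol per region so the runner can see which ones move.
PROBE_SRC = r"""
#include <stdio.h>
#include <stdlib.h>
int bss_var;          /* uninitialised global: lands in .bss  */
int data_var = 42;    /* initialised global:   lands in .data */
int main(void) {
    int stack_var = 0;
    void *heap_ptr = malloc(16);
    printf("bss=%p data=%p text=%p stack=%p heap=%p\n", (void *)&bss_var,
           (void *)&data_var, (void *)main, (void *)&stack_var, heap_ptr);
    free(heap_ptr);
    return 0;
}
"""

def parse_run(line):
    """Turn 'bss=0x... data=0x... ...' into {'bss': int, 'data': int, ...}."""
    return {k: int(v, 16) for k, v in re.findall(r"(\w+)=(0x[0-9a-fA-F]+)", line)}

def randomised(samples):
    """samples: one parsed dict per run. A region counts as randomised only
    when more than one distinct address was observed across the runs."""
    return {r: len({s[r] for s in samples}) > 1 for r in sorted(samples[0])}

def build_and_probe(runs=10, pie=True):
    """Compile the probe (PIE or fixed-base), run it `runs` times, classify."""
    flags = ["-fPIE", "-pie"] if pie else ["-fno-pie", "-no-pie"]
    with tempfile.TemporaryDirectory() as tmp:
        src, exe = f"{tmp}/probe.c", f"{tmp}/probe"
        with open(src, "w") as f:
            f.write(PROBE_SRC)
        subprocess.run(["gcc", "-o", exe, src] + flags, check=True)
        samples = [parse_run(subprocess.run([exe], capture_output=True,
                                            text=True, check=True).stdout)
                   for _ in range(runs)]
    return randomised(samples)

if __name__ == "__main__":
    for pie in (True, False):  # a PIE build next to a fixed-base build
        verdict = build_and_probe(pie=pie)
        print("PIE    " if pie else "non-PIE",
              " ".join(f"{r}={'moves' if v else 'FIXED'}" for r, v in verdict.items()))
```

Because the probe is run directly rather than under gdb, the gdb default of disabling randomization for the debuggee does not get in the way. A `bss=FIXED` verdict on the non-PIE build next to `bss=moves` on the PIE build shows that the compiler flag, not only `randomize_va_space`, decides whether the BSS moves.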

