ASLR: Limited Randomness on 32-bit Systems

TL;DR

On a typical 32-bit system, Address Space Layout Randomisation (ASLR) usually only randomises the base address to within a 16MB boundary. This is because of the limited address space available and how it’s used for things like kernel memory and other important structures. This means fewer bits are actually randomised compared to 64-bit systems, making ASLR less effective.

Understanding ASLR

ASLR is a cyber security technique that makes it harder for attackers to reliably exploit vulnerabilities. It works by randomly positioning key areas of memory – like the base of executables, libraries, and the stack – each time a program runs. If an attacker knows where these things are in memory, they can more easily inject malicious code.

Why Only 12 Bits on 32-bit?

The limitation comes down to the size of the address space and how it’s divided up. Here’s a breakdown:

1. 32-bit Address Space: A 32-bit system has an address space of 2³² bytes, which is 4GB.
2. Kernel Space Reservation: The operating system kernel needs a dedicated portion of memory that *isn’t* randomised. This typically occupies the higher addresses (e.g., above 3GB or 2GB depending on the OS).
3. ASLR Granularity: To allow for effective ASLR, the base address must be aligned to a certain boundary – usually a multiple of 16KB or larger. This is because code and data structures need to start at specific offsets within memory pages.
4. Randomisation Range: Because of the kernel space reservation and alignment requirements, only a portion of the 4GB address space is available for randomising user-space components. A common setup reserves the top 2GB for the kernel, leaving 2GB for ASLR.
5. Calculating Randomised Bits: If you have 2GB (2³¹ bytes) available for randomisation and need to align to a 16KB boundary (2¹⁴ bytes), the number of randomised bits is approximately log₂(2³¹ / 2¹⁴) = 17. However, practical implementations often use only 12 bits due to other constraints and historical reasons.

Practical Implications

With only 12 bits of randomness, there are 2¹² (4096) possible base addresses for each library or executable. This significantly reduces the effectiveness of ASLR compared to a 64-bit system where you have many more bits available.

Checking ASLR Entropy

You can check how much randomness is being used on your system using tools like /proc/sys/kernel/randomize_va_space. This file controls the level of ASLR:

• 0: No ASLR
• 1: Randomise stack, mmap(), brk()
• 2: Full ASLR (libraries and executables randomised)

cat /proc/sys/kernel/randomize_va_space

To see the actual entropy used, you can inspect the /proc//maps file for a running process. Look at the addresses of loaded libraries and executables to get an idea of how much they are shifting.

cat /proc/12345/maps | grep rwxp

Mitigation Strategies

1. Upgrade to 64-bit: The most effective solution is to move to a 64-bit system, which provides a much larger address space and more bits for ASLR.
2. Compile with Position Independent Executable (PIE): PIE randomises the base address of the main executable itself, adding another layer of protection. Use compiler flags like -fpie -pie when building your software.
3. Use Address Space Layout Randomisation (ASLR) hardening techniques: Some compilers and linkers offer additional ASLR features that can improve randomness.
4. Data Execution Prevention (DEP): DEP prevents code from being executed in data segments, making it harder for attackers to inject malicious code even if they bypass ASLR.