Blog | G5 Cyber Security

Linux ASLR: Separate Library Randomisation

TL;DR

By default, some Linux distributions don’t randomise library base addresses independently of each other. This weakens Address Space Layout Randomisation (ASLR), making exploitation easier. We’ll show you how to enable separate library randomisation for better cyber security.

Improving ASLR Library Randomisation

  1. Check Current ASLR Status: First, see what’s currently enabled.
    • Run the following command:
      cat /proc/sys/kernel/randomize_va_space
    • Values mean:
      • 0: No ASLR.
      • 1: Randomise stack, mmap(), brk().
      • 2: Also randomise heap.
  2. Check Library Randomisation: Determine if libraries are randomised independently.
    • Use the following command to check the entropy of library base addresses:
      cat /proc/self/maps | awk '{print $6}' | sort -u | wc -l

      This counts unique library load addresses. A low number suggests poor randomisation.

  3. Enable Separate Library Randomisation: This is the core step.
    • Edit /etc/sysctl.conf as root (using your favourite editor, e.g., sudo nano /etc/sysctl.conf).
    • Add or modify these lines:
      kernel.randomize_va_space = 2
      kernel.kstack_pages_min = 4096
      kernel.sysvipc_shmall = 4096
  4. Apply the Changes: Reload the sysctl configuration.
    • Run:
      sudo sysctl -p
    • Verify the change:
      cat /proc/sys/kernel/randomize_va_space

      It should now show 2.

  5. Reboot (Recommended): A full reboot ensures all processes benefit from the new ASLR settings. While not always *strictly* necessary, it’s best practice.
    • Run:
      sudo reboot
  6. Verify After Reboot: Confirm that library randomisation is improved after the reboot.
    • Repeat step 2 to check the number of unique library addresses:
      cat /proc/self/maps | awk '{print $6}' | sort -u | wc -l

      You should see a significantly higher count than before, indicating better randomisation.
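
Step 2's command reads the map of a single process. As an added example (not from the original post), the Python sketch below samples several process launches and reports, per library, how many distinct base addresses appeared and whether the distance between libraries ever changed. The function names and the two map excerpts are constructed for illustration.

```python
import subprocess
# Constructed /proc/<pid>/maps excerpts for two launches (not captured data).
CONSTRUCTED_RUNS = [
    "55d0a0000000-55d0a0002000 r--p 00000000 08:01 100 /usr/bin/cat\n"
    "7f10a0000000-7f10a0028000 r--p 00000000 08:01 200 /usr/lib/libc.so.6\n"
    "7f10a0028000-7f10a01b0000 r-xp 00028000 08:01 200 /usr/lib/libc.so.6\n"
    "7f10a0200000-7f10a0202000 r--p 00000000 08:01 300 /usr/lib/ld-linux-x86-64.so.2\n",
    "5601b0000000-5601b0002000 r--p 00000000 08:01 100 /usr/bin/cat\n"
    "7f55b0000000-7f55b0028000 r--p 00000000 08:01 200 /usr/lib/libc.so.6\n"
    "7f55b0200000-7f55b0202000 r--p 00000000 08:01 300 /usr/lib/ld-linux-x86-64.so.2\n",
]

def library_bases(maps_text):
    """Return {pathname: lowest start address} for mapped .so files."""
    bases = {}
    for line in maps_text.splitlines():
        fields = line.split(None, 5)   # range perms offset dev inode pathname
        if len(fields) < 6 or ".so" not in fields[5]:
            continue                   # anonymous, [heap]/[stack], or not a library
        start = int(fields[0].split("-")[0], 16)
        path = fields[5].strip()
        bases[path] = min(start, bases.get(path, start))
    return bases

def summarise(samples):
    """Per library: distinct bases, and distinct distances to a reference library.
    One distinct distance means the two libraries moved together, not independently."""
    common = sorted(set.intersection(*map(set, samples))) if samples else []
    if not common:
        return {}, {}
    ref = common[0]
    bases = {lib: len({s[lib] for s in samples}) for lib in common}
    deltas = {lib: len({s[lib] - s[ref] for s in samples}) for lib in common[1:]}
    return bases, deltas

def sample_live(runs=20):
    """Each `cat` is a fresh process, so each sample is a fresh address space."""
    return [library_bases(subprocess.run(["cat", "/proc/self/maps"], check=True,
                                         capture_output=True, text=True).stdout)
            for _ in range(runs)]

if __name__ == "__main__":
    try:
        samples = sample_live()
    except (OSError, subprocess.CalledProcessError):   # no /proc: use the excerpts
        samples = [library_bases(t) for t in CONSTRUCTED_RUNS]
    bases, deltas = summarise(samples)
    for lib in bases:
        print(f"{lib}: {bases[lib]} bases, {deltas.get(lib, '-')} offsets from reference")
```

A library whose base count stays at 1 across launches is not being relocated at all; an offset count of 1 means that library keeps a fixed distance from the reference library on every launch.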

Important Considerations
