How can I temporarily disable ASLR (Address space layout randomization)?
772
I am using Ubuntu 12.04 32-bits, for some experiment I need to disable ASLR; how do I accomplish that? What should I do after that to enable ASLR again?
The /proc/sys/kernel/randomize_va_space interface controls ASLR system-wide.
If you don't want a system-wide change, use ADDR_NO_RANDOMIZEpersonality flag to temporarily disable ASLR. Controlling of this flag can be done with setarch and its -R option, like
setarch `uname -m` -R /bin/bash
This will open a new Bash shell for you with ASLR disabled, including all child processes run from this shell. Just exit the shell once you're done.
By the way, on i386, ulimit -s unlimited can effectively "disable" ASLR.
EDIT (Apr 2016): The ulimit -s unlimited was fixed and assigned CVE-2016-3672.
The more permanent ways of disabling ASLR should be kept in a VM for obvious reasons.
to test the ability to overwrite stack frame return addresses etcetera, you'll need to compile without stack canaries -fno-stack-protector, while to allow you to execute code on the stack you need to compile with -z execstack, making
If you want to construct a program which disables ASLR for itself when it runs, you can use the personality system call on Linux. Here's a recipe:
#include <stdio.h>
#include <sys/personality.h>
int main(int argc, char **argv) {
const int old_personality = personality(ADDR_NO_RANDOMIZE);
if (!(old_personality & ADDR_NO_RANDOMIZE)) {
const int new_personality = personality(ADDR_NO_RANDOMIZE);
if (new_personality & ADDR_NO_RANDOMIZE) {
execv(argv[0], argv);
}
}
printf("&argc == %p\n", (void *) &argc);
}
If you look at the source for setarch, it calls personality twice in roughly this pattern. The major difference is that setarch calls exec on some other program, whereas my recipe execs itself. It's important that you use non-zero-ness of & ADDR_NO_RANDOMIZE and not equality tests: else you can go into an infinite exec loop if you e.g. compile with -z execstack.
According to an article How Effective is ASLR on Linux Systems?, you can configure ASLR in Linux using the
/proc/sys/kernel/randomize_va_spaceinterface.So, to disable it, run
and to enable it again, run
This won't survive a reboot, so you'll have to configure this in
sysctl. Add a file/etc/sysctl.d/01-disable-aslr.confcontaining:should permanently disable this.
The
/proc/sys/kernel/randomize_va_spaceinterface controls ASLR system-wide.If you don't want a system-wide change, use
ADDR_NO_RANDOMIZEpersonality flag to temporarily disable ASLR. Controlling of this flag can be done withsetarchand its-Roption, likeThis will open a new Bash shell for you with ASLR disabled, including all child processes run from this shell. Just
exitthe shell once you're done.By the way, on i386,
ulimit -s unlimitedcan effectively "disable" ASLR.EDIT (Apr 2016): The
ulimit -s unlimitedwas fixed and assigned CVE-2016-3672.The more permanent ways of disabling ASLR should be kept in a VM for obvious reasons.
to test the ability to overwrite stack frame return addresses etcetera, you'll need to compile without stack canaries
-fno-stack-protector, while to allow you to execute code on the stack you need to compile with-z execstack, makingYou can use the following command to temporarily disable ASLR.
If you want to construct a program which disables ASLR for itself when it runs, you can use the
personalitysystem call on Linux. Here's a recipe:If you look at the source for
setarch, it callspersonalitytwice in roughly this pattern. The major difference is thatsetarchcallsexecon some other program, whereas my recipeexecs itself. It's important that you use non-zero-ness of& ADDR_NO_RANDOMIZEand not equality tests: else you can go into an infiniteexecloop if you e.g. compile with-z execstack.See also the man page for
personality.