7

I am looking at a presentation from MIT where they explain different types of ASLR implementations.

For example, they point out that for static ASLR, stack has 19-bits of entropy. In my understanding, this means the stack base address can only be randomized to take 2^19 different values.

I want to ask how to calculate that the stack has 19-bits of entropy ?

Edit:

After checking online, I found some explanation of stack ASLR on Linux. Learning from another question, the code I thought may be relevant is:

#ifndef STACK_RND_MASK
#define STACK_RND_MASK (0x7ff >> (PAGE_SHIFT - 12))     /* 8MB of VA */
#endif

static unsigned long randomize_stack_top(unsigned long stack_top)
{
    unsigned int random_variable = 0;

    if ((current->flags & PF_RANDOMIZE) &&
            !(current->personality & ADDR_NO_RANDOMIZE)) {
            random_variable = get_random_int() & STACK_RND_MASK;
            random_variable <<= PAGE_SHIFT;
    }
#ifdef CONFIG_STACK_GROWSUP
    return PAGE_ALIGN(stack_top) + random_variable;
#else
    return PAGE_ALIGN(stack_top) - random_variable;
#endif
}

I want to ask if this is the right place to reason about my question ?

Community
  • 1
  • 1
Jake
  • 16,329
  • 50
  • 126
  • 202

1 Answers1

7

Firstly, pages have to be aligned to 4096-byte boundaries, which effectively zeroes the lower 12 bits.

Next, the kernel splits the address space in to 0x00000000 - 0xbfffffff for user memory and 0xc0000000 - 0xffffffff for kernel memory. We only care about user memory here, so the kernel memory can be ignored.

If we further split up the user address space into three ranges:

       Range        | 2 MSBs 
--------------------+--------
00000000 - 3fffffff |   00
40000000 - 7fffffff |   01
80000000 - bfffffff |   10

Generally we don't want the stack in the first range, since that's where the heap lives. This means we only have two possible combinations for the 2 most significant bits, 01 and 10, effectively turning 2 bits into 1.

We have 32 bits in a 32-bit address, so we can get our 19-bits of stack entropy with:
32 - (page alignment bits) - (memory partitioning bits) = 32 - 12 - 1 = 19

小太郎
  • 5,510
  • 6
  • 37
  • 48
  • Thanks a lot, but one more question: So that means global variable segment maybe upon the stack or under the stack area? – roachsinai Jan 11 '20 at 08:05