2

I have a question about Address Space Layout Randomization (ASLR) on macOS. According to Apple (2016), "If you are compiling an executable that targets macOS 10.7 and later or iOS 4.3 and later, the necessary flags [for ASLR] are enabled by default". In the spirit of science, I decided to test this on Xcode 11.3 and macOS Catalina 10.15.2 with the following program:

#include <stdio.h>

int main(int argc, const char * argv[]) {
    int stack = 0;
    printf("%p\n", &stack);   /* address of a local: should differ per run under ASLR */
    return 0;
}

According to Arpaci-Dusseau & Arpaci-Dusseau (2018), with ASLR enabled, this program should produce a different virtual address on every run (p. 16). However, every time I run the program in Xcode, the output is the same, for example:

0x7ffeefbff52c
Program ended with exit code: 0

What am I missing?

References

Apple. (2017). Avoiding buffer overflows and underflows. Retrieved from https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Articles/BufferOverflows.html

Arpaci-Dusseau, R. H., & Arpaci-Dusseau, A. C. (2018). Complete virtual memory systems. In Operating systems: Three easy pieces. Retrieved from http://pages.cs.wisc.edu/~remzi/OSTEP/vm-complete.pdf

Rudolf Adamkovič
  • 31,030
  • 13
  • 103
  • 118
  • Did you try compiling without optimizations? – gstukelj Dec 29 '19 at 23:24
  • 1
    According to [this answer](https://stackoverflow.com/a/12829939), ASLR should cover globals, text, stack, and heap (although not many bits are randomized). Can you check if libc functions are getting relocated randomly? – nanofarad Dec 29 '19 at 23:25
  • Docs are squirrely about it, independent reviewers complain about ASLR implementations like farmers complain about the weather. Reboot the machine between tests. – Hans Passant Dec 29 '19 at 23:38
  • 2
    Try running it outside of Xcode (or any debugger). There's an excellent chance that the debugger or some of Xcode's other diagnostic features effectively disable ASLR. – Ken Thomases Dec 29 '19 at 23:39
  • @KenThomases That did the trick. Would you mind writing an answer so that I can accept it? – Rudolf Adamkovič Dec 30 '19 at 00:32

1 Answer

3

The apparent ineffectiveness of ASLR is an artifact of running within Xcode. Either its use of the debugger or some other diagnostic feature effectively disables ASLR for the process.

Running the program outside of Xcode will show the ASLR behavior you expect.

Ken Thomases
  • 88,520
  • 7
  • 116
  • 154
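The check the answer recommends, written out as an added example (this script is not part of the question or the answer): build the question's probe program with the system C compiler, run it repeatedly from a plain shell with no debugger attached, and count how many distinct stack addresses come back. A count near the number of runs means ASLR is active; a count of 1 is the debugger-attached behaviour seen inside Xcode. The script assumes a C compiler is reachable as `$CC` or `cc` (clang on macOS); the function names `build_probe`, `count_distinct_addrs` and `aslr_distinct_count` are this example's own.

```shell
#!/bin/sh
# Added example: measure whether ASLR is randomizing the stack by running the
# question's probe binary several times outside any debugger and counting the
# distinct addresses it prints.

# Assumption: a C compiler is available as $CC or as `cc` (clang on macOS).
CC="${CC:-cc}"

# Write the question's program into a scratch directory and build it with
# optimizations off so the local variable really lives on the stack.
build_probe() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/probe.c" <<'EOF'
#include <stdio.h>

int main(int argc, const char * argv[]) {
    int stack = 0;
    printf("%p\n", &stack);
    return 0;
}
EOF
    "$CC" -O0 -o "$dir/probe" "$dir/probe.c" || return 1
    printf '%s\n' "$dir/probe"
}

# Run the probe binary $1 a total of $2 times; print how many distinct
# addresses appeared (1 means no randomization between runs).
count_distinct_addrs() {
    probe=$1
    runs=$2
    i=0
    while [ "$i" -lt "$runs" ]; do
        "$probe"
        i=$((i + 1))
    done | sort -u | wc -l | tr -d ' '
}

# Build, measure over N runs (default 20), clean up, and print the count.
aslr_distinct_count() {
    probe=$(build_probe) || return 1
    count_distinct_addrs "$probe" "${1:-20}"
    rm -rf "$(dirname "$probe")"
}

aslr_distinct_count 20 || echo "build failed: is a C compiler installed?" >&2
```

From a Terminal window the printed count should be close to 20. The same script run under a debugger launch shows the contrast the answer describes: LLDB, which Xcode uses, launches its targets with ASLR disabled by default (its `target.disable-aslr` setting), so every run of the probe reports the same address until that setting is turned off.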