strangerRidingCaml
Linux kernel exploit
11. Kernel Address Space Layout Randomization KASLR
woddlwoddl 2024. 5. 13. 18:46
Kernel Address Space Layout Randomization KASLR
Kernel Address Space Layout Randomization (KASLR) is a security feature of modern operating systems, including Linux, that mitigates memory-corruption attacks by randomizing the base address at which the kernel is loaded, so kernel addresses differ from one boot to the next and cannot simply be hard-coded.
Lab Activity: Demonstrating KASLR Impact
In this lab activity, we'll demonstrate the impact of KASLR by attempting to exploit a vulnerability first with KASLR disabled and then with KASLR enabled.
Without KASLR Enabled
    #include <stdio.h>

    /* Address the vulnerable function is assumed to sit at when KASLR is off:
     * with no randomization the layout is the same on every boot, so the
     * address can simply be hard-coded. */
    #define VULN_ADDR 0xdeadbeefULL

    void vulnerable_function(void) {
        printf("Vulnerable function called!\n");
    }

    int main(void) {
        /* Show the assumed address beside the one actually in use; with
         * randomization disabled the real address does not move between runs. */
        printf("assumed address: %#llx, actual address: %p\n",
               (unsigned long long)VULN_ADDR, (void *)vulnerable_function);
        vulnerable_function(); /* Exploiting vulnerable function */
        return 0;
    }
With KASLR Enabled
    #include <stdio.h>
    #include <stdlib.h>
    #include <stdint.h>
    #include <unistd.h>
    #include <sys/mman.h>

    /* Address the vulnerable function is assumed to sit at; with KASLR the
     * real location changes every boot, so this guess is unlikely to hold. */
    #define VULN_ADDR 0xdeadbeefULL

    void vulnerable_function(void) {
        printf("Vulnerable function called!\n");
    }

    int main(void) {
        /* Ask for a page at the fixed address. Without MAP_FIXED the address is
         * only a hint, so the kernel may place the mapping somewhere else. */
        void *mapped_addr = mmap((void *)(uintptr_t)VULN_ADDR, 4096,
                                 PROT_READ | PROT_WRITE | PROT_EXEC,
                                 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
        if (mapped_addr == MAP_FAILED) {
            perror("mmap failed");
            exit(EXIT_FAILURE);
        }
        printf("requested %#llx, mapping landed at %p\n",
               (unsigned long long)VULN_ADDR, mapped_addr);
        vulnerable_function(); /* Exploiting vulnerable function */
        munmap(mapped_addr, 4096);
        return 0;
    }
In the second code snippet, we ask mmap for a page at the fixed address where the vulnerable function is assumed to live. With KASLR enabled, however, the address space layout is randomized, so the assumed address is no longer reliable and the mmap operation may fail.
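Added example, not code from the original post: a small C audit program that reads /proc/kallsyms and reports whether kernel addresses are hidden from the reader by kptr_restrict and, if they are visible, how far _text has been slid from its link address. It assumes the x86_64 default link-time base 0xffffffff81000000 for _text and the kallsyms "<addr> <type> <name>" line format; the parsing and slide helpers also work on constructed input.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
/* Assumed x86_64 link-time address of _text (System.map value for a default
 * CONFIG_PHYSICAL_START); other architectures/configs use a different base. */
#define KERNEL_TEXT_LINK_BASE 0xffffffff81000000ULL
/* Scan kallsyms-formatted text ("<hex addr> <type> <name>" per line) for an
 * exact symbol name; returns 1 and stores its address if found, else 0. */
static int find_symbol(const char *kallsyms, const char *sym, uint64_t *addr)
{
    const char *p = kallsyms;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[160], name[64], type; unsigned long long a;
        if (len < sizeof line) {
            memcpy(line, p, len);
            line[len] = '\0';
            if (sscanf(line, "%llx %c %63s", &a, &type, name) == 3 &&
                strcmp(name, sym) == 0) {
                *addr = (uint64_t)a;
                return 1;
            }
        }
        if (!nl) break;
        p = nl + 1;
    }
    return 0;
}
/* Slide = where _text actually is minus its link address; 0 means no KASLR. */
static uint64_t kaslr_slide(uint64_t runtime_text)
{
    return runtime_text - KERNEL_TEXT_LINK_BASE;
}
int main(void)
{
    FILE *f = fopen("/proc/kallsyms", "r");
    char line[256]; uint64_t text = 0; int found = 0;
    if (!f) { perror("/proc/kallsyms"); return 1; }
    while (!found && fgets(line, sizeof line, f))
        found = find_symbol(line, "_text", &text);
    fclose(f);
    if (!found) { puts("_text not found in /proc/kallsyms"); return 1; }
    /* kptr_restrict shows 0 to unprivileged readers: layout is not leaked here. */
    if (text == 0) { puts("kernel addresses hidden by kptr_restrict"); return 0; }
    printf("_text=%#llx slide=%#llx: %s\n", (unsigned long long)text, (unsigned long long)kaslr_slide(text),
           kaslr_slide(text) ? "KASLR active" : "no slide: check the kernel command line for nokaslr");
    return 0;
}
```

Run it once as an unprivileged user and once as root: the first run should report hidden addresses, the second a non-zero slide that changes after a reboot.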