I would like to enable Address Space Layout Randomization (ASLR) for my Windows FB program - (ASLR is the default for programs compiled on Linux). This requires the Windows /DYNAMICBASE option being added to the link process.
I've tried the Compiler Option -Wl to pass options to linker...
-Wl /DYNAMICBASE
...but that just gives me a "linking failed: terminated with exit code 1" message.
So the security gearheads don't jump in here... I'm not looking to use this for ROP attack security reasons. I know it doesn't really do any good for that unless all DLLs accessed by the program are linked for ASLR also. I want ASLR because I can use the rebased-on-every-run addresses of functions and variables as another source of entropy for seeding RNGs.
Is it possible to pass the /DYNAMICBASE option to the linker somehow?
DYNAMICBASE option for Address Space Layout Randomization (ASLR)
Re: DYNAMICBASE option for Address Space Layout Randomization (ASLR)
/DYNAMICBASE is an option for the MS Linker. FB uses the GNU linker, so the option is going to be different, if it's supported at all. It's possible that the flag is -dynamicbase, or --dynamicbase, but I'm not sure. I see references to it in a Google search, but I can't tell for sure.
Re: DYNAMICBASE option for Address Space Layout Randomization (ASLR)
Ok, thanks to caseih I got headed down the right path to enable ASLR. I needed this option...
-Wl -dynamicbase
After compiling I went into Process Explorer, launched the properties for my app and can see that ASLR is enabled... sort of...
Address Space Load Randomization (ASLR) shows as "Enabled (permanent)Disabled"
My app still never gets dynamically rebased when loaded - it shows the same memory address on every run.
PE sort of says that my app has ASLR enabled... so I asked on the PE forum what the strange ASLR description is about. If I get an answer and find out what is going on, I'll update this thread.
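When the ASLR flag shows as set but the load address never changes, as in the post above, one thing to check is whether the executable still carries base relocation data, which the Windows loader needs in order to move an image. The following is an added example, not code from the thread or from FreeBASIC: it reads the relevant PE header fields, and the function names, the result keys and the constructed sample headers are assumptions made for illustration.

```python
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # COFF Characteristics bit
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # the bit /DYNAMICBASE sets
BASERELOC_DIR = 5                               # data directory index


def aslr_header_report(image: bytes) -> dict:
    """Read the PE header fields that matter for rebasing an image."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    file_chars = struct.unpack_from("<H", image, pe + 22)[0]
    opt = pe + 24                                          # optional header
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):                        # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    dll_chars = struct.unpack_from("<H", image, opt + 70)[0]
    dirs = opt + (96 if magic == 0x10B else 112)           # data directories
    count = struct.unpack_from("<I", image, dirs - 4)[0]   # NumberOfRvaAndSizes
    reloc_size = 0
    if count > BASERELOC_DIR:
        reloc_size = struct.unpack_from("<II", image, dirs + 8 * BASERELOC_DIR)[1]
    flag = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    has_relocs = reloc_size > 0 and not file_chars & IMAGE_FILE_RELOCS_STRIPPED
    # Opt-in ASLR needs both the flag and relocation data to apply.
    return {"dynamic_base_flag": flag, "has_relocations": has_relocs,
            "rebasable": flag and has_relocs}


def make_sample_header(dll_chars: int, file_chars: int, reloc_size: int) -> bytes:
    """Constructed PE32 headers for the demo (headers only, not a program)."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)        # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, file_chars)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, 92, 16)                    # 16 directories
    struct.pack_into("<II", opt, 96 + 8 * BASERELOC_DIR,
                     0x5000 if reloc_size else 0, reloc_size)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    print("flag only:    ", aslr_header_report(make_sample_header(0x0040, 0x0001, 0)))
    print("flag + relocs:", aslr_header_report(make_sample_header(0x0040, 0, 0x200)))
```

To check a real build, pass the file's bytes instead of a constructed header, for example `aslr_header_report(open("myapp.exe", "rb").read())`.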
Re: DYNAMICBASE option for Address Space Layout Randomization (ASLR)
Without any ASLR, relocatable, -pie position-independent type options added to the fbc.exe command line... using Process Explorer, ASLR shows "Disabled" for myapp.exe.
After adding this option to fbc.exe command line...
(linker option) -Wl -dynamicbase
... myapp.exe ASLR shows "Enabled (permanent)Disabled".
After adding the position-independent options...
(compiler options) -gen gcc -Wc -fPIE
(linker options) -Wl -dynamicbase,-pie
... myapp.exe runs but immediately exits - (so nobody knows what ASLR would show).
After looking at all (not very much or very detailed) of the GCC docs about the -pie options...
It appears to me that at run time, since FB is linking in its pre-built libraries (which are not -pie enabled), the FB libs and myapp.exe disagree about where each other's addresses are and say "we quit".
Since I would have to rebuild a version of FB with -pie enabled FB libs in order to check this hypothesis - and since I only wanted ASLR for some RNG entropy - and since no one else would be using "Bruce's ASLR enabled fbc.exe version" to compile their own apps... ... ...
I'm just going to let this one go.
Re: DYNAMICBASE option for Address Space Layout Randomization (ASLR)
Well, you seem to understand everything already...
I made FB respect the -pic flag when building executables too, to build PIE, but I never put in a pull request for those changes, because they're in my unmerged branch for Android support (in recent versions of Android, all binaries must be PIE... note that apps are not binaries on Android)
Even without those changes, as you figured out, on Unix you can get fbc to compile PIC objects and then forcibly link the PIC libraries, but the PIC libraries aren't even built/distributed in Windows builds of FB, so you would have to compile them yourself.