OpenBSD’s ASLR: Weak, Not Very Random and Not Truly ASLR

Many of the red neck BSD supporters have slashed out by our report on the BSD’s lack of security. Many of them argue that OpenBSD has it’s own ASLR implementation and thus BSD as a whole is somehow more secure that Linux.

We’ve decided to test extent of OpenBSD’s ASLR implementation and compare them with Linux 2.6. We achieve this by running an executable which prints out the location of the stack pointer (ESP). The code for this executable is found in “Gray Hat Hacking” by Shon Harris, Allen Harper, Chris Eagle and Jonathan Ness. This code is:

############################

#include <stdio.h>

unsigned long get_sp(void){
__asm__(“movl %esp, %eax”);
}

int main(){
printf(“Stack pointer (ESP): 0x%xn”, get_sp());
}

############################

This code was executed, 19 times in both OpenBSD 5.4 and CentOS 5.5 (Linux 2.6). Here are the results:

For CentOS 5.5 (Linux 2.6),

#############################

[buxley@localhost HAE]$ uname -a
Linux localhost.localdomain 2.6.18-194.el5 #1 SMP Fri Apr 2 14:58:35 EDT 2010 i686 i686 i386 GNU/Linux
[buxley@localhost HAE]$ for i in {1..19}; do ./get_sp; done
Stack pointer (ESP): 0xbf82c528
Stack pointer (ESP): 0xbfbdd478
Stack pointer (ESP): 0xbfa0d9e8
Stack pointer (ESP): 0xbfaf53c8
Stack pointer (ESP): 0xbfe4a318
Stack pointer (ESP): 0xbfa260f8
Stack pointer (ESP): 0xbfe4cac8
Stack pointer (ESP): 0xbf8ba5f8
Stack pointer (ESP): 0xbf8c49b8
Stack pointer (ESP): 0xbffe42c8
Stack pointer (ESP): 0xbfe33a88
Stack pointer (ESP): 0xbfa28cc8
Stack pointer (ESP): 0xbfab8e18
Stack pointer (ESP): 0xbfc42718
Stack pointer (ESP): 0xbfb6d5f8
Stack pointer (ESP): 0xbf945458
Stack pointer (ESP): 0xbfe2a388
Stack pointer (ESP): 0xbfd83d68
Stack pointer (ESP): 0xbfda20c8
[buxley@localhost HAE]$

#############################

For OpenBSD 5.4

#############################

$ uname -a
OpenBSD WorkStation.my.domain 5.4 GENERIC.MP#41 amd64
$ for i in 1 2 3 4 5 6 7 8 9 10 12 13 14 15 16 17 18 19 20; do ./get_sp; done
Stack pointer (ESP): 0xfffdd080
Stack pointer (ESP): 0xfffddaf0
Stack pointer (ESP): 0xffff5810
Stack pointer (ESP): 0xfffdc560
Stack pointer (ESP): 0xfffd20e0
Stack pointer (ESP): 0xfffd06f0
Stack pointer (ESP): 0xfffcf3b0
Stack pointer (ESP): 0xfffbda20
Stack pointer (ESP): 0xfffe1b00
Stack pointer (ESP): 0xfffd81e0
Stack pointer (ESP): 0xfffd7a50
Stack pointer (ESP): 0xfffec200
Stack pointer (ESP): 0xfffde5b0
Stack pointer (ESP): 0xffff9610
Stack pointer (ESP): 0xfffbc6b0
Stack pointer (ESP): 0xffff6df0
Stack pointer (ESP): 0xfffe3940
Stack pointer (ESP): 0xffff5c70
Stack pointer (ESP): 0xffff6cd0
$

#############################

As one can see, OpenBSD’s ASLR implementation is not as random as Linux’s and worst, it appears to follow a vague pattern thus make it not truly random. Thus it can be said that OpenBSD has an “ASLR-like” implementation that is not truly ASLR and not as effective.

Linus Torvalds:

I think the OpenBSD crowd is a bunch of masturbating monkeys…

 

About these ads
This entry was posted in Uncategorized. Bookmark the permalink.

One Response to OpenBSD’s ASLR: Weak, Not Very Random and Not Truly ASLR

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s