Tommi Prami

How does the "Address Space Randomization (ASLR)" actually work

Recommended Posts

Delphi help is a little bit vague, and all the other pages give a lot of stuff but not an easy nuts-and-bolts explanation.

I have thought that if ASLR is on, Windows will randomize the memory start address of the process each time you run it, but I might be wildly wrong in my assumption.


Asking because of this bug report: https://quality.embarcadero.com/browse/RSP-40130 


-Tee-

Edited by Tommi Prami

On 12/7/2022 at 5:53 PM, Stefan Glienke said:

Did not get from that whether it will affect the Delphi Image base setting or not:


Maybe I did not ask clearly enough. What I am actually asking is:

I get (from the bug report above) that if ASLR is on, the address in the Access Violation can't be checked from the MAP file as is, because there is not enough info to do that. So if there is an Access Violation at a customer and they send the address/screenshot, I could not get the actual error location from the map file, because it could not know where ASLR has actually located the code, so I would need the ASLR offset or something like that also?

And reading those ASLR articles did not help much, so I could not be sure whether my impression is wrong or not. I googled how ASLR works and there were a lot of low-level descriptions, but I'm not sure whether it will affect AV and/or map-file investigation.


-Tee-

Edited by Tommi Prami


Here https://quality.embarcadero.com/browse/RSP-40130

the following change is suggested to calculate the module-relative offset:

SModuleAccessViolation = 'Access violation in module ''%s'' (+%s). %s of address %p';

// Report the faulting address as an offset from the module's load address
// (AllocationBase from VirtualQuery), so the number stays usable against the
// MAP file even when ASLR has relocated the image.
Result := EAccessViolation.CreateFmt(SModuleAccessViolation,
  [ExtractFileName(ModName),
   IntToHex(IntPtr(P^.ExceptionAddress) - IntPtr(MemInfo.AllocationBase), 1),
   AccessOp,
   AccessAddress]);

I have no D11 at hand and I couldn't find that MemInfo in docs.

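The lookup Tommi is asking about, as an added example that is not part of this thread or of the Delphi RTL: a small Python script that rebases a faulting address against a MAP file. The MAP excerpt is constructed and follows the layout of a Delphi detailed MAP file as I know it (segment table, "Publics by Value", per-unit line-number tables); check it against your own MAP file before relying on the regexes. `linked_base` is the image base the linker assumed ($400000 is the Delphi 32-bit default), and `load_base` is where the module actually landed (AllocationBase from VirtualQuery, or HInstance). ASLR only shifts the whole image, so MAP offsets stay valid once the actual base is subtracted; the `+offset` form suggested in RSP-40130 is that subtraction done at crash time, which `resolve_module_offset` consumes directly.

```python
"""Resolve an access-violation address against a Delphi-style MAP file.
ASLR moves the whole image by one delta (load base - linked base); undo it
and the MAP file applies exactly as for a non-relocated build."""
import re
from bisect import bisect_right

# Constructed MAP excerpt (not from a real build) in the layout of a Delphi
# detailed MAP file: segment table, "Publics by Value", per-unit line numbers.
SAMPLE_MAP = """\
 Start         Length     Name                   Class
 0001:00401000 00002A00H .text                   CODE
 0002:00404000 00000200H .data                   DATA
 0003:00405000 00000100H .bss                    BSS

  Address             Publics by Value

 0001:00000000       Unit1.TForm1.FormCreate
 0001:00000120       Unit1.TForm1.Button1Click
 0001:00000200       Unit1.ParseInput
 0001:00000300       Unit1.Finalization
 0002:00000000       Unit1.GlobalBuffer

Line numbers for Unit1(Unit1.pas) segment .text

    40 0001:00000200    41 0001:00000210    42 0001:00000224    44 0001:00000250
    50 0001:00000300
"""

SEG_RE = re.compile(r'^\s*(\d{4}):([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]+)H\s+(\S+)\s+(\S+)')
PUB_RE = re.compile(r'^\s*(\d{4}):([0-9A-Fa-f]{8})\s+(\S+)\s*$')
LINE_RE = re.compile(r'(\d+)\s+(\d{4}):([0-9A-Fa-f]{8})')
UNIT_RE = re.compile(r'^\s*Line numbers for (\S+)\(')


def parse_map(text):
    """Return (segments, publics, lines):
    segments: seg -> (linked start VA, length)
    publics:  seg -> sorted [(offset, symbol)]
    lines:    seg -> sorted [(offset, unit, line number)]"""
    segments, publics, lines = {}, {}, {}
    state, unit = 'segments', None
    for raw in text.splitlines():
        if 'Publics by Value' in raw:
            state = 'publics'
            continue
        m = UNIT_RE.match(raw)
        if m:
            state, unit = 'lines', m.group(1)
            continue
        if state == 'segments':
            m = SEG_RE.match(raw)
            if m:
                segments[int(m.group(1))] = (int(m.group(2), 16), int(m.group(3), 16))
        elif state == 'publics':
            m = PUB_RE.match(raw)
            if m:
                publics.setdefault(int(m.group(1)), []).append((int(m.group(2), 16), m.group(3)))
        else:  # line-number table: several "line seg:offset" pairs per row
            for ln, seg, off in LINE_RE.findall(raw):
                lines.setdefault(int(seg), []).append((int(off, 16), unit, int(ln)))
    for table in (publics, lines):
        for entries in table.values():
            entries.sort()
    return segments, publics, lines


def _floor(entries, offset):
    """Entry with the largest offset <= offset, or None."""
    keys = [e[0] for e in entries]
    i = bisect_right(keys, offset)
    return entries[i - 1] if i else None


def resolve(av_address, load_base, linked_base, map_text):
    """Map a faulting address to (segment, offset, symbol, unit, line).
    load_base:   where the module was actually loaded (AllocationBase/HInstance)
    linked_base: image base the linker assumed (Delphi 32-bit default $400000)
    Returns None if the address is not inside any segment of the MAP file."""
    segments, publics, lines = parse_map(map_text)
    linked_va = av_address - load_base + linked_base   # undo the ASLR shift
    for seg, (start, length) in segments.items():
        if start <= linked_va < start + length:
            offset = linked_va - start
            break
    else:
        return None
    sym = _floor(publics.get(seg, []), offset)
    ln = _floor(lines.get(seg, []), offset)
    return (seg, offset,
            sym[1] if sym else None,
            ln[1] if ln else None,
            ln[2] if ln else None)


def resolve_module_offset(module_offset, linked_base, map_text):
    """Same lookup from the '+offset' (address - AllocationBase) value that the
    RSP-40130 message change would print, so no load base is needed."""
    return resolve(linked_base + module_offset, linked_base, linked_base, map_text)


if __name__ == '__main__':
    # Image relocated by ASLR to $00A60000, fault at $00A61230
    print(resolve(0x00A61230, 0x00A60000, 0x00400000, SAMPLE_MAP))
    # The same fault reported as module-relative "+1230"
    print(resolve_module_offset(0x1230, 0x00400000, SAMPLE_MAP))
```

A fault in a data segment resolves to the symbol but no line number, and an address outside every segment (for example inside a third-party DLL) returns None rather than a misleading symbol, which is the case to watch for when a customer sends only the raw address.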
4 hours ago, Fr0sT.Brutal said:

I have no D11 at hand and I couldn't find that MemInfo in docs.

This is in Winapi.Windows.pas:

type
  PMemoryBasicInformation = ^TMemoryBasicInformation;
  _MEMORY_BASIC_INFORMATION = record
    BaseAddress : Pointer;
    AllocationBase : Pointer;
    AllocationProtect : DWORD;
    RegionSize : SIZE_T;
    State : DWORD;
    Protect : DWORD;
    Type_9 : DWORD;
  end;
  {$EXTERNALSYM _MEMORY_BASIC_INFORMATION}
  TMemoryBasicInformation = _MEMORY_BASIC_INFORMATION;
  MEMORY_BASIC_INFORMATION = _MEMORY_BASIC_INFORMATION;

MemInfo is just a local variable in System.SysUtils, in the function GetExceptionObject.

5 hours ago, Tommi Prami said:

I get (from the bug report above) that if ASLR is on, the address in the Access Violation can't be checked from the MAP file as is, because there is not enough info to do that. So if there is an Access Violation at a customer and they send the address/screenshot, I could not get the actual error location from the map file, because it could not know where ASLR has actually located the code, so I would need the ASLR offset or something like that also?

That's why you use things like madExcept or EurekaLog - even with ASLR enabled I get a proper call stack from an AV with madExcept.


Hmm, I tried building a sample console app in XE2 with {$SETPEOPTFLAGS $140} or {$DYNAMICBASE ON} but didn't get any relocations on W7 and W8. How to experience ASLR without D11?

Edited by Fr0sT.Brutal

On 12/9/2022 at 2:10 PM, Stefan Glienke said:

That's why you use things like madExcept or EurekaLog - even with ASLR enabled I get a proper call stack from an AV with madExcept.

We use madExcept, but that is not the point. The point is whether it will affect the AV address or not.

On 12/9/2022 at 2:21 PM, Fr0sT.Brutal said:

Hmm, I tried building a sample console app in XE2 with {$SETPEOPTFLAGS $140} or {$DYNAMICBASE ON} but didn't get any relocations on W7 and W8. How to experience ASLR without D11?

There are some limitations on which Windows versions support ASLR and which variant. The high-entropy one needs a quite new version (Win10 if I recall).

1 hour ago, Tommi Prami said:

There are some limitations on which Windows versions support ASLR and which variant. The high-entropy one needs a quite new version (Win10 if I recall).

However, the simple variant should work with older versions.


In Delphi 11.2 ASLR (and High Entropy too) may be used and is working.

But when I tested it in a real running environment, there were some glitches (AV, memory leak, ....) that don't show up if I simply turn off ASLR. I've noticed that the use of 3rd party DLLs (SDK or whatever), even if recent, plays a role in this. All of course in a 64-bit environment.

I didn't go into depth because I'm busy on several fronts, but in the near future I'd like to go into it further.

For now I don't use ASLR and High Entropy.

Bye


If stuff blows up with ASLR under 64-bit then this is almost certainly because some code is calculating addresses wrong or unintentionally using 32-bit data types where 64-bit is needed, which did not blow up without ASLR because it never had values higher than MaxInt. Often this can be caused by incorrect WinAPI usage such as this

Edited by Stefan Glienke
13 hours ago, Stefan Glienke said:

If stuff blows up with ASLR under 64-bit then this is almost certainly because some code is calculating addresses wrong or unintentionally using 32-bit data types where 64-bit is needed, which did not blow up without ASLR because it never had values higher than MaxInt. Often this can be caused by incorrect WinAPI usage such as this

This may be, but to enable 64-bit ASLR you must enable "HIGH ENTROPY". Enabling only ASLR and disabling HE should not produce pointers with 64-bit data ..... or do I misunderstand ASLR?

With my test I tried the two combinations (ASLR, or ASLR + HE) and I had some problems anyway.

Edited by DelphiUdIT

On 12/22/2022 at 8:06 PM, DelphiUdIT said:

Enabling only ASLR and disabling HE should not produce pointers with 64-bit data ....

From what I've read about ASLR, addresses could be anything even without additional options. And even without ASLR you can get 64-bit pointers by occupying all 4 GB of RAM (the swap file should be disabled). Btw, this is a pretty good test for valid pointer operations, especially for estimating a huge heap of legacy 32-bit code with quite desperate pointer<=>number manipulations that was converted to 64-bit but probably never thoroughly tested.

Edited by Fr0sT.Brutal
