ASLR

From The iPhone Wiki
Revision as of 07:45, 2 June 2012 by Morpheus (talk | contribs) (updated kernel space ASLR for iOS 6)
Jump to: navigation, search

ASLR (Address Space Layout Randomization) is a form of data security used to randomize data on the Template:Wp to help prevent exploits from taking control of the system. It first appeared in Template:Wp.

Program and dyld

  • On program load, the address space offset of the program is randomized between 0x0 and 0x100000
  • It always falls on a 0x1000 page boundary
  • dyld is included in this sliding section

Kernel space ASLR

Mountain Lion boasts a xnu 2150 kernel, which includes, for the first time, ASLR in kernel space. Because OS X and iOS are so closely tied together, it is safe to assume that iOS 6 (which is not yet released at the time of this writing, but will probably have a greater equal version of XNU) will likely have ASLR. In reply to i0nic, this is the lowdown of ASLR:

  • When the kernel boots, i386_vm_init (iOS: arm_vm_init) initializes the value of vm_kernel_slide
  • The kernel supports a new system call (#439 on Mountain Lion, likely #440 on iOS 6), called kas_info. This will return the value of vm_kernel_slide, but only for a privileged process.
  • kld is updated to reflect the slide in symbols. Likewise OSKext::LoadExecutable and friends
  • stackshot and other kernel functions take the vm_kernel_slide into consideration and subtract it from the actual positions of functions/symbols.

dyld_shared_cache

  • The system libraries are now stored in a big cache file, see
  • This address randomized at boot time, in many possible places, higher in the address space than the program
  • The functions retain a fixed offset to each other.

External Links