ASLR (Address Space Layout Randomization) and Anonymous Pages

Please cite the source when reposting, and keep all of the above attributions for the article's text, images and tables.

1. The ASLR question

ASLR (Address Space Layout Randomization) can be configured through /proc/sys/kernel/randomize_va_space. Newer kernels default this value to 2 (as on 3.2.0), while older ones default to 1 (as on 2.6.18). It was clear that 0 turns randomization off, but what distinguishes 1 from 2 was not.

The following passage can be found in Documentation/sysctl/kernel.txt:

==============================================================
randomize_va_space:

This option can be used to select the type of process address
space randomization that is used in the system, for architectures
that support this feature.

0 - Turn the process address space randomization off.  This is the
    default for architectures that do not support this feature anyways,
    and kernels that are booted with the "norandmaps" parameter.

1 - Make the addresses of mmap base, stack and VDSO page randomized.
    This, among other things, implies that shared libraries will be
    loaded to random addresses.  Also for PIE-linked binaries, the
    location of code start is randomized.  This is the default if the
    CONFIG_COMPAT_BRK option is enabled.

2 - Additionally enable heap randomization.  This is the default if
    CONFIG_COMPAT_BRK is disabled.

    There are a few legacy applications out there (such as some ancient
    versions of libc.so.5 from 1996) that assume that brk area starts
    just after the end of the code+bss.  These applications break when
    start of the brk area is randomized.  There are however no known
    non-legacy applications that would be broken this way, so for most
    systems it is safe to choose full randomization.

    Systems with ancient and/or broken binaries should be configured
    with CONFIG_COMPAT_BRK enabled, which excludes the heap from process
    address space randomization.
==============================================================

Several terms in this passage need explanation:

  • VDSO page randomized: VDSO stands for Virtual Dynamically linked Shared Object, a mechanism for calling into the kernel from user space. See: http://en.wikipedia.org/wiki/VDSO
  • PIE-linked binaries: a PIE (Position-Independent Executable) is a kind of executable that sits between a shared library and an ordinary executable. See: http://www.linuxfromscratch.org/~manuel/hlfs-book/glibc-2.4/chapter02/pie.html
  • CONFIG_COMPAT_BRK: many brk-related variables in the kernel refer to the heap. On this config option: “CONFIG_COMPAT_BRK=y means that heap randomization is turned off, so it's *always* a safe choice.  I assume the help text is trying to say that if one does not run ancient binaries, then enabling heap randomization is safe.” So setting it to y disables heap address space randomization in order to support some old binaries (COMPAT options are generally backward-compatibility options).

So, in /proc/sys/kernel/randomize_va_space, a value of 0 disables all randomization; 1 randomizes the mmap base, the stack and the VDSO page; and 2 additionally randomizes the heap address on top of what 1 does. Before heap address randomization is enabled, the heap starts immediately after the program's bss segment.

2. Anonymous pages

There are two types of pages: anonymous pages and file-backed pages. A file-backed page originates from mmap()-ing a file on disk, whereas an anonymous page is the kind you get when doing malloc(). It has no relationship with any files at all. When the RAM becomes tight, the kernel swaps out anonymous pages to swap space and flushes file-backed pages to the file to give room for current requests. In other words, anonymous pages may consume swap area while file-backed pages don't. The only exception is for files mmap()-ed using the MAP_PRIVATE flag. In this case, file modification occurs in RAM only.

From: http://linuxdevcenter.com/pub/a/linux/2006/11/30/linux-out-of-memory.html
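To make the two sections above concrete, here is an added example (not part of the original post or of the kernel documentation) that samples one address from each region randomize_va_space controls, including an anonymous page obtained with mmap(), and measures the gap between the end of .bss and the initial program break, which is the heap randomization that mode 2 adds. It assumes Linux with glibc and a PIE build; the linker symbol _end and the auxiliary-vector tags AT_BASE and AT_SYSINFO_EHDR are standard, and the struct and function names are this example's own.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/auxv.h>
#include <sys/mman.h>

extern char _end[];  /* linker symbol: end of .bss, where brk starts when the heap is not randomized */

struct regions { uintptr_t code, ldso, mmap_anon, heap, stack, vdso; };

/* Bytes between the page-aligned end of .bss and the program break. Sample it
   before any malloc(): 0 means the heap starts right after .bss (mode 0 or 1, or
   CONFIG_COMPAT_BRK=y); in mode 2 the kernel inserts a random gap here. */
long brk_gap_bytes(void)
{
    uintptr_t page = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t bss_end = ((uintptr_t)_end + page - 1) & ~(page - 1);
    void *brk = sbrk(0);
    return brk == (void *)-1 ? -1 : (long)((uintptr_t)brk - bss_end);
}

/* One address from each region randomize_va_space controls. The mmap'd page is
   an anonymous page (no file behind it), the kind discussed in section two. */
struct regions sample_regions(void)
{
    struct regions r;
    volatile int on_stack = 0;
    void *anon = mmap(NULL, 4096, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    r.code      = (uintptr_t)&sample_regions;         /* PIE: moves in modes 1 and 2 */
    r.ldso      = getauxval(AT_BASE);                 /* ld.so, loaded at the mmap base */
    r.mmap_anon = anon == MAP_FAILED ? 0 : (uintptr_t)anon;
    r.heap      = (uintptr_t)sbrk(0);                 /* brk heap: moves only in mode 2 */
    r.stack     = (uintptr_t)&on_stack;
    r.vdso      = getauxval(AT_SYSINFO_EHDR);
    if (anon != MAP_FAILED) munmap(anon, 4096);
    return r;
}

int main(void)
{
    struct regions r = sample_regions();
    printf("brk gap after .bss: %ld bytes\n", brk_gap_bytes());
    printf("code=%#lx ldso=%#lx mmap=%#lx heap=%#lx stack=%#lx vdso=%#lx\n",
           (unsigned long)r.code, (unsigned long)r.ldso, (unsigned long)r.mmap_anon,
           (unsigned long)r.heap, (unsigned long)r.stack, (unsigned long)r.vdso);
    return 0;
}
```

Run the binary several times and compare the output with `cat /proc/sys/kernel/randomize_va_space`: in mode 1 everything but the heap moves between runs and the brk gap stays 0, while in mode 2 the heap address and the gap change as well.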
