Hi,
On Mon, Jan 23, 2017 at 4:55 AM, Samuli Seppänen <sam...@openvpn.net> wrote:
>
>> Checked this on win7. Process explorer shows ASLR flag is set on the
>> executable. But ASLR is not really active. The GUI is loaded at the same
>> address each time (as per vmmap from sysinternals). I see no address
>> randomization.
>>
>> Recompiling by exporting at least one function fixes this so the linker
>> is indeed not adding reloc section to the exe otherwise.
>>
>> The build option does make ASLR work for openssl dll so the only thing
>> missing there was the flag in the header. Not so for the executables.
>>
>> We need to find some fix for this, else I fear this will be ASLR in name
>> only.
>>
>> Selva
>>
>
> So we need a small code change in OpenVPN to get ASLR actually working,
> like in OpenVPN GUI?
>
> <https://github.com/OpenVPN/openvpn-gui/pull/123/>
>
> In particular something like this:
>
> <https://github.com/OpenVPN/openvpn-gui/pull/123/files#diff-
> 2045016cb90d1e65d71c2407a2570927R72>
>
> Correct?
There are many suggestions online including add --export-all-symbols to
LDFLAGS, mark main() with dllexport etc. I thought --export-all-symbols is
an overkill and suggested to just export a dummy variable for the GUI.
I don't fully understand how ASLR is implemented on Windows but my tests
show code, stack, heap and PEB addresses are randomized if dynamicbase flag
is on and there is a .reloc section in the exec (ld appears to add this
only if something is exported). So I can only say this works, not sure its
the best workaround.
I wrote a small program to see ASLR in action: it prints some
representative pointers to code, stack, heap etc to see how they change
between runs. The program and test results are here <
https://gist.github.com/selvanair/c8ffa0fe60710e05c0e38f7d0097468d>
Selva
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
