Documented way to disable ASLR on OS X?

Question

On OS X 10.9 (Mavericks), it's possible to disable address space layout randomization for a single process if you launch the process by calling posix_spawn() and passing the undocumented attribute 0x100. Like this:

extern char **environ;
pid_t pid;
posix_spawnattr_t attr;

posix_spawnattr_init(&attr);
posix_spawnattr_setflags(&attr, 0x100);
posix_spawn(&pid, argv[0], NULL, &attr, argv, environ);

(This is reverse-engineered from Apple's GDB sources.)

The trouble with undocumented features like this is that they tend to disappear without notice. According to this Stack Overflow answer the dynamic linker dyld used to consult the environment variable DYLD_NO_PIE, but this does not work in 10.9; similarly the static linker apparently used to take a --no-pie option, but this is no longer the case.

So is there a documented way to disable ASLR?

(The reason why I need to disable ASLR is to ensure repeatability, when testing and debugging, of code whose behaviour depends on the addresses of objects, for example address-based hash tables and BIBOP-based memory managers.)

Certainly seems like something not intended to be overridden. That's why it would be undocumented. What are you trying to do that you need this? — uchuugaka, Jun 14 '14 at 10:47

score 48 · Accepted Answer · edited Jul 28 '20 at 14:30

Actually, there still is a -no_pie linker flag, but you might have thought it is actually called --no-pie.

Lets have a small test program:

#include <stdio.h>

const char *test = "test";

int main() {
  printf("%p\n", (void*)test);
  return 0;
}

And compile as usual first:

cc -o test-pie test-pie.c

And check the flags

$ otool -hv test-pie
test-pie:
Mach header
      magic cputype cpusubtype  caps    filetype ncmds sizeofcmds      flags
MH_MAGIC_64  X86_64        ALL LIB64     EXECUTE    16       1376   NOUNDEFS DYLDLINK TWOLEVEL PIE

Alright there is a PIE flag in there, let's verify

$ for x in $(seq 1 5); do echo -n "$x "; ./test-pie; done
1 0x10a447f96
2 0x10e3cbf96
3 0x1005daf96
4 0x10df50f96
5 0x104e63f96

That looks random enough.

Now, lets tell the linker we don't want PIE using -Wl,-no_pie:

cc -o test-nopie test-pie.c -Wl,-no_pie

Sure enough the PIE flag is gone:

$ otool -hv test-nopie
test-pie:
Mach header
      magic cputype cpusubtype  caps    filetype ncmds sizeofcmds      flags
MH_MAGIC_64  X86_64        ALL LIB64     EXECUTE    16       1376   NOUNDEFS DYLDLINK TWOLEVEL

And test:

$ for x in $(seq 1 5); do echo -n "$x "; ./test-nopie; done
1 0x100000f96
2 0x100000f96
3 0x100000f96
4 0x100000f96
5 0x100000f96

So we make the linker not add the PIE flag, and my Mavericks system seems to still abide by it.

FWIW, the PIE flag is defined and documented in /usr/include/mach-o/loader.h as MH_PIE.

There are tools all over the Internet to clear the PIE flag from existing binaries, e.g. http://src.chromium.org/svn/trunk/src/build/mac/change_mach_o_flags.py

While I cannot offer you a documented way to start a PIE-flagged binary without ASLR, since you want to test code, presumably your own, just linking your test programs with -no_pie or removing the PIE flag afterwards from your test binaries should suffice?

`change_mach_o_flags.py` set `MH_NO_HEAP_EXECUTION` bit by default. If you do want to change the PIE flag only, use `python change_mach_o_flags.py --executable-heap --no-pie ` — youfu, May 31 '16 at 21:14

Documented way to disable ASLR on OS X?

1 Answers1