Home/ Questions/Q 8663509
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-12T17:00:04+00:00

Does anybody have a link to a documentation what exactly is randomized in what

  • 0

Does anybody have a link to a documentation what exactly is randomized in what cases for latest Mac OS (10.7) and iOS (6.0)?

I mean. I want to see a list (something like)

  • Code segment (in a case A,B,C)

  • Stack (always)

  • Heap

  • Data segment (never)

Preferably with how many bits of randomization each thing has.

All I can find is something like: “MacOS Lion implements full ASLR” and in other places “full ASLR is implemented different ways for different operation systems”, which is obviously not very informative.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The list you are looking for can easily be generated by you, as follows:

    int global_j = 0;

void main ()
{

    char *h = malloc(10);
    int j = 0;

    printf ("Globals are : %p, text is %p, stack is %p, heap is %p\n",
        &global_j, main, &j, h);

}

    On mountain lion, this yields:

    bash-3.2# ./a
Globals are : 0x10fa55020, text is 0x10fa54eb0, stack is 0x7fff501ab864, heap is 0x7f9b294000e0
bash-3.2# ./a
Globals are : 0x106bbe020, text is 0x106bbdeb0, stack is 0x7fff59042864, heap is 0x7f9752c000e0
bash-3.2# ./a
Globals are : 0x108673020, text is 0x108672eb0, stack is 0x7fff5758d864, heap is 0x7fecc34000e0
bash-3.2# ./a
Globals are : 0x1059d2020, text is 0x1059d1eb0, stack is 0x7fff5a22e864, heap is 0x7f8f81c000e0

    Showing ample randomization on all (note that due to alignment restrictions the offset within the page doesn’t get randomized, but you still get some 16-20-bit randomization, as implied by the 4-5 hex digits which change).

    • Kernel: As of Mountain Lion and iOS6, the kernel is randomized by “sliding” it with a value of vm_kernel_slide, on load. Not all vm pages are slid in this way, but for the most part this works by storing some constant value (which is also readable by System call #439, kas_info, on ML but not on iOS: Apple is struggling hard to keep the randomization value secret, and not leak it when reporting kernel addresses, so jailbreakers won’t figure out where they can jump to/overwrite – which works for them most of the time)

    Hope this helps,

    TG

    • 0