Concept: Virtual Memory

Modern architectures use virtual memory to separate process memory spaces. There are a number of resources online to catch up on the basics [1,2]. This page deals with virtual memory concepts relevant to cybersecurity.

Mapping Memory

Memory is mapped in a number of ways:

In modern systems, most allocations are at random addresses for security purposes (see [3]). Fixed addresses are still used for two purposes:

Fixed mapping is accomplished by passing the MAP_FIXED argument to mmap or mmap2 [4].

Memory Pages

Memory is mapped in pages [5]. Normal pages are 0x1000 bytes (4096 in decimal) in size, though other sizes are possible [6].

Aside from being 0x1000 in size, pages are also aligned to 0x1000. That is, the base address of any page always ends in three zero nibbles (its low 12 bits are clear). For example, potential page addresses are:

You can look at what pages a process has mapped by doing:
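The listing such a command produces can also be processed in code. The following is an added example, not code from the original page: it parses lines in the format of Linux /proc/&lt;pid&gt;/maps, uses the 0x1000 alignment rule above to count the pages each mapping spans, and flags any mapping that is both writable and executable. The mapping lines in SAMPLE_MAPS are constructed for illustration, not captured from a real process; scan_maps() can be pointed at the contents of /proc/self/maps to audit a live process.

```c
/* Added example, not code from the original page: parse lines in the format
 * of Linux /proc/<pid>/maps, work out how many 0x1000-byte pages each
 * mapping spans, and flag mappings that are both writable and executable.
 * SAMPLE_MAPS is constructed for illustration, not captured from a process. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 0x1000UL           /* normal page size, 4096 bytes */
#define PAGE_MASK (~(PAGE_SIZE - 1)) /* clears the low three nibbles */

struct mapping {
    uintptr_t start, end;  /* half-open range [start, end) */
    char perms[5];         /* e.g. "r-xp": read, write, execute, private/shared */
    char path[128];        /* backing file or pseudo-name, "" if anonymous */
};

/* Base address of the page containing addr. */
static uintptr_t page_base(uintptr_t addr) { return addr & PAGE_MASK; }

/* Next page boundary at or above addr. */
static uintptr_t page_round_up(uintptr_t addr) {
    return (addr + PAGE_SIZE - 1) & PAGE_MASK;
}

static int is_page_aligned(uintptr_t addr) {
    return (addr & (PAGE_SIZE - 1)) == 0;
}

/* Number of pages touched by [start, end). */
static unsigned long pages_in(uintptr_t start, uintptr_t end) {
    return (page_round_up(end) - page_base(start)) / PAGE_SIZE;
}

/* Writable and executable at once: the combination worth flagging. */
static int is_wx(const struct mapping *m) {
    return m->perms[1] == 'w' && m->perms[2] == 'x';
}

/* Parse one line "start-end perms offset dev inode [path]".
 * Returns 1 on success, 0 if the line does not have that shape. */
static int parse_maps_line(const char *line, struct mapping *m) {
    unsigned long start, end, offset, inode;
    char perms[5], dev[16];
    int consumed = 0;
    memset(m, 0, sizeof *m);
    if (sscanf(line, "%lx-%lx %4s %lx %15s %lu%n",
               &start, &end, perms, &offset, dev, &inode, &consumed) != 6)
        return 0;
    m->start = start;
    m->end = end;
    memcpy(m->perms, perms, sizeof m->perms);
    const char *p = line + consumed;
    while (*p == ' ' || *p == '\t') p++;    /* skip padding, stop at newline */
    size_t n = strcspn(p, "\n");
    if (n >= sizeof m->path) n = sizeof m->path - 1;
    memcpy(m->path, p, n);
    m->path[n] = '\0';
    return 1;
}

/* Parse every line of text into out[] (at most max entries).
 * Returns the number parsed; *wx_count receives how many were W+X. */
static size_t scan_maps(const char *text, struct mapping *out, size_t max,
                        unsigned *wx_count) {
    size_t n = 0;
    *wx_count = 0;
    while (*text && n < max) {
        if (parse_maps_line(text, &out[n])) {
            if (is_wx(&out[n])) (*wx_count)++;
            n++;
        }
        const char *nl = strchr(text, '\n');
        if (!nl) break;
        text = nl + 1;
    }
    return n;
}

/* Constructed sample in /proc/<pid>/maps format (not from a real process). */
static const char SAMPLE_MAPS[] =
    "00400000-00401000 r--p 00000000 08:01 1234    /usr/bin/example\n"
    "00401000-00405000 r-xp 00001000 08:01 1234    /usr/bin/example\n"
    "7f1c2a400000-7f1c2a402000 rwxp 00000000 00:00 0\n"
    "7ffd3b2e0000-7ffd3b301000 rw-p 00000000 00:00 0    [stack]\n";

int main(void) {
    struct mapping maps[16];
    unsigned wx = 0;
    size_t n = scan_maps(SAMPLE_MAPS, maps, 16, &wx);
    for (size_t i = 0; i < n; i++)
        printf("%012lx-%012lx %s %4lu pages %s %s\n",
               (unsigned long)maps[i].start, (unsigned long)maps[i].end,
               maps[i].perms, pages_in(maps[i].start, maps[i].end),
               is_wx(&maps[i]) ? "W+X!" : "    ", maps[i].path);
    printf("%u writable+executable mapping(s)\n", wx);
    return 0;
}
```

Every start and end address in a real maps listing is page-aligned, so is_page_aligned() holds for each parsed bound; the W+X check is the one a defender most wants when auditing a process, since such a region is where injected code can be both written and run.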

Weaknesses in Page Address Selection

While modern systems tend to map pages at random locations, recent research has shed light on a problem: the random location is chosen once per process, and, by default, other pages tend to be mapped contiguously to that location [10]. This is a problem for all shared libraries, and many other types of mapped pages, though typically, the main PIE binary itself does not have this issue.

At any rate, this enables a set of potential attacks:

Page Permissions

Modern operating systems are careful about protecting process memory [8]. Each page has three permission bits:

A page that is both writable and executable could allow an attacker to inject and execute shellcode. Page permissions can be modified with mprotect [9].
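The following added example (not code from the original page) shows the permission bits being enforced at runtime: it maps one anonymous page read-write with mmap, drops the write bit with mprotect, and confirms through a SIGSEGV/SIGBUS handler that a later store faults. It uses only POSIX mmap, mprotect and sigaction; the marker byte and the prot_is_wx() audit helper are constructed for the example.

```c
/* Added example, not code from the original page: map one anonymous page
 * read-write, drop the write bit with mprotect, and confirm through a
 * SIGSEGV/SIGBUS handler that a later store faults. A page left writable and
 * executable is the opposite case: hardware refuses neither writes nor
 * execution, so W^X has to come from the program or the OS. POSIX only. */
#define _DEFAULT_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf fault_env;
static volatile sig_atomic_t fault_seen;

static void on_fault(int sig) {
    (void)sig;
    fault_seen = 1;
    siglongjmp(fault_env, 1);   /* unwind out of the faulting store */
}

/* Store one byte through p. Returns 1 if the store raised a fault,
 * 0 if it completed. The previous handlers are restored before returning. */
static int write_faults(volatile unsigned char *p) {
    struct sigaction sa, old_segv, old_bus;
    int faulted;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);   /* some platforms report SIGBUS */
    fault_seen = 0;
    if (sigsetjmp(fault_env, 1) == 0)   /* 1: restore signal mask on longjmp */
        *p = 0x41;                      /* constructed marker byte */
    faulted = fault_seen;
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return faulted;
}

/* Allocate one page, write to it while RW, then make it read-only.
 * Returns 1 if the write before mprotect succeeded, the write after it
 * faulted, and the original byte survived; 0 otherwise; -1 on error. */
static int demonstrate_w_xor_x(void) {
    size_t sz = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *page = mmap(NULL, sz, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;
    int before = write_faults(page);            /* expect 0: page is RW */
    if (mprotect(page, sz, PROT_READ) != 0) {   /* drop the write bit */
        munmap(page, sz);
        return -1;
    }
    int after = write_faults(page);             /* expect 1: page is R-- */
    int intact = page[0] == 0x41;               /* faulting store changed nothing */
    munmap(page, sz);
    return before == 0 && after == 1 && intact;
}

/* Audit helper: true when a protection request asks for W and X together. */
static int prot_is_wx(int prot) {
    return (prot & PROT_WRITE) && (prot & PROT_EXEC);
}

int main(void) {
    printf("RW page made read-only, later write faults: %s\n",
           demonstrate_w_xor_x() == 1 ? "yes" : "no");
    printf("PROT_READ|PROT_WRITE|PROT_EXEC request flagged: %s\n",
           prot_is_wx(PROT_READ | PROT_WRITE | PROT_EXEC) ? "yes" : "no");
    return 0;
}
```

The same RW-then-mprotect sequence is how a W^X-respecting JIT or loader works: data is written while the page is RW, then the page is flipped to R-X so that it is never writable and executable at the same moment. A wrapper around mmap and mprotect that applies prot_is_wx() is a simple place to log or refuse W+X requests.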