# ASLR Entropy Bits for Stack on Linux

I am looking at a presentation from MIT where they explain different types of ASLR implementations.

For example, they point out that for static ASLR, stack has 19-bits of entropy. In my understanding, this means the stack base address can only be randomized to take 2^19 different values.

I want to ask how to calculate that the stack has 19-bits of entropy ?

**Edit:**

After checking online, I found some explanation of stack ASLR on Linux. Learning from another question, the code I thought may be relevant is:

#ifndef STACK_RND_MASK #define STACK_RND_MASK (0x7ff >> (PAGE_SHIFT - 12)) /* 8MB of VA */ #endif static unsigned long randomize_stack_top(unsigned long stack_top) { unsigned int random_variable = 0; if ((current->flags & PF_RANDOMIZE) && !(current->personality & ADDR_NO_RANDOMIZE)) { random_variable = get_random_int() & STACK_RND_MASK; random_variable <<= PAGE_SHIFT; } #ifdef CONFIG_STACK_GROWSUP return PAGE_ALIGN(stack_top) + random_variable; #else return PAGE_ALIGN(stack_top) - random_variable; #endif }

I want to ask if this is the right place to reason about my question ?

## Answers

Firstly, pages have to be aligned to 4096-byte boundaries, which effectively zeroes the lower 12 bits.

Next, the kernel splits the address space in to 0x00000000 - 0xbfffffff for user memory and 0xc0000000 - 0xffffffff for kernel memory. We only care about user memory here, so the kernel memory can be ignored.

If we further split up the user address space into three ranges:

Range | 2 MSBs --------------------+-------- 00000000 - 3fffffff | 00 40000000 - 7fffffff | 01 80000000 - bfffffff | 10

Generally we don't want the stack in the first range, since that's where the heap lives. This means we only have two possible combinations for the 2 most significant bits, 01 and 10, effectively turning 2 bits into 1.

We have 32 bits in a 32-bit address, so we can get our 19-bits of stack entropy with: 32 - (page alignment bits) - (memory partitioning bits) = 32 - 12 - 1 = 19