All of lore.kernel.org
 help / color / mirror / Atom feed
From: Topi Miettinen <toiwoton@gmail.com>
To: Matthew Wilcox <willy@infradead.org>
Cc: linux-hardening@vger.kernel.org, akpm@linux-foundation.org,
	linux-mm@kvack.org, linux-kernel@vger.kernel.org,
	Jann Horn <jannh@google.com>, Kees Cook <keescook@chromium.org>,
	Mike Rapoport <rppt@kernel.org>
Subject: Re: [PATCH v4] mm: Optional full ASLR for mmap() and mremap()
Date: Tue, 17 Nov 2020 22:21:30 +0200	[thread overview]
Message-ID: <19373af5-2272-7615-27a7-6734c584f8bd@gmail.com> (raw)
In-Reply-To: <20201117165455.GN29991@casper.infradead.org>

On 17.11.2020 18.54, Matthew Wilcox wrote:
> On Mon, Oct 26, 2020 at 06:05:18PM +0200, Topi Miettinen wrote:
>> Writing a new value of 3 to /proc/sys/kernel/randomize_va_space
>> enables full randomization of memory mappings created with mmap(NULL,
>> ...). With 2, the base of the VMA used for such mappings is random,
>> but the mappings are created in predictable places within the VMA and
>> in sequential order. With 3, new VMAs are created to fully randomize
>> the mappings. Also mremap(..., MREMAP_MAYMOVE) will move the mappings
>> even if not necessary.
> 
> Is this worth it?
> 
> https://www.ndss-symposium.org/ndss2017/ndss-2017-programme/aslrcache-practical-cache-attacks-mmu/

Thanks, very interesting. The paper presents an attack (AnC) which can 
break ASLR even from JavaScript in browsers. In the process it compares 
the memory allocators of Firefox and Chrome. Firefox relies on Linux 
mmap() to randomize the memory location, but Chrome internally chooses 
the randomized address. The paper doesn't present exact numbers to break 
ASLR for Chrome case, but it seems to require more effort. Chrome also 
aggressively randomizes the memory on each allocation, which seems to 
enable further possibilities for AnC to probe the MMU tables.

Disregarding the difference in aggressiveness of memory allocators, I 
think with sysctl.kernel.randomize_va_space=3, the effort for breaking 
ASLR with Firefox should be increased closer to Chrome case since mmap() 
will use the address space more randomly.

I have used this setting now for a month without any visible performance 
issues, so I think the extra bits (for some additional effort to 
attackers) are definitely worth the low cost.

Furthermore, the paper does not describe in detail how the attack would 
continue after breaking ASLR. Perhaps there are assumptions which are 
not valid when the different memory areas are no longer sequential. For 
example, if ASLR is initially broken wrt. the JIT buffer but continuing 
the attack would require other locations to be determined (like stack, 
data segment for main exe or libc etc), further efforts may be needed to 
resolve these locations. With randomize_va_space=2, resolving any 
address (JIT buffer) can reveal the addresses of many other memory areas 
but this is not the case with 3.

-Topi

  reply	other threads:[~2020-11-17 20:22 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-10-26 16:05 [PATCH v4] mm: Optional full ASLR for mmap() and mremap() Topi Miettinen
2020-11-17 16:54 ` Matthew Wilcox
2020-11-17 20:21   ` Topi Miettinen [this message]
2020-11-18 17:40     ` Mike Rapoport
     [not found]     ` <6810b874c8df456b890d1092273b354a@pexch011a.vu.local>
2020-11-18 18:49       ` Cristiano Giuffrida
2020-11-19  9:59         ` Topi Miettinen
     [not found]         ` <0da9cb0a4d1a494d9ec15404f8decf01@pexch011a.vu.local>
2020-11-19 22:20           ` Cristiano Giuffrida
2020-11-20  8:38             ` Topi Miettinen
2020-11-20 15:27               ` Matthew Wilcox
     [not found]             ` <d7e759c8ac444aa4b0ba6932563aca00@pexch011a.vu.local>
2020-11-20 14:10               ` Cristiano Giuffrida
2020-11-20 19:37                 ` Topi Miettinen
2020-11-18 22:42   ` Jann Horn
2020-11-18 22:42     ` Jann Horn
2020-11-19  9:16     ` Topi Miettinen
2020-11-24 18:27 ` Vlastimil Babka

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=19373af5-2272-7615-27a7-6734c584f8bd@gmail.com \
    --to=toiwoton@gmail.com \
    --cc=akpm@linux-foundation.org \
    --cc=jannh@google.com \
    --cc=keescook@chromium.org \
    --cc=linux-hardening@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=rppt@kernel.org \
    --cc=willy@infradead.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.