linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Mike Rapoport <rppt@kernel.org>
To: Topi Miettinen <toiwoton@gmail.com>
Cc: Cristiano Giuffrida <c.giuffrida@vu.nl>,
	Matthew Wilcox <willy@infradead.org>,
	linux-hardening@vger.kernel.org, akpm@linux-foundation.org,
	linux-mm@kvack.org, linux-kernel@vger.kernel.org,
	Jann Horn <jannh@google.com>, Kees Cook <keescook@chromium.org>
Subject: Re: [PATCH v4] mm: Optional full ASLR for mmap() and mremap()
Date: Wed, 18 Nov 2020 19:40:30 +0200	[thread overview]
Message-ID: <20201118174030.GB8537@kernel.org> (raw)
In-Reply-To: <19373af5-2272-7615-27a7-6734c584f8bd@gmail.com>

(added one of the AnC paper authors)

On Tue, Nov 17, 2020 at 10:21:30PM +0200, Topi Miettinen wrote:
> On 17.11.2020 18.54, Matthew Wilcox wrote:
> > On Mon, Oct 26, 2020 at 06:05:18PM +0200, Topi Miettinen wrote:
> > > Writing a new value of 3 to /proc/sys/kernel/randomize_va_space
> > > enables full randomization of memory mappings created with mmap(NULL,
> > > ...). With 2, the base of the VMA used for such mappings is random,
> > > but the mappings are created in predictable places within the VMA and
> > > in sequential order. With 3, new VMAs are created to fully randomize
> > > the mappings. Also mremap(..., MREMAP_MAYMOVE) will move the mappings
> > > even if not necessary.
> > 
> > Is this worth it?
> > 
> > https://www.ndss-symposium.org/ndss2017/ndss-2017-programme/aslrcache-practical-cache-attacks-mmu/
> 
> Thanks, very interesting. The paper presents an attack (AnC) which can break
> ASLR even from JavaScript in browsers. In the process it compares the memory
> allocators of Firefox and Chrome. Firefox relies on Linux mmap() to
> randomize the memory location, but Chrome internally chooses the randomized
> address. The paper doesn't present exact numbers to break ASLR for Chrome
> case, but it seems to require more effort. Chrome also aggressively
> randomizes the memory on each allocation, which seems to enable further
> possibilities for AnC to probe the MMU tables.
> 
> Disregarding the difference in aggressiveness of memory allocators, I think
> with sysctl.kernel.randomize_va_space=3, the effort for breaking ASLR with
> Firefox should be increased closer to Chrome case since mmap() will use the
> address space more randomly.
> 
> I have used this setting now for a month without any visible performance
> issues, so I think the extra bits (for some additional effort to attackers)
> are definitely worth the low cost.
> 
> Furthermore, the paper does not describe in detail how the attack would
> continue after breaking ASLR. Perhaps there are assumptions which are not
> valid when the different memory areas are no longer sequential. For example,
> if ASLR is initially broken wrt. the JIT buffer but continuing the attack
> would require other locations to be determined (like stack, data segment for
> main exe or libc etc), further efforts may be needed to resolve these
> locations. With randomize_va_space=2, resolving any address (JIT buffer) can
> reveal the addresses of many other memory areas but this is not the case
> with 3.
> 
> -Topi

-- 
Sincerely yours,
Mike.

  reply	other threads:[~2020-11-18 17:40 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-10-26 16:05 [PATCH v4] mm: Optional full ASLR for mmap() and mremap() Topi Miettinen
2020-11-17 16:54 ` Matthew Wilcox
2020-11-17 20:21   ` Topi Miettinen
2020-11-18 17:40     ` Mike Rapoport [this message]
     [not found]     ` <6810b874c8df456b890d1092273b354a@pexch011a.vu.local>
2020-11-18 18:49       ` Cristiano Giuffrida
2020-11-19  9:59         ` Topi Miettinen
     [not found]         ` <0da9cb0a4d1a494d9ec15404f8decf01@pexch011a.vu.local>
2020-11-19 22:20           ` Cristiano Giuffrida
2020-11-20  8:38             ` Topi Miettinen
2020-11-20 15:27               ` Matthew Wilcox
     [not found]             ` <d7e759c8ac444aa4b0ba6932563aca00@pexch011a.vu.local>
2020-11-20 14:10               ` Cristiano Giuffrida
2020-11-20 19:37                 ` Topi Miettinen
2020-11-18 22:42   ` Jann Horn
2020-11-19  9:16     ` Topi Miettinen
2020-11-24 18:27 ` Vlastimil Babka

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20201118174030.GB8537@kernel.org \
    --to=rppt@kernel.org \
    --cc=akpm@linux-foundation.org \
    --cc=c.giuffrida@vu.nl \
    --cc=jannh@google.com \
    --cc=keescook@chromium.org \
    --cc=linux-hardening@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=toiwoton@gmail.com \
    --cc=willy@infradead.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).