From: Mike Rapoport <rppt@kernel.org>
To: Topi Miettinen <toiwoton@gmail.com>
Cc: Cristiano Giuffrida <c.giuffrida@vu.nl>,
Matthew Wilcox <willy@infradead.org>,
linux-hardening@vger.kernel.org, akpm@linux-foundation.org,
linux-mm@kvack.org, linux-kernel@vger.kernel.org,
Jann Horn <jannh@google.com>, Kees Cook <keescook@chromium.org>
Subject: Re: [PATCH v4] mm: Optional full ASLR for mmap() and mremap()
Date: Wed, 18 Nov 2020 19:40:30 +0200 [thread overview]
Message-ID: <20201118174030.GB8537@kernel.org> (raw)
In-Reply-To: <19373af5-2272-7615-27a7-6734c584f8bd@gmail.com>
(added one of the AnC paper authors)
On Tue, Nov 17, 2020 at 10:21:30PM +0200, Topi Miettinen wrote:
> On 17.11.2020 18.54, Matthew Wilcox wrote:
> > On Mon, Oct 26, 2020 at 06:05:18PM +0200, Topi Miettinen wrote:
> > > Writing a new value of 3 to /proc/sys/kernel/randomize_va_space
> > > enables full randomization of memory mappings created with mmap(NULL,
> > > ...). With 2, the base of the VMA used for such mappings is random,
> > > but the mappings are created in predictable places within the VMA and
> > > in sequential order. With 3, new VMAs are created to fully randomize
> > > the mappings. Also mremap(..., MREMAP_MAYMOVE) will move the mappings
> > > even if not necessary.
> >
> > Is this worth it?
> >
> > https://www.ndss-symposium.org/ndss2017/ndss-2017-programme/aslrcache-practical-cache-attacks-mmu/
>
> Thanks, very interesting. The paper presents an attack (AnC) which can break
> ASLR even from JavaScript in browsers. In the process it compares the memory
> allocators of Firefox and Chrome. Firefox relies on Linux mmap() to
> randomize the memory location, but Chrome internally chooses the randomized
> address. The paper doesn't present exact numbers to break ASLR for Chrome
> case, but it seems to require more effort. Chrome also aggressively
> randomizes the memory on each allocation, which seems to enable further
> possibilities for AnC to probe the MMU tables.
>
> Disregarding the difference in aggressiveness of memory allocators, I think
> with sysctl.kernel.randomize_va_space=3, the effort for breaking ASLR with
> Firefox should be increased closer to Chrome case since mmap() will use the
> address space more randomly.
>
> I have used this setting now for a month without any visible performance
> issues, so I think the extra bits (for some additional effort to attackers)
> are definitely worth the low cost.
>
> Furthermore, the paper does not describe in detail how the attack would
> continue after breaking ASLR. Perhaps there are assumptions which are not
> valid when the different memory areas are no longer sequential. For example,
> if ASLR is initially broken wrt. the JIT buffer but continuing the attack
> would require other locations to be determined (like stack, data segment for
> main exe or libc etc), further efforts may be needed to resolve these
> locations. With randomize_va_space=2, resolving any address (JIT buffer) can
> reveal the addresses of many other memory areas but this is not the case
> with 3.
>
> -Topi
--
Sincerely yours,
Mike.
next prev parent reply other threads:[~2020-11-18 17:40 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-26 16:05 [PATCH v4] mm: Optional full ASLR for mmap() and mremap() Topi Miettinen
2020-11-17 16:54 ` Matthew Wilcox
2020-11-17 20:21 ` Topi Miettinen
2020-11-18 17:40 ` Mike Rapoport [this message]
[not found] ` <6810b874c8df456b890d1092273b354a@pexch011a.vu.local>
2020-11-18 18:49 ` Cristiano Giuffrida
2020-11-19 9:59 ` Topi Miettinen
[not found] ` <0da9cb0a4d1a494d9ec15404f8decf01@pexch011a.vu.local>
2020-11-19 22:20 ` Cristiano Giuffrida
2020-11-20 8:38 ` Topi Miettinen
2020-11-20 15:27 ` Matthew Wilcox
[not found] ` <d7e759c8ac444aa4b0ba6932563aca00@pexch011a.vu.local>
2020-11-20 14:10 ` Cristiano Giuffrida
2020-11-20 19:37 ` Topi Miettinen
2020-11-18 22:42 ` Jann Horn
2020-11-19 9:16 ` Topi Miettinen
2020-11-24 18:27 ` Vlastimil Babka
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201118174030.GB8537@kernel.org \
--to=rppt@kernel.org \
--cc=akpm@linux-foundation.org \
--cc=c.giuffrida@vu.nl \
--cc=jannh@google.com \
--cc=keescook@chromium.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=toiwoton@gmail.com \
--cc=willy@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).