From: Daniel Micay <danielmicay@gmail.com>
To: Matthew Wilcox <willy@infradead.org>
Cc: Ilya Smith <blackzert@gmail.com>,
Kees Cook <keescook@chromium.org>,
Andrew Morton <akpm@linux-foundation.org>,
Dan Williams <dan.j.williams@intel.com>,
Michal Hocko <mhocko@suse.com>,
"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
Jan Kara <jack@suse.cz>, Jerome Glisse <jglisse@redhat.com>,
Hugh Dickins <hughd@google.com>, Helge Deller <deller@gmx.de>,
Andrea Arcangeli <aarcange@redhat.com>,
Oleg Nesterov <oleg@redhat.com>, Linux-MM <linux-mm@kvack.org>,
LKML <linux-kernel@vger.kernel.org>,
Kernel Hardening <kernel-hardening@lists.openwall.com>
Subject: Re: [RFC PATCH] Randomization of address chosen by mmap.
Date: Wed, 28 Feb 2018 16:02:40 -0500 [thread overview]
Message-ID: <CA+DvKQKoo1U7T_iOOLhfEf9c+K1pzD068au+kGtx0RokFFNKHw@mail.gmail.com> (raw)
In-Reply-To: <20180228183349.GA16336@bombadil.infradead.org>
The option to add at least one guard page would be useful whether or
not it's tied to randomization. It's not feasible to do that in
userspace for mmap as a whole, only specific users of mmap like malloc
and it adds significant overhead vs. a kernel implementation. It could
optionally let you choose a minimum and maximum guard region size with
it picking random sizes if they're not equal. It's important for it to
be an enforced gap rather than something that can be filled in by
another allocation. It will obviously help a lot more when it's being
used with a hardened allocator designed to take advantage of this
rather than glibc malloc or jemalloc.
I don't think it makes sense for the kernel to attempt mitigations to
hide libraries. The best way to do that is in userspace, by having the
linker reserve a large PROT_NONE region for mapping libraries (both at
initialization and for dlopen) including a random gap to act as a
separate ASLR base. If an attacker has library addresses, it's hard to
see much point in hiding the other libraries from them. It does make
sense to keep them from knowing the location of any executable code if
they leak non-library addresses. An isolated library region + gap is a
feature we implemented in CopperheadOS and it works well, although we
haven't ported it to Android 7.x or 8.x. I don't think the kernel can
bring much / anything to the table for it. It's inherently the
responsibility of libc to randomize the lower bits for secondary
stacks too.
Fine-grained randomized mmap isn't going to be used if it causes
unpredictable levels of fragmentation or has a high / unpredictable
performance cost. I don't think it makes sense to approach it
aggressively in a way that people can't use. The OpenBSD randomized
mmap is a fairly conservative implementation to avoid causing
excessive fragmentation. I think they do a bit more than adding random
gaps by switching between different 'pivots' but that isn't very high
benefit. The main benefit is having random bits of unmapped space all
over the heap when combined with their hardened allocator which
heavily uses small mmap mappings and has a fair bit of malloc-level
randomization (it's a bitmap / hash table based slab allocator using
4k regions with a page span cache and we use a port of it to Android
with added hardening features but we're missing the fine-grained mmap
rand it's meant to have underneath what it does itself).
The default vm.max_map_count = 65530 is also a major problem for doing
fine-grained mmap randomization of any kind and there's the 32-bit
reference count overflow issue on high memory machines with
max_map_count * pid_max which isn't resolved yet.
next prev parent reply other threads:[~2018-02-28 21:02 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-02-27 13:13 [RFC PATCH] Randomization of address chosen by mmap Ilya Smith
2018-02-27 20:52 ` Kees Cook
2018-02-27 21:31 ` lazytyped
2018-02-28 17:13 ` Ilya Smith
2018-02-28 18:33 ` Matthew Wilcox
2018-02-28 21:02 ` Daniel Micay [this message]
2018-03-03 13:58 ` Ilya Smith
2018-03-03 21:00 ` Daniel Micay
2018-03-04 3:47 ` Matthew Wilcox
2018-03-04 20:56 ` Matthew Wilcox
2018-03-05 13:09 ` Ilya Smith
2018-03-05 14:23 ` Daniel Micay
2018-03-05 16:05 ` Ilya Smith
2018-03-05 16:23 ` Matthew Wilcox
2018-03-05 19:27 ` Ilya Smith
2018-03-05 19:47 ` Matthew Wilcox
2018-03-05 20:20 ` Ilya Smith
2018-03-02 20:30 ` Ilya Smith
2018-03-02 20:48 ` Matthew Wilcox
2018-03-03 15:13 ` Ilya Smith
2018-02-28 19:54 ` Kees Cook
2018-03-01 13:52 ` Ilya Smith
2018-03-02 7:17 ` 097eb0af45: kernel_BUG_at_mm/hugetlb.c kernel test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CA+DvKQKoo1U7T_iOOLhfEf9c+K1pzD068au+kGtx0RokFFNKHw@mail.gmail.com \
--to=danielmicay@gmail.com \
--cc=aarcange@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=blackzert@gmail.com \
--cc=dan.j.williams@intel.com \
--cc=deller@gmx.de \
--cc=hughd@google.com \
--cc=jack@suse.cz \
--cc=jglisse@redhat.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=kirill.shutemov@linux.intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mhocko@suse.com \
--cc=oleg@redhat.com \
--cc=willy@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).