Message-ID: <5482D0CB.80903@gmail.com>
Date: Sat, 06 Dec 2014 10:47:55 +0100
From: lazytyped <lazytyped@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: How GNU/Linux distros deal with offset2lib attack?

On 06/12/2014 08:22, Shawn wrote:
> Hi guys,
>
> As you know Hector Marco disclosed a new attack targeting the
> GNU/Linux mitigation defensive technology earlier this week:
> http://www.openwall.com/lists/oss-security/2014/12/04/19
> http://cybersecurity.upv.es/attacks/offset2lib/offset2lib.html
[...]
> It seems ASLRv3 is the best option we have? Or anything else?

I think there is quite a bit of sweating on very little.

This attack assumes that the attacker is capable of guessing the load address of the PIE binary. It basically already bypassed ASLR. It then "notices" that the PIE .text segment is loaded at a fixed offset from the shared libraries (BTW: shared libraries are loaded at fixed offsets among each other) and mounts a ROP attack using the shared library gadgets.

This "fixed offset" is IMHO very unlikely to be a security issue, since in the vast majority of real life cases, the PIE .text itself will already contain enough gadgets to mount the attack. In other words, one may decide to separate the PIE .text from the rest of the libraries' .text, but I don't really see much of a security win there.

TL;DR: ASLR is a mitigation; if you have a chance to brute-force or infoleak -one- address from it, the mitigation is gone. Separating the PIE .text or even the libraries' .text from each other won't buy you much.

- Enrico
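The fixed-offset property discussed in this thread can be checked on a given kernel by comparing the executable-to-library distances across several runs of the same PIE. The following is an added example, not code from the thread or from the offset2lib authors: it parses /proc/<pid>/maps text and reports whether those distances stay constant; the maps snapshots and the path /usr/bin/demo are constructed sample data.

```python
"""Check whether a PIE's base and its shared libraries move together.

Added example: if the offset from the executable to libc is identical
across runs, one leaked address reveals every library (the offset2lib
observation); if it varies, the bases are randomised independently.
"""
import re
from typing import Dict, List, Tuple

# start-end perms offset dev inode [path]  (the /proc/<pid>/maps line format)
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s*(.*)$")


def parse_maps(text: str) -> List[Tuple[int, int, str, str]]:
    """Return (start, end, perms, path) for each mapping line."""
    out = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            out.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3), m.group(4)))
    return out


def base_addresses(maps) -> Dict[str, int]:
    """Lowest start address per file-backed object (its load base)."""
    bases: Dict[str, int] = {}
    for start, _end, _perms, path in maps:
        if path and not path.startswith("["):          # skip [stack], [vdso], anonymous
            bases[path] = min(start, bases.get(path, start))
    return bases


def lib_offsets(maps, exe_path: str) -> Dict[str, int]:
    """Distance from the executable's base to every other object's base."""
    bases = base_addresses(maps)
    exe = bases[exe_path]
    return {p: b - exe for p, b in bases.items() if p != exe_path}


def offsets_stable(snapshots: List[str], exe_path: str = "/usr/bin/demo") -> bool:
    """True if every snapshot shows the same exe-to-library offsets."""
    offsets = [lib_offsets(parse_maps(s), exe_path) for s in snapshots]
    return all(o == offsets[0] for o in offsets[1:])


def constructed_maps(exe_base: int, libc_base: int, ld_base: int) -> str:
    """Constructed maps text for a PIE process (sample data, not a real capture)."""
    row = "{:x}-{:x} {} 00000000 08:01 {} {}"
    return "\n".join([
        row.format(exe_base, exe_base + 0x1000, "r--p", 1234, "/usr/bin/demo"),
        row.format(exe_base + 0x1000, exe_base + 0x3000, "r-xp", 1234, "/usr/bin/demo"),
        row.format(libc_base, libc_base + 0x1c0000, "r-xp", 5678, "/usr/lib/libc.so.6"),
        row.format(ld_base, ld_base + 0x20000, "r-xp", 9012, "/usr/lib/ld-linux-x86-64.so.2"),
        "7ffd0e800000-7ffd0e821000 rw-p 00000000 00:00 0 [stack]",
    ])


# Two runs where only the shared mmap base moved: exe and libraries shift together.
COUPLED = [constructed_maps(0x7f3c5a200000, 0x7f3c5a400000, 0x7f3c5a7c0000),
           constructed_maps(0x7f9d11000000, 0x7f9d11200000, 0x7f9d115c0000)]
# A further run where the exe base was randomised independently of the libraries.
INDEPENDENT = COUPLED + [constructed_maps(0x55e4c8a00000, 0x7f9d11200000, 0x7f9d115c0000)]
```

On a live system, replace the constructed snapshots with the contents of /proc/<pid>/maps from several launches of the same PIE and pass the binary's own path as exe_path.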