Re: [RFC PATCH v2 0/2] Randomization of address chosen by mmap.

[RFC PATCH v2 0/2] Randomization of address chosen by mmap. · Ilya Smith <hidden> · 2018-03-22
[RFC PATCH v2 1/2] Randomization of address chosen by mmap. · Ilya Smith <hidden> · 2018-03-22
Re: [RFC PATCH v2 1/2] Randomization of address chosen by mmap. · Andrew Morton <akpm@linux-foundation.org> · 2018-03-22
Re: [RFC PATCH v2 1/2] Randomization of address chosen by mmap. · Ilya Smith <hidden> · 2018-03-23
[RFC PATCH v2 2/2] Architecture defined limit on memory region random shift. · Ilya Smith <hidden> · 2018-03-22
Re: [RFC PATCH v2 2/2] Architecture defined limit on memory region random shift. · Andrew Morton <akpm@linux-foundation.org> · 2018-03-22
Re: [RFC PATCH v2 2/2] Architecture defined limit on memory region random shift. · Ilya Smith <hidden> · 2018-03-23
Re: [RFC PATCH v2 2/2] Architecture defined limit on memory region random shift. · Ilya Smith <hidden> · 2018-03-23
Re: [RFC PATCH v2 0/2] Randomization of address chosen by mmap. · Andrew Morton <akpm@linux-foundation.org> · 2018-03-22
Re: [RFC PATCH v2 0/2] Randomization of address chosen by mmap. · Ilya Smith <hidden> · 2018-03-23
Re: [RFC PATCH v2 0/2] Randomization of address chosen by mmap. · Matthew Wilcox <willy@infradead.org> · 2018-03-23
Re: [RFC PATCH v2 0/2] Randomization of address chosen by mmap. · Ilya Smith <hidden> · 2018-03-23
Re: [RFC PATCH v2 0/2] Randomization of address chosen by mmap. · Michal Hocko <mhocko@kernel.org> · 2018-03-26
Re: [RFC PATCH v2 0/2] Randomization of address chosen by mmap. · Ilya Smith <hidden> · 2018-03-26
Re: [RFC PATCH v2 0/2] Randomization of address chosen by mmap. · Michal Hocko <mhocko@kernel.org> · 2018-03-27
Re: [RFC PATCH v2 0/2] Randomization of address chosen by mmap. · Ilya Smith <hidden> · 2018-03-27
Re: [RFC PATCH v2 0/2] Randomization of address chosen by mmap. · Michal Hocko <mhocko@kernel.org> · 2018-03-27
Re: [RFC PATCH v2 0/2] Randomization of address chosen by mmap. · Ilya Smith <hidden> · 2018-03-28
Re: [RFC PATCH v2 0/2] Randomization of address chosen by mmap. · "Theodore Y. Ts'o" <tytso@mit.edu> · 2018-03-27
Re: [RFC PATCH v2 0/2] Randomization of address chosen by mmap. · Rich Felker <dalias@libc.org> · 2018-03-27
Re: [RFC PATCH v2 0/2] Randomization of address chosen by mmap. · Ilya Smith <hidden> · 2018-03-28
Re: [RFC PATCH v2 0/2] Randomization of address chosen by mmap. · Kees Cook <hidden> · 2018-03-27
Re: [RFC PATCH v2 0/2] Randomization of address chosen by mmap. · Matthew Wilcox <willy@infradead.org> · 2018-03-27
Re: [RFC PATCH v2 0/2] Randomization of address chosen by mmap. · Kees Cook <hidden> · 2018-03-27
Re: [RFC PATCH v2 0/2] Randomization of address chosen by mmap. · Rich Felker <dalias@libc.org> · 2018-03-28
RE: [RFC PATCH v2 0/2] Randomization of address chosen by mmap. · "Luck, Tony" <tony.luck@intel.com> · 2018-03-28
Re: [RFC PATCH v2 0/2] Randomization of address chosen by mmap. · Ilya Smith <hidden> · 2018-04-03
Re: [RFC PATCH v2 0/2] Randomization of address chosen by mmap. · Ilya Smith <hidden> · 2018-03-28
Re: [RFC PATCH v2 0/2] Randomization of address chosen by mmap. · Rich Felker <dalias@libc.org> · 2018-03-23
Re: [RFC PATCH v2 0/2] Randomization of address chosen by mmap. · Matthew Wilcox <willy@infradead.org> · 2018-03-23
Re: [RFC PATCH v2 0/2] Randomization of address chosen by mmap. · Rich Felker <dalias@libc.org> · 2018-03-23
Re: [RFC PATCH v2 0/2] Randomization of address chosen by mmap. · Matthew Wilcox <willy@infradead.org> · 2018-03-23
Re: [RFC PATCH v2 0/2] Randomization of address chosen by mmap. · Rich Felker <dalias@libc.org> · 2018-03-23
Re: [RFC PATCH v2 0/2] Randomization of address chosen by mmap. · Rob Landley <hidden> · 2018-03-28
Re: [RFC PATCH v2 0/2] Randomization of address chosen by mmap. · Pavel Machek <hidden> · 2018-03-30
Re: [RFC PATCH v2 0/2] Randomization of address chosen by mmap. · Ilya Smith <hidden> · 2018-03-30
Re: [RFC PATCH v2 0/2] Randomization of address chosen by mmap. · Pavel Machek <hidden> · 2018-03-30
Re: [RFC PATCH v2 0/2] Randomization of address chosen by mmap. · Ilya Smith <hidden> · 2018-03-30
Re: [RFC PATCH v2 0/2] Randomization of address chosen by mmap. · Rich Felker <dalias@libc.org> · 2018-03-30

From: Kees Cook <hidden>
Date: 2018-03-27 22:53:53
Also in: linux-alpha, linux-mips, linux-mm, linux-s390, lkml

On Tue, Mar 27, 2018 at 6:51 AM, Ilya Smith [off-list ref] wrote:

quoted

On 27 Mar 2018, at 10:24, Michal Hocko [off-list ref] wrote:

On Mon 26-03-18 22:45:31, Ilya Smith wrote:

quoted

On 26 Mar 2018, at 11:46, Michal Hocko [off-list ref] wrote:

On Fri 23-03-18 20:55:49, Ilya Smith wrote:

quoted

On 23 Mar 2018, at 15:48, Matthew Wilcox [off-list ref] wrote=

quoted

On Thu, Mar 22, 2018 at 07:36:36PM +0300, Ilya Smith wrote:

quoted

Current implementation doesn't randomize address returned by mmap.
All the entropy ends with choosing mmap_base_addr at the process
creation. After that mmap build very predictable layout of address
space. It allows to bypass ASLR in many cases. This patch make
randomization of address on any mmap call.

Why should this be done in the kernel rather than libc?  libc is per=

fectly

quoted

capable of specifying random numbers in the first argument of mmap.

Well, there is following reasons:
1. It should be done in any libc implementation, what is not possible=

 IMO;

quoted

Is this really so helpful?

Yes, ASLR is one of very important mitigation techniques which are real=

ly used

quoted

to protect applications. If there is no ASLR, it is very easy to exploi=

quoted

vulnerable application and compromise the system. We can=E2=80=99t just=

 fix all the

quoted

vulnerabilities right now, thats why we have mitigations - techniques w=

hich are

quoted

makes exploitation more hard or impossible in some cases.

Thats why it is helpful.

I am not questioning ASLR in general. I am asking whether we really need
per mmap ASLR in general. I can imagine that some environments want to
pay the additional price and other side effects, but considering this
can be achieved by libc, why to add more code to the kernel?

I believe this is the only one right place for it. Adding these 200+ line=

s of

code we give this feature for any user - on desktop, on server, on IoT de=

vice,

on SCADA, etc. But if only glibc will implement =E2=80=98user-mode-aslr=

=E2=80=99 IoT and SCADA

devices will never get it.

I agree: pushing this off to libc leaves a lot of things unprotected.
I think this should live in the kernel. The question I have is about
making it maintainable/readable/etc.

The state-of-the-art for ASLR is moving to finer granularity (over
just base-address offset), so I'd really like to see this supported in
the kernel. We'll be getting there for other things in the future, and
I'd like to have a working production example for researchers to
study, etc.

-Kees

--=20
Kees Cook
Pixel Security

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help