Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1762971Ab3DDVBn (ORCPT ); Thu, 4 Apr 2013 17:01:43 -0400 Received: from mail-wg0-f42.google.com ([74.125.82.42]:41145 "EHLO mail-wg0-f42.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1762570Ab3DDVBl (ORCPT ); Thu, 4 Apr 2013 17:01:41 -0400 MIME-Version: 1.0 In-Reply-To: References: <1365106055-22939-1-git-send-email-keescook@chromium.org> <1365106055-22939-4-git-send-email-keescook@chromium.org> <515DDEC0.9000109@zytor.com> Date: Thu, 4 Apr 2013 14:01:39 -0700 Message-ID: Subject: Re: [PATCH 3/3] x86: kernel base offset ASLR From: Eric Northup To: "H. Peter Anvin" Cc: Kees Cook , LKML , "kernel-hardening@lists.openwall.com" , Thomas Gleixner , Ingo Molnar , "x86@kernel.org" , Jarkko Sakkinen , Matthew Garrett , Matt Fleming , Dan Rosenberg , Julien Tinnes , Will Drewry Content-Type: text/plain; charset=ISO-8859-1 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2497 Lines: 56 On Thu, Apr 4, 2013 at 1:58 PM, H. Peter Anvin wrote: > It seems to me that you are assuming that the attacker is targeting a specific system, but a bot might as well target 256 different systems and see what sticks... The alarm signal from the ones that don't stick is, in my opinion, the primary benefit from this work -- it makes certain classes of attack much less economical. A crash dump from a panic'd machine may include enough information to diagnose the exploited vulnerability - and once diagnosed and fixed, knowledge about the vulnerability is much less valuable. > > Kees Cook wrote: > >>On Thu, Apr 4, 2013 at 1:12 PM, H. Peter Anvin wrote: >>> On 04/04/2013 01:07 PM, Kees Cook wrote: >>>> However, the benefits of >>>> this feature in certain environments exceed the perceived >>weaknesses[2]. >>> >>> Could you clarify? >> >>I would summarize the discussion of KASLR weaknesses into to two >>general observations: >>1- it depends on address location secrecy and leaks are common/easy. >>2- it has low entropy so attack success rates may be high. >> >>For "1", as Julien mentions, remote attacks and attacks from a >>significantly contained process (via seccomp-bpf) minimizes the leak >>exposure. For local attacks, cache timing attacks and other things >>also exist, but the ASLR can be improved to defend against that too. >>So, KASLR is useful on systems that are virtualization hosts, >>providing remote services, or running locally confined processes. >> >>For "2", I think that the comparison to userspace ASLR entropy isn't >>as direct. For userspace, most systems don't tend to have any kind of >>watchdog on segfaulting processes, so a remote attacker could just >>keep trying an attack until they got lucky, in which case low entropy >>is a serious problem. In the case of KASLR, a single attack failure >>means the system goes down, which makes mounting an attack much more >>difficult. I think 8 bits is fine to start with, and I think start >>with a base offset ASLR is a good first step. We can improve things in >>the future. >> >>-Kees >> >>-- >>Kees Cook >>Chrome OS Security > > -- > Sent from my mobile phone. Please excuse brevity and lack of formatting. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/