Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1031329AbbKDWUE (ORCPT ); Wed, 4 Nov 2015 17:20:04 -0500 Received: from out01.mta.xmission.com ([166.70.13.231]:34099 "EHLO out01.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1031128AbbKDWT6 (ORCPT ); Wed, 4 Nov 2015 17:19:58 -0500 From: ebiederm@xmission.com (Eric W. Biederman) To: Daniel Cashman Cc: Andrew Morton , linux-kernel@vger.kernel.org, linux@arm.linux.org.uk, keescook@chromium.org, mingo@kernel.org, linux-arm-kernel@lists.infradead.org, corbet@lwn.net, dzickus@redhat.com, xypron.glpk@gmx.de, jpoimboe@redhat.com, kirill.shutemov@linux.intel.com, n-horiguchi@ah.jp.nec.com, aarcange@redhat.com, mgorman@suse.de, tglx@linutronix.de, rientjes@google.com, linux-mm@kvack.org, linux-doc@vger.kernel.org, salyzyn@android.com, jeffv@google.com, nnk@google.com, dcashman References: <1446574204-15567-1-git-send-email-dcashman@android.com> <20151103160410.34bbebc805c17d2f41150a19@linux-foundation.org> <87k2pyppfk.fsf@x220.int.ebiederm.org> <20151103173156.9ca17f52.akpm@linux-foundation.org> <563A5D0D.9030109@android.com> Date: Wed, 04 Nov 2015 16:10:43 -0600 In-Reply-To: <563A5D0D.9030109@android.com> (Daniel Cashman's message of "Wed, 4 Nov 2015 11:31:25 -0800") Message-ID: <87r3k5mn4s.fsf@x220.int.ebiederm.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-XM-AID: U2FsdGVkX18pdwklujqVxI69H2cMaMtKIK7GhV/t+t0= X-SA-Exim-Connect-IP: 67.3.201.231 X-SA-Exim-Mail-From: ebiederm@xmission.com X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP * 0.7 XMSubLong Long Subject * 0.0 TVD_RCVD_IP Message was received from an IP address * 0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available. * 1.3 XMBlogspot URI: Link to something.blogspot.com * 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60% * [score: 0.5000] * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC * [sa04 1397; Body=1 Fuz1=1 Fuz2=1] * 0.0 T_TooManySym_01 4+ unique symbols in subject * 0.0 T_TooManySym_02 5+ unique symbols in subject X-Spam-DCC: XMission; sa04 1397; Body=1 Fuz1=1 Fuz2=1 X-Spam-Combo: *;Daniel Cashman X-Spam-Relay-Country: X-Spam-Timing: total 430 ms - load_scoreonly_sql: 0.05 (0.0%), signal_user_changed: 4.1 (1.0%), b_tie_ro: 3.1 (0.7%), parse: 0.70 (0.2%), extract_message_metadata: 22 (5.0%), get_uri_detail_list: 3.8 (0.9%), tests_pri_-1000: 9 (2.0%), tests_pri_-950: 1.12 (0.3%), tests_pri_-900: 0.97 (0.2%), tests_pri_-400: 43 (9.9%), check_bayes: 41 (9.5%), b_tokenize: 9 (2.1%), b_tok_get_all: 14 (3.3%), b_comp_prob: 4.3 (1.0%), b_tok_touch_all: 11 (2.5%), b_finish: 0.95 (0.2%), tests_pri_0: 312 (72.5%), tests_pri_500: 36 (8.3%), poll_dns_idle: 26 (6.1%), rewrite_mail: 0.00 (0.0%) Subject: Re: [PATCH v2 1/2] mm: mmap: Add new /proc tunable for mmap_base ASLR. X-Spam-Flag: No X-SA-Exim-Version: 4.2.1 (built Wed, 24 Sep 2014 11:00:52 -0600) X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 4214 Lines: 88 Daniel Cashman writes: > On 11/3/15 5:31 PM, Andrew Morton wrote: >> On Tue, 03 Nov 2015 18:40:31 -0600 ebiederm@xmission.com (Eric W. Biederman) wrote: >> >>> Andrew Morton writes: >>> >>>> On Tue, 3 Nov 2015 10:10:03 -0800 Daniel Cashman wrote: >>>> >>>>> ASLR currently only uses 8 bits to generate the random offset for the >>>>> mmap base address on 32 bit architectures. This value was chosen to >>>>> prevent a poorly chosen value from dividing the address space in such >>>>> a way as to prevent large allocations. This may not be an issue on all >>>>> platforms. Allow the specification of a minimum number of bits so that >>>>> platforms desiring greater ASLR protection may determine where to place >>>>> the trade-off. >>>> >>>> Can we please include a very good description of the motivation for this >>>> change? What is inadequate about the current code, what value does the >>>> enhancement have to our users, what real-world problems are being solved, >>>> etc. >>>> >>>> Because all we have at present is "greater ASLR protection", which doesn't >>>> really tell anyone anything. >>> >>> The description seemed clear to me. >>> >>> More random bits, more entropy, more work needed to brute force. >>> >>> 8 bits only requires 256 tries (or a 1 in 256) chance to brute force >>> something. >> >> Of course, but that's not really very useful. >> >>> We have seen in the last couple of months on Android how only having 8 bits >>> doesn't help much. >> >> Now THAT is important. What happened here and how well does the >> proposed fix improve things? How much longer will a brute-force attack >> take to succeed, with a particular set of kernel parameters? Is the >> new duration considered to be sufficiently long and if not, are there >> alternative fixes we should be looking at? >> >> Stuff like this. >> >>> Each additional bit doubles the protection (and unfortunately also >>> increases fragmentation of the userspace address space). >> >> OK, so the benefit comes with a cost and people who are configuring >> systems (and the people who are reviewing this patchset!) need to >> understand the tradeoffs. Please. > > The direct motivation here was in response to the libstagefright > vulnerabilities that affected Android, specifically to information > provided by Google's project zero at: > > http://googleprojectzero.blogspot.com/2015/09/stagefrightened.html > > The attack there specifically used the limited randomness used in > generating the mmap base address as part of a brute-force-based exploit. > In this particular case, the attack was against the mediaserver process > on Android, which was limited to respawning every 5 seconds, giving the > attacker an average expected success rate of defeating the mmap ASLR > after over 10 minutes (128 tries at 5 seconds each). With change to the > maximum proposed value of 16 bits, this would change to over 45 hours > (32768 tries), which would make the user of such a system much more > likely to notice such an attack. > > I understand the desire for this clarification, and will happily try to > improve the explanation for this change, especially so that those > considering use of this option understand the tradeoffs, but I also view > this as one particular hardening change which is a component of making > attacks such as these harder, rather than the only solution. As for the > clarification itself, where would you like it? I could include a cover > letter for this patch-set, elaborate more in the commit message itself, > add more to the Kconfig help description, or some combination of the above. Unless I am mistaken this there is no cross over between different processes of this randomization. Would it make sense to have this as an rlimit so that if you have processes on the system that are affected by the tradeoff differently this setting can be changed per process? Eric -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/