Re: [PATCH 3/3] x86: kernel base offset ASLR

From: H. Peter Anvin
Date: Thu Apr 04 2013 - 17:02:08 EST

Next message: Eric Valette: "Re: Strange trace in dmesg on kernel 3.8.5"
Previous message: Eric Northup: "Re: [PATCH 3/3] x86: kernel base offset ASLR"
In reply to: Kees Cook: "Re: [PATCH 3/3] x86: kernel base offset ASLR"
Next in thread: Eric Northup: "Re: [PATCH 3/3] x86: kernel base offset ASLR"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

What system monitoring? Most systems don't have much...

Kees Cook <keescook@xxxxxxxxxxxx> wrote:

>On Thu, Apr 4, 2013 at 1:58 PM, H. Peter Anvin <hpa@xxxxxxxxx> wrote:
>> It seems to me that you are assuming that the attacker is targeting a
>specific system, but a bot might as well target 256 different systems
>and see what sticks...
>
>Certainly, but system monitoring will show 255 crashed machines, which
>is a huge blip on any radar. :)
>
>-Kees
>
>>
>> Kees Cook <keescook@xxxxxxxxxxxx> wrote:
>>
>>>On Thu, Apr 4, 2013 at 1:12 PM, H. Peter Anvin <hpa@xxxxxxxxx> wrote:
>>>> On 04/04/2013 01:07 PM, Kees Cook wrote:
>>>>> However, the benefits of
>>>>> this feature in certain environments exceed the perceived
>>>weaknesses[2].
>>>>
>>>> Could you clarify?
>>>
>>>I would summarize the discussion of KASLR weaknesses into to two
>>>general observations:
>>>1- it depends on address location secrecy and leaks are common/easy.
>>>2- it has low entropy so attack success rates may be high.
>>>
>>>For "1", as Julien mentions, remote attacks and attacks from a
>>>significantly contained process (via seccomp-bpf) minimizes the leak
>>>exposure. For local attacks, cache timing attacks and other things
>>>also exist, but the ASLR can be improved to defend against that too.
>>>So, KASLR is useful on systems that are virtualization hosts,
>>>providing remote services, or running locally confined processes.
>>>
>>>For "2", I think that the comparison to userspace ASLR entropy isn't
>>>as direct. For userspace, most systems don't tend to have any kind of
>>>watchdog on segfaulting processes, so a remote attacker could just
>>>keep trying an attack until they got lucky, in which case low entropy
>>>is a serious problem. In the case of KASLR, a single attack failure
>>>means the system goes down, which makes mounting an attack much more
>>>difficult. I think 8 bits is fine to start with, and I think start
>>>with a base offset ASLR is a good first step. We can improve things
>in
>>>the future.
>>>
>>>-Kees
>>>
>>>--
>>>Kees Cook
>>>Chrome OS Security
>>
>> --
>> Sent from my mobile phone. Please excuse brevity and lack of
>formatting.
>
>
>
>--
>Kees Cook
>Chrome OS Security

--
Sent from my mobile phone. Please excuse brevity and lack of formatting.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Eric Valette: "Re: Strange trace in dmesg on kernel 3.8.5"
Previous message: Eric Northup: "Re: [PATCH 3/3] x86: kernel base offset ASLR"
In reply to: Kees Cook: "Re: [PATCH 3/3] x86: kernel base offset ASLR"
Next in thread: Eric Northup: "Re: [PATCH 3/3] x86: kernel base offset ASLR"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]