Re: [RFC PATCH v2 0/2] Randomization of address chosen by mmap.

From: Michal Hocko
Date: Tue Mar 27 2018 - 03:24:43 EST


On Mon 26-03-18 22:45:31, Ilya Smith wrote:
>
> > On 26 Mar 2018, at 11:46, Michal Hocko <mhocko@xxxxxxxxxx> wrote:
> >
> > On Fri 23-03-18 20:55:49, Ilya Smith wrote:
> >>
> >>> On 23 Mar 2018, at 15:48, Matthew Wilcox <willy@xxxxxxxxxxxxx> wrote:
> >>>
> >>> On Thu, Mar 22, 2018 at 07:36:36PM +0300, Ilya Smith wrote:
> >>>> Current implementation doesn't randomize address returned by mmap.
> >>>> All the entropy ends with choosing mmap_base_addr at the process
> >>>> creation. After that mmap build very predictable layout of address
> >>>> space. It allows to bypass ASLR in many cases. This patch make
> >>>> randomization of address on any mmap call.
> >>>
> >>> Why should this be done in the kernel rather than libc? libc is perfectly
> >>> capable of specifying random numbers in the first argument of mmap.
> >> Well, there is following reasons:
> >> 1. It should be done in any libc implementation, what is not possible IMO;
> >
> > Is this really so helpful?
>
> Yes, ASLR is one of very important mitigation techniques which are really used
> to protect applications. If there is no ASLR, it is very easy to exploit
> vulnerable application and compromise the system. We canât just fix all the
> vulnerabilities right now, thats why we have mitigations - techniques which are
> makes exploitation more hard or impossible in some cases.
>
> Thats why it is helpful.

I am not questioning ASLR in general. I am asking whether we really need
per mmap ASLR in general. I can imagine that some environments want to
pay the additional price and other side effects, but considering this
can be achieved by libc, why to add more code to the kernel?

> >
> >> 2. User mode is not that layer which should be responsible for choosing
> >> random address or handling entropy;
> >
> > Why?
>
> Because of the following reasons:
> 1. To get random address you should have entropy. These entropy shouldnât be
> exposed to attacker anyhow, the best case is to get it from kernel. So this is
> a syscall.

/dev/[u]random is not sufficient?

> 2. You should have memory map of your process to prevent remapping or big
> fragmentation. Kernel already has this map.

/proc/self/maps?

> You will got another one in libc.
> And any non-libc user of mmap (via syscall, etc) will make hole in your map.
> This one also decrease performance cause you any way call syscall_mmap
> which will try to find some address for you in worst case, but after you already
> did some computing on it.

I do not understand. a) you should be prepared to pay an additional
price for an additional security measures and b) how would anybody punch
a hole into your mapping?

> 3. The more memory you use in userland for these proposal, the easier for
> attacker to leak it or use in exploitation techniques.

This is true in general, isn't it? I fail to see how kernel chosen and
user chosen ranges would make any difference.

> 4. It is so easy to fix Kernel function and so hard to support memory
> management from userspace.

Well, on the other hand the new layout mode will add a maintenance
burden on the kernel and will have to be maintained for ever because it
is a user visible ABI.

> >> 3. Memory fragmentation is unpredictable in this case
> >>
> >> Off course user mode could use random âhintâ address, but kernel may
> >> discard this address if it is occupied for example and allocate just before
> >> closest vma. So this solution doesnât give that much security like
> >> randomization address inside kernel.
> >
> > The userspace can use the new MAP_FIXED_NOREPLACE to probe for the
> > address range atomically and chose a different range on failure.
> >
>
> This algorithm should track current memory. If he doesnât he may cause
> infinite loop while trying to choose memory. And each iteration increase time
> needed on allocation new memory, what is not preferred by any libc library
> developer.

Well, I am pretty sure userspace can implement proper free ranges
tracking...

--
Michal Hocko
SUSE Labs
--
To unsubscribe from this list: send the line "unsubscribe linux-alpha" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html