Randomize address space after each fork

From: cerberus cerberus
Date: Wed Oct 31 2018 - 21:27:01 EST


Randomize address space after each fork
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I might be entirely wrong with what I write
and the solution proposed thereafter, yet I
want to raise awareness that with current linux
kernels it is possible to leak (at least) heap
addresses in an attempt to weaken address space
layout randomization. The listed example shows [1]
code, it completely identifies three bytes of
the heap memory mappings, that is enough to weaken
aslr in a way to make it unusable over time.

One idea is to disallow a process to use the
same addresses after a fork and randomize them
after each fork just as during execution stage,
this will render the attack unusable. I know
this sounds nuts but is most probably the most
straightforward way to fix the issue.

real mapping:
55b118238000-55b11827b000 rw-p [heap]


linux kernel leaking the addresses partial:

Discover first byte in offset

Try Offsets 10ffff to ffffff ...

Try Offsets 20ffff to ffffff ...

Offset 239000 Survived ...

Offset 24d000 Survived ...

Offset 251000 Survived ...

Offset 261000 Survived ...

Offset 27d000 Survived ...

Offset 281000 Survived ...

That's quite exact the heap start to end address.


My apologies for suggesting only the solution,
I'm too stupid to implement this in real life in,
i.e. linux itself :)


[1] testcase: https://www.exploit-db.com/exploits/45671/
(referring to version 4.4.0-116, x86_64)

Have a nice day!