Hey David, I'm responding inline. On Thu, Jun 09, 2016 at 09:18:40AM +0100, David Chisnall wrote: > If this paper is the one that I think it is, then I was one of the reviewers. Their attack is neat, but it depends quite a lot on being able to deterministically trigger deduplication. Their proof-of-concept exploit was on Windows (and JavaScript attack was really fun) and I???m not convinced that it would work reliably on Linux or VMWare ESX, which both defer deduplication for as long as possible to avoid NUMA-related overheads. > > We don???t currently have a FreeBSD implementation, but if someone wanted to provide one then a defence against this attack would be fairly simple: count the number of CoW faults that a process is receiving and if it reaches a certain threshold then remove all of its memory from the set of eligible pages. The attack relies on being able to repeatedly trigger CoW faults and time whether they occur, with the same set of pages. At least some existing implementations will make this impossible as these pages will repeatedly be deduplicated and then duplicated and this is already a pathological case that most memory deduplication implementations need to handle (as well as being a security hole, it???s also a big performance killer). Competely agreed. This is a "nothing to see here" situation. The paper simply doesn't apply to FreeBSD. > > Kib has been working on ASLR for FreeBSD (I think it???s in 11?), but at this point it???s more of a checkbox item than a serious mitigation technique. It adds a little bit of work for attackers, but there are so many attacks that can bypass ASLR even with strong entropy that it just increases the work factor slightly. If you???re running code written in C, then you???re better off relying on Capscium compartmentalisation to limit what the attacker can do once they???ve compromised it. Kib's ASR implementation hasn't made it to HEAD, yet. It differs from ASLR in pretty drastic ways. Using heap spraying attacks, an attacker will easily be able to disable the ASR implementation Kib has proposed. The same does not hold true for the proper ASLR implementation that has existed for a number of years--HardenedBSD's. Simply forcing address space fragmentation should not disable ASLR, which is the case for FreeBSD's ASR. Kib's implementation requires a lot of further work, especially in regards to stack and shared page randomization, which doesn't exist in his patch. He views stack and shared page randomization outside the scope of ASR and I have no clue why as no explanation has been given. While ASLR bypasses exist (ROP, SROP, JROP, etc.), they require a number of additional vulnerabilities to be able to effectively control [ER]IP. Just like any security technology, ASLR isn't meant to be the end-all-be-all of security, but just one more layer in a defense-in-depth strategy. The more layers an attacker has to punch through, the higher the burden. Capsicum would indeed be something to look into, but is heavy-handed and requires modification of source code. Capsicum cannot be applied to proprietary applications without coordination from the vendor, whereas ASLR can be. I like Capsicum, but integrating "ALL THE THINGS!" with it takes a lot of work. Thanks, -- Shawn Webb Cofounder and Security Engineer HardenedBSD GPG Key ID: 0x6A84658F52456EEE GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEEReceived on Thu Jun 09 2016 - 11:02:56 UTC
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:05 UTC