Excellent work, thank you!

We are not using Gentoo but your results will benefit us (and everyone)
since the vulnerable projects will be fixed upstream.
Please let us know what feedback you receive at Fosdem.

asan is indeed primarily a testing tool.
As a mitigation technique it is somewhat weak, although it can reliably
protect from some of the bug classes (fixed offset buffer overflows, at least).
You may want to emphasise that running asan in production is not (just) a
hardening technique, but a way to find more bugs and get them fixed.
This is exactly what we see in Chromium: no matter how good our fuzzers are,
running asan-ified Chrome as a primary browser will eventually find more bugs.

If you need a stronger protection, have a look at
http://clang.llvm.org/docs/ControlFlowIntegrity.html and
http://clang.llvm.org/docs/SafeStack.html
(Hm, Tor folks may be interested :)

--kcc

On Tue, Jan 26, 2016 at 5:16 AM, Hanno Böck <[email protected]> wrote:

> On Tue, 26 Jan 2016 04:44:31 -0800 (PST)
> [email protected] wrote:
>
> > That sounds interesting for sure, but I doubt that ASan can be used to
> > prevent security exploits. Some classes of bugs I would assume are
> > nearly impossible to exploit with ASan in place, but e.g.
> > use-after-free can still be exploited, you just need more allocations
> > to force the memory to be reallocated.
>
> Yes, actually Chris Evans has analyzed this in more detail a while back:
> http://scarybeastsecurity.blogspot.dk/2014/09/using-asan-as-protection.html
>
> (I've linked that in my blogpost)
> tl;dr asan prevents some bugs from being exploited, but not all :-)
>
> Preventing UAF exploitation in the ASAN model seems complicated.
>
> > There is some other tool that aims to achieve that:
> > http://www.cs.rutgers.edu/~santosh.nagarakatte/softbound/
> >
> > However, I think it never went into the production stage and it only
> > supports C, not C++. I think it would be worthwhile to pursue that
> > approach for high security environments.
>
> Actually I had a look at Softbound a while ago. But the two don't really
> compare.
>
> Softbound tries to guarantee a very strong notion of memory safety. But
> the price for that is that it's always been incomplete and thus it's
> essentially impossible to compile any real world applications with it.
>
> I once tried to get OpenSSL compiled with Softbound; I ended up finding
> out that it doesn't support varargs. And "doesn't support" doesn't mean
> it doesn't protect them; it means if you use them in certain ways your
> code will just not work with Softbound.
>
> The impressive thing about asan is that it "really works", in "you can
> compile real software with it and in most cases it will just work".
>
> Thus I came to the conclusion that Softbound is interesting research,
> but in its current state not usable for real software.
>
> --
> Hanno Böck
> http://hboeck.de/
>
> mail/jabber: [email protected]
> GPG: BBB51E42
>
> --
> You received this message because you are subscribed to the Google Groups
> "address-sanitizer" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
>
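An added illustration (not code from this thread, from ASan or from Chromium) of why kcc's distinction above holds: a toy C model of ASan's shadow-memory check, in which a fixed-offset overflow lands on a poisoned partial granule or redzone and is always flagged, while a freed chunk is flagged only for as long as its shadow stays poisoned, that is, while the quarantine still holds it. The names toy_malloc, toy_free, toy_heap_init and asan_access_is_bad are this model's own, and the 256-byte arena is constructed.

```c
#include <stdbool.h>
#include <stdint.h>

/* Toy model of ASan's shadow memory (an added illustration, not ASan's own
 * code). One shadow byte per 8-byte granule: 0 = all 8 bytes addressable,
 * k in 1..7 = only the first k addressable, negative = poisoned (real ASan
 * uses 0xfa for heap redzones, 0xfd for freed memory). Arena: 256 bytes at 0. */
#define REDZONE   16                    /* ASan's minimum heap redzone */
#define SHADOW(a) shadow[(a) >> 3]      /* MemToShadow: (addr >> 3) + offset */
static int8_t   shadow[256 / 8];
static uint32_t next_free;              /* bump allocator cursor */

static void set_shadow(uint32_t addr, uint32_t len, int8_t val) {
    for (uint32_t a = addr; a < addr + len; a += 8) SHADOW(a) = val;
}
static void toy_heap_init(void) {       /* everything is redzone until allocated */
    set_shadow(0, 256, (int8_t)0xfa); next_free = REDZONE;
}

/* Equivalent of the check ASan inlines before every load and store. */
static bool asan_access_is_bad(uint32_t addr, uint32_t size) {
    for (uint32_t a = addr; a < addr + size; a++) {
        int8_t k = SHADOW(a);
        if (k < 0 || (k > 0 && (int)(a & 7) >= k)) return true;
    }
    return false;
}

/* malloc: unpoison exactly [p, p+size); the trailing redzone stays 0xfa. */
static uint32_t toy_malloc(uint32_t size) {
    uint32_t p = next_free, full = (size + 7) & ~7u;
    set_shadow(p, full, 0);
    if (size % 8) SHADOW(p + full - 8) = (int8_t)(size % 8); /* partial granule */
    next_free = p + full + REDZONE;
    return p;
}
/* free: poison as 0xfd. ASan parks the chunk in a quarantine instead of
 * reusing it, so the stale-pointer check holds only until eviction. */
static void toy_free(uint32_t p, uint32_t size) {
    set_shadow(p, (size + 7) & ~7u, (int8_t)0xfd);
}
/* 20-byte object: returns 0xf when an in-bounds read is clean, the byte past
 * the end (partial granule) and the redzone are caught, and so is the freed chunk. */
static int toy_demo(void) {
    toy_heap_init();
    uint32_t p = toy_malloc(20);
    int r = !asan_access_is_bad(p, 20) | (asan_access_is_bad(p + 20, 1) << 1)
          | (asan_access_is_bad(p + 24, 8) << 2);
    toy_free(p, 20);
    return r | (asan_access_is_bad(p, 1) << 3);
}
```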
