Hey David,

I'm responding inline.

On Thu, Jun 09, 2016 at 09:18:40AM +0100, David Chisnall wrote:
> If this paper is the one that I think it is, then I was one of the reviewers. 
>  Their attack is neat, but it depends quite a lot on being able to 
> deterministically trigger deduplication.  Their proof-of-concept exploit was 
> on Windows (and JavaScript attack was really fun) and I???m not convinced 
> that it would work reliably on Linux or VMWare ESX, which both defer 
> deduplication for as long as possible to avoid NUMA-related overheads.
> We don???t currently have a FreeBSD implementation, but if someone wanted to 
> provide one then a defence against this attack would be fairly simple: count 
> the number of CoW faults that a process is receiving and if it reaches a 
> certain threshold then remove all of its memory from the set of eligible 
> pages.  The attack relies on being able to repeatedly trigger CoW faults and 
> time whether they occur, with the same set of pages.  At least some existing 
> implementations will make this impossible as these pages will repeatedly be 
> deduplicated and then duplicated and this is already a pathological case that 
> most memory deduplication implementations need to handle (as well as being a 
> security hole, it???s also a big performance killer).

Competely agreed. This is a "nothing to see here" situation. The paper
simply doesn't apply to FreeBSD.

> Kib has been working on ASLR for FreeBSD (I think it???s in 11?), but at this 
> point it???s more of a checkbox item than a serious mitigation technique.  It 
> adds a little bit of work for attackers, but there are so many attacks that 
> can bypass ASLR even with strong entropy that it just increases the work 
> factor slightly.  If you???re running code written in C, then you???re better 
> off relying on Capscium compartmentalisation to limit what the attacker can 
> do once they???ve compromised it.

Kib's ASR implementation hasn't made it to HEAD, yet. It differs from
ASLR in pretty drastic ways. Using heap spraying attacks, an attacker
will easily be able to disable the ASR implementation Kib has proposed.
The same does not hold true for the proper ASLR implementation that has
existed for a number of years--HardenedBSD's. Simply forcing address
space fragmentation should not disable ASLR, which is the case for
FreeBSD's ASR. Kib's implementation requires a lot of further work,
especially in regards to stack and shared page randomization, which
doesn't exist in his patch. He views stack and shared page randomization
outside the scope of ASR and I have no clue why as no explanation has
been given.

While ASLR bypasses exist (ROP, SROP, JROP, etc.), they require a number
of additional vulnerabilities to be able to effectively control [ER]IP.
Just like any security technology, ASLR isn't meant to be the
end-all-be-all of security, but just one more layer in a
defense-in-depth strategy. The more layers an attacker has to punch
through, the higher the burden.

Capsicum would indeed be something to look into, but is heavy-handed and
requires modification of source code. Capsicum cannot be applied to
proprietary applications without coordination from the vendor, whereas
ASLR can be. I like Capsicum, but integrating "ALL THE THINGS!" with it
takes a lot of work.


Shawn Webb
Cofounder and Security Engineer

GPG Key ID:          0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89  3D9E 6A84 658F 5245 6EEE
freebsd-current@freebsd.org mailing list
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"

Reply via email to