Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 09 Dec 2014 20:03:10 -0500
From: Daniel Micay <danielmicay@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: Offset2lib: bypassing full ASLR on 64bit Linux

On 09/12/14 11:18 AM, Steve Grubb wrote:
> 
> 4) Then I started wondering about the heap when you use other memory manager 
> libraries such as jemalloc. This turned out to be interesting. You get about 
> 19 bits of randomness using it. Its not as bad as non-PIE glibc but not as 
> good as PIE glibc. You also got the same amount of randomness whether the app 
> was PIE or not. This is an area ripe for more experimenting, exploiting, and 
> patching. Supposedly some of these heap managers use mmap as the underlying 
> allocator. So, why aren't they getting 29 bits, too? :-)

Your measurement of the difference is quite accurate.

The page multiple constraint zaps 12 potential bits of entropy, but
jemalloc's 4M chunk alignment increases that to 22 bits. I'm not sure
what can be done about it because there's a very strong performance case
for the design.

I sent in a fix for the MALLOC_CONF part of this at least, so an
attacker won't be able to reduce it further:

https://github.com/jemalloc/jemalloc/pull/174


Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.