Date: Wed, 17 Feb 2016 19:37:57 -0500 From: Daniel Micay <danielmicay@...il.com> To: oss-security@...ts.openwall.com Subject: Re: Address Sanitizer local root > The use-after-free and double-free detection is based on the same > quarantine technique in Valgrind. It can only detect the issues before > allocations are flushed out of the quarantine by memory pressure. It > does mitigate many vulnerabilities but comparable double-free > detection > could be done in malloc without the drawbacks (two flat arrays > providing > a ring buffer for a FIFO quarantine + a hash table). The same thing > applies to write-after-free but not use-after-free, since that would > require instrumentation in the code. A write-after-free can be > detected > by filling allocations with junk and then checking for it when it's > flushed from the quarantine rather than instrumentation. It doesn't > need > to do the whole allocation to be useful, so there's a large range of > tuning for performance. The junk data could come from a stream cipher > seeded from the address if desired, but it doesn't seem important. There's an initial implementation of this in CopperheadOS if anyone is curious about it. FIFO quarantine: https://github.com/CopperheadOS/platform_bionic/commit/bf8248f5644bc5f1fef36e8d9fd011334d08b994 Double-free detection via an open-addressed hash table: https://github.com/CopperheadOS/platform_bionic/commit/aa2038b668ace4546207e674850abbb3d6e1f392 Junk validation (upstreamed): https://github.com/robertbachmann/openbsd-libc/commit/00d2b970cb5791312ff38817feb1f8e015cca564 Remaining portion of the junk validation feature: https://github.com/CopperheadOS/platform_bionic/commit/49fb2a0464a3e93fcf138802b1691dcccc4816f7 It would mix well with a dynamic bounds checking implementation like Intel MPX since it covers the lifetime issues fairly well. There would need to be the ability to extend the default quarantine size to make it more useful but that's simple enough. There's also the standard OpenBSD randomized quarantine, which it doesn't interfere with. Detecting read- after-free beyond cases where a pointer to protected data (from the junk filling) will guarantee a crash really needs some form of hardware acceleration too. I think the cost of having huge memory usage via enormous deterministic mappings is too high. Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ