Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 3 Aug 2016 18:19:19 +0000
From: "Roberts, William C" <>
To: 'Jason Cooper' <>
CC: "''" <>,
	"''" <>,
	<>, "''"
	<>, "''"
	<>, "''"
	<>, "''" <>,
	"''" <>, "''"
	<>, "''" <>
Subject: RE: [PATCH] [RFC] Introduce mmap randomization

> >
> > I would highly recommend studying those prior use cases and answering
> > those concerns before progressing too much further.  As I've mentioned
> > elsewhere, you'll need to quantify the increased difficulty to the
> > attacker that your patch imposes.  Personally, I would assess that first to see if
> it's worth the effort at all.
> Yes agreed.

For those following or those who care I have some preliminary results from a UML test bench. I need to set up better
testing, this I know :-P and test under constrained environments etc.

I ran 100,000 execs of bash and checked pmap for the location of libc's start address. I recorded this and kept track of the lowest
address it was loaded at as well as the highest, the range is aprox 37 bits of entropy. I calculated the Shannon entropy by calculating the frequency
of each address that libc was loaded at per 100,000 invocations, I am not sure if this is an abuse of that, considering Shannon's entropy is usually used
to calculate the entropy of byte sized units in a file (below you will find my city script). Plotting the data, it looked fairly random. Number theory is
not my strong suit, so if anyone has better ways of measuring entropy, I'm all ears, links appreciated.

I'm going to fire up some VMs in the coming weeks and test this more, ill post back with results if they differ from UML. Including ARM tablets running

low: 0x40000000
high: 0x401cb15000
range: 0x3fdcb15000
Shannon entropy: 10.514440

#!/usr/bin/env python

# modified from:

import math
import sys


if len(sys.argv) != 2: 
    print "Usage: [path]filename" 
d = {}
with open(sys.argv[1]) as f:
    for line in f:
	line = line.strip()
	line = line.lstrip("0")
	#print line
	items = items + 1
        if line not in d:
            d[line] = 1
            d[line] = d[line] + 1

	x = int("0x" + line, 16)
	if low == None:
		low = x
	if high == None:
		high = x

	if x < low:
		low = x

	if x > high:
		high = x

#print str(items)

#print d

print ("low: 0x%x" % low)
print ("high: 0x%x" % high)
print ("range: 0x%x" % (high - low))

# calculate the frequency of each address in the file
# XXX Should this really be in the 64 bit address space?
freqList = [] 
for k,v in d.iteritems(): 
    freqList.append(float(v) / items) 
#print freqList

# Shannon entropy 
ent = 0.0 
for freq in freqList: 
    if freq > 0: 
        ent = ent + freq * math.log(freq, 2) 
ent = -ent 
print ('Shannon entropy: %f' % ent  )


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.