Date: Sat, 06 Dec 2014 10:47:55 +0100 From: lazytyped <lazytyped@...il.com> To: oss-security@...ts.openwall.com Subject: Re: How GNU/Linux distros deal with offset2lib attack? On 06/12/2014 08:22, Shawn wrote: > Hi guys, > > As you know Hector Marco disclosured a new attack targeting the > GNU/Linux mitigation defensive technology earlier this week: > http://www.openwall.com/lists/oss-security/2014/12/04/19 > http://cybersecurity.upv.es/attacks/offset2lib/offset2lib.html [...] > It seems ASLRv3 is the best option we have? Or anything else? I think there is quite a bit of sweating on very little. This attack assumes that the attacker is capable of guessing the load address of the PIE binary. It basically already bypassed ASLR. It then "notices" that the PIE .text segment is loaded at a fixed offset from the shared libraries (BTW: shared libraries are loaded at fixed offsets among each others) and mounts a ROP attack using the shared library gadgets. This "fixed offset" is IMHO very unlikely to be a security issue, since in the vast majority of real life cases, the PIE .text itself will already contain enough gadgets to mount the attack. In other words, one may decide to separate the PIE .text from the rest of the libraries .text, but I don't really see much of a security win there. TL;DR: ASLR is a mitigation, if you have a chance to bruteforce or infoleak -one- address from it, the mitigation is gone. Separating the PIE .text or even libraries .text between each other won't buy you much. - Enrico
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.