Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 06 Dec 2014 10:47:55 +0100
From: lazytyped <>
Subject: Re: How GNU/Linux distros deal with offset2lib attack?

On 06/12/2014 08:22, Shawn wrote:
> Hi guys,
> As you know Hector Marco disclosured a new attack targeting the
> GNU/Linux mitigation defensive technology earlier this week:
> It seems ASLRv3 is the best option we have? Or anything else?

I think there is quite a bit of sweating on very little.

This attack assumes that the attacker is capable of guessing the load
address of the PIE binary. It basically already bypassed ASLR. It then
"notices" that the PIE .text segment is loaded at a fixed offset from
the shared libraries (BTW: shared libraries are loaded at fixed offsets
among each others) and mounts a ROP attack using the shared library gadgets.

This "fixed offset" is IMHO very unlikely to be a security issue, since
in the vast majority of real life cases, the PIE .text itself will
already contain enough gadgets to mount the attack.

In other words, one may decide to separate the PIE .text from the rest
of the libraries .text, but I don't really see much of a security win there.

TL;DR: ASLR is a mitigation, if you have a chance to bruteforce or
infoleak -one- address from it, the mitigation is gone. Separating the
PIE .text or even libraries .text between each other won't buy you much.

      -  Enrico

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.