Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 10 Dec 2014 13:27:24 -0500
From: Daniel Micay <danielmicay@...il.com>
To: Steve Grubb <sgrubb@...hat.com>, oss-security@...ts.openwall.com
Subject: Re: Offset2lib: bypassing full ASLR on 64bit Linux

On 10/12/14 11:11 AM, Steve Grubb wrote:
> On Tuesday, December 09, 2014 03:24:39 PM Daniel Micay wrote:
>>> I studied this area 2 years ago for a gray hat talk and in preparation to
>>> help  set the policy going forward for Fedora and RHEL. The general
>>> reason I've heard mentioned about why its not used as fully as possible
>>> is that it adds memory pages that can't be coalesced or consolidated
>>> because they are not the same.
>>
>> AFAIK, it doesn't cause a significant increase in memory usage. The
>> whole point of position independent code is that it can be reused across
>> processes. Dynamic libraries are already fully position independent.
> 
> This was the issue as I remember it, when you use PIE, it introduces a 
> writable memory segment for the indirection that is filled in lazily. Because 
> this is writeable it is per process. It is also per DSO. With desktop apps 
> linking against a 60 or so libraries and an average of 150 apps running at any 
> time, the memory used starts to really add up. Server workloads tend to have 
> apps with less libraries linked in but many more processes active.
> 
> Of course today systems are starting to ship with 16GB standard, but now we 
> add virtualization work loads and you have dozens more of the above. I think 
> this institutional memory of the old days kind of hinders any movement. We had 
> an internal debate of this on bz 786915 (which is not 100% open). The start up 
> performance never really a factor in the discussions. It was purely about 
> "wasted" memory.

The GOT/PLT is still there without PIE. You can blame features like
LD_PRELOAD for this, not ASLR. Every library is already paying the costs
of PIE and more (-fpie / -fPIE is a subset of -fpic / -fPIC).

http://www.macieira.org/blog/2012/01/sorry-state-of-dynamic-libraries-on-linux/

Before the recent GCC / binutils improvements, PIE would result in GOT
usage for every global just like PIC. The changes eliminate the need for
that so past measurements (which usually indicate a 0-3% perf hit) won't
be valid anymore.


Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.