Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1455755877.23003.33.camel@gmail.com>
Date: Wed, 17 Feb 2016 19:37:57 -0500
From: Daniel Micay <danielmicay@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: Address Sanitizer local root

> The use-after-free and double-free detection is based on the same
> quarantine technique in Valgrind. It can only detect the issues before
> allocations are flushed out of the quarantine by memory pressure. It
> does mitigate many vulnerabilities but comparable double-free
> detection
> could be done in malloc without the drawbacks (two flat arrays
> providing
> a ring buffer for a FIFO quarantine + a hash table). The same thing
> applies to write-after-free but not use-after-free, since that would
> require instrumentation in the code. A write-after-free can be
> detected
> by filling allocations with junk and then checking for it when it's
> flushed from the quarantine rather than instrumentation. It doesn't
> need
> to do the whole allocation to be useful, so there's a large range of
> tuning for performance. The junk data could come from a stream cipher
> seeded from the address if desired, but it doesn't seem important.

There's an initial implementation of this in CopperheadOS if anyone is
curious about it.

FIFO quarantine:

https://github.com/CopperheadOS/platform_bionic/commit/bf8248f5644bc5f1fef36e8d9fd011334d08b994

Double-free detection via an open-addressed hash table:

https://github.com/CopperheadOS/platform_bionic/commit/aa2038b668ace4546207e674850abbb3d6e1f392

Junk validation (upstreamed):

https://github.com/robertbachmann/openbsd-libc/commit/00d2b970cb5791312ff38817feb1f8e015cca564

Remaining portion of the junk validation feature:

https://github.com/CopperheadOS/platform_bionic/commit/49fb2a0464a3e93fcf138802b1691dcccc4816f7

It would mix well with a dynamic bounds checking implementation like
Intel MPX since it covers the lifetime issues fairly well. There would
need to be the ability to extend the default quarantine size to make it
more useful but that's simple enough. There's also the standard OpenBSD
randomized quarantine, which it doesn't interfere with. Detecting read-
after-free beyond cases where a pointer to protected data (from the junk
filling) will guarantee  a crash really needs some form of hardware
acceleration too. I think the cost of having huge memory usage via
enormous deterministic mappings is too high.
Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.