(added one of the AnC paper authors) On Tue, Nov 17, 2020 at 10:21:30PM +0200, Topi Miettinen wrote: > On 17.11.2020 18.54, Matthew Wilcox wrote: > > On Mon, Oct 26, 2020 at 06:05:18PM +0200, Topi Miettinen wrote: > > > Writing a new value of 3 to /proc/sys/kernel/randomize_va_space > > > enables full randomization of memory mappings created with mmap(NULL, > > > ...). With 2, the base of the VMA used for such mappings is random, > > > but the mappings are created in predictable places within the VMA and > > > in sequential order. With 3, new VMAs are created to fully randomize > > > the mappings. Also mremap(..., MREMAP_MAYMOVE) will move the mappings > > > even if not necessary. > > > > Is this worth it? > > > > https://www.ndss-symposium.org/ndss2017/ndss-2017-programme/aslrcache-practical-cache-attacks-mmu/ > > Thanks, very interesting. The paper presents an attack (AnC) which can break > ASLR even from JavaScript in browsers. In the process it compares the memory > allocators of Firefox and Chrome. Firefox relies on Linux mmap() to > randomize the memory location, but Chrome internally chooses the randomized > address. The paper doesn't present exact numbers to break ASLR for Chrome > case, but it seems to require more effort. Chrome also aggressively > randomizes the memory on each allocation, which seems to enable further > possibilities for AnC to probe the MMU tables. > > Disregarding the difference in aggressiveness of memory allocators, I think > with sysctl.kernel.randomize_va_space=3, the effort for breaking ASLR with > Firefox should be increased closer to Chrome case since mmap() will use the > address space more randomly. > > I have used this setting now for a month without any visible performance > issues, so I think the extra bits (for some additional effort to attackers) > are definitely worth the low cost. > > Furthermore, the paper does not describe in detail how the attack would > continue after breaking ASLR. Perhaps there are assumptions which are not > valid when the different memory areas are no longer sequential. For example, > if ASLR is initially broken wrt. the JIT buffer but continuing the attack > would require other locations to be determined (like stack, data segment for > main exe or libc etc), further efforts may be needed to resolve these > locations. With randomize_va_space=2, resolving any address (JIT buffer) can > reveal the addresses of many other memory areas but this is not the case > with 3. > > -Topi -- Sincerely yours, Mike.
