Linked by Dareka on Fri 19th Apr 2013 10:40 UTC
BeOS & Derivatives "Starting with hrev45522, address space layout randomization (ASLR) and data execution prevention (DEP) are available in Haiku. These two features, which have actually become a standard in any modern OS, make it much harder to exploit any vulnerability that may be present in an application running on Haiku, thus generally improving system security."
Thread beginning with comment 559441
RE[2]: Funny
by Alfman on Mon 22nd Apr 2013 09:50 UTC in reply to "RE: Funny"
Alfman
Member since:
2011-01-28

WereCatf,

"Problem one, right there: all applications get their own, private address mappings, it's not a global one."

It doesn't need to be that way. I was talking to neolander a while back and a global mapping has some advantages when pages are shared because the pointers contained within those pages are valid in any process.

There are security implications depending on how it's used, but it's no worse than sharing pages at relocatable addresses since untrusted offsets would still need to be bounds checked anyways. Trusted processes would have a much easier time sharing actual objects between them (and not just serializing objects to/from the shared page).

"Problem two: it's not only the base location of the executable code itself that's randomized, it also applies to libraries, data, heap and such."

It sounded to me sort of implied that his version of malloc did that. Maybe I read it too optimistically, but I don't think the post was worthy of the downvotes. (It didn't have the religious overtones like some of the other comments).

Edited 2013-04-22 09:52 UTC

Reply Parent Score: 2

RE[3]: Funny
by WereCatf on Mon 22nd Apr 2013 10:35 in reply to "RE[2]: Funny"
WereCatf Member since:
2006-02-15

"It doesn't need to be that way. I was talking to neolander a while back and a global mapping has some advantages when pages are shared because the pointers contained within those pages are valid in any process."

If all processes shared a global mapping it would immediately counter the whole point of ASLR: if your process couldn't access or allocate a certain memory location you'd immediately know that it's in use. Virtual address mappings are a security feature designed exactly for this as the application can request ANY address whatsoever and it wouldn't know if it is physically at that location or not or if that physical location is used by something else and the application was instead given a virtual mapping.

"There are security implications depending on how it's used, but it's no worse than sharing pages at relocatable addresses since untrusted offsets would still need to be bounds checked anyways. Trusted processes would have a much easier time sharing actual objects between them (and not just serializing objects to/from the shared page)."

You do realize that you can still share the same physical location between multiple applications even with private virtual address mappings? Most OSes do provide facilities for this -- the OS only needs to map the same physical address to some random private address on the processes' sides and then let the processes know which address to use.

"It sounded to me sort of implied that his version of malloc did that. Maybe I read it too optimistically, but I don't think the post was worthy of the downvotes."

I wasn't the one downvoting him, so that's irrelevant wrt. my comment. But I didn't interpret his comment as you did, I interpreted it that he simply randomizes the base location he mallocs for the process and places it all there.

Reply Parent Score: 2

RE[4]: Funny
by Alfman on Mon 22nd Apr 2013 21:33 in reply to "RE[3]: Funny"
Alfman Member since:
2011-01-28

WereCatf,

"Virtual address mappings are a security feature designed exactly for this as the application can request ANY address whatsoever and it wouldn't know if it is physically at that location or not or if that physical location is used by something else and the application was instead given a virtual mapping."

Virtual mappings don't need to match the physical ones in order to have a global mapping. In fact it helps reduce multi-page fragmentation when they don't.

Just because all processes share the global page map doesn't imply all processes know which pages are used by which processes, nor even which pages are allocated at all unless you have functions that leak this sort of information.


"You do realize that you can still share the same, physical location between multiple applications even with private, virtual address mappings? Most OSes do provide facilities for this -- the OS only needs to map the same, physical address to some random private address on the processes' sides and then let the processes know which address to use."

Data pointers use logical addresses, not physical ones. Creating two different logical mappings to the same physical address isn't the same as two processes sharing logical mappings. It's an interesting (unconventional) use case, but it could facilitate the sharing of objects between processes of similar permissions.

While Linux's version of mmap allows virtual address hints, it's hit or miss whether the processes that want to share the region will be able to map at the same location because they use a local page map.

I wouldn't actually use the technique myself, but I don't see any reason it'd be incompatible with ASLR.

Reply Parent Score: 2
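The two points argued across this thread (Alfman's, that pointers stored inside a shared page are only meaningful if every party maps the page at the same virtual address, so untrusted offsets must be bounds checked; and WereCatf's, that an OS can map the same physical page at a different private address in each process) can be seen directly in a small program. The following C example is added here and is not code from the thread or from Haiku. It maps one file-backed page twice in a single process as a stand-in for two processes with private address spaces; the temp-file name, the header layout, the `DEMO_*` flags and the magic value are all constructed for this demo.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Bits reported by run_shared_mapping_demo() (constructed for this demo). */
#define DEMO_DISTINCT_MAPPINGS   1  /* the two views landed at different virtual addresses */
#define DEMO_RAW_PTR_VALID_IN_B  2  /* the writer's raw pointer falls inside view B */
#define DEMO_OFFSET_VALID_IN_B   4  /* the base-relative offset recovers the payload through view B */

#define DEMO_MAGIC 0x5A5A5A5Au      /* constructed sanity marker */

/* Header the "writer" places at the start of the shared page. */
typedef struct {
    uint32_t  magic;
    uintptr_t raw_ptr;      /* absolute virtual address of payload, as seen by the writer */
    size_t    offset;       /* payload position relative to the page base */
    char      payload[32];
} shared_hdr_t;

/* Returns a bitmask of DEMO_* flags, or -1 on a system error. */
int run_shared_mapping_demo(void) {
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0) return -1;

    /* Backing object: an unlinked temp file, so two MAP_SHARED views hit the same physical page. */
    char path[] = "/tmp/shared-page-demo-XXXXXX";   /* constructed name */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);
    if (ftruncate(fd, (off_t)page) != 0) { close(fd); return -1; }

    /* View A plays the writer process, view B the reader process. NULL hint: the kernel picks. */
    char *a = mmap(NULL, (size_t)page, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    char *b = mmap(NULL, (size_t)page, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    close(fd);
    if (a == MAP_FAILED || b == MAP_FAILED) return -1;

    int result = 0;

    /* Writer: publish the payload both as a raw pointer and as an offset. */
    shared_hdr_t *ha = (shared_hdr_t *)a;
    ha->magic   = DEMO_MAGIC;
    ha->offset  = offsetof(shared_hdr_t, payload);
    ha->raw_ptr = (uintptr_t)(a + ha->offset);
    strcpy(ha->payload, "hello via shared page");

    /* Reader: the bytes are identical, but the page sits at a different address. */
    shared_hdr_t *hb = (shared_hdr_t *)b;
    if (a != b) result |= DEMO_DISTINCT_MAPPINGS;

    /* The raw pointer names a location in A's view. In a separate process that address is
     * unmapped or belongs to something else, so a reader must not follow it; here we only
     * check whether it lies inside B's view at all. */
    if (hb->raw_ptr >= (uintptr_t)b && hb->raw_ptr < (uintptr_t)b + (uintptr_t)page)
        result |= DEMO_RAW_PTR_VALID_IN_B;

    /* The offset is portable, but it came from the other side, so bounds-check it before use. */
    if (hb->magic == DEMO_MAGIC &&
        hb->offset < (size_t)page - sizeof hb->payload &&
        strcmp(b + hb->offset, "hello via shared page") == 0)
        result |= DEMO_OFFSET_VALID_IN_B;

    munmap(a, (size_t)page);
    munmap(b, (size_t)page);
    return result;
}

int main(void) {
    int r = run_shared_mapping_demo();
    if (r < 0) { perror("demo"); return 1; }
    printf("distinct mappings:                         %d\n", !!(r & DEMO_DISTINCT_MAPPINGS));
    printf("raw pointer usable through the other view: %d\n", !!(r & DEMO_RAW_PTR_VALID_IN_B));
    printf("offset usable through the other view:      %d\n", !!(r & DEMO_OFFSET_VALID_IN_B));
    return 0;
}
```

Both views are passed a NULL address hint, so the kernel places them independently; a non-NULL hint to mmap is advisory only, which is the "hit or miss" behaviour the thread mentions, and a program that needs raw pointers to survive the crossing has to verify the mapping actually landed where it asked. The offset path works regardless of where each side's mapping lands, at the cost of the bounds check that the thread says is needed anyway for any value arriving from a less trusted side.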