From: Siddhesh Poyarekar <siddhesh@gotplt.org>
To: Topi Miettinen <toiwoton@gmail.com>, libc-alpha@sourceware.org
Subject: Re: Randomize offset between program segments?
Date: Thu, 29 Oct 2020 13:34:37 +0530 [thread overview]
Message-ID: <7e9c9068-917b-5bb6-1500-f2be9786bd1b@gotplt.org> (raw)
In-Reply-To: <c6599480-e8ee-0782-086f-e7d0750c8b97@gmail.com>
On 10/21/20 4:14 PM, Topi Miettinen wrote:
>> The alternative (which is what PIC does for global variables) is to have
>> a GOT-like indirection, where instead of the single pc-relative load,
>> the compiler emits a load from that table and a subsequent load from the
>> address in GOT. Here, patching by the dynamic linker is safe since the
>> offset table is rw, but you will have doubled the number of instructions
>> needed to access your data.
>
> Also size of GOT will increase. Otherwise this seems a better approach.
You shouldn't use GOT (because it's the *global* offset table) but a
similar idea. A rose by another name...
> I don't know. What would be the method to quantify such benefits? This
> applies to a specific case where the attacker is able to determine an
> address in one segment but needs to find an address in another segment
> in order to win, and without ASLR the offset between the addresses would
First build evidence for this possibility, i.e. how easy is it to
determine the address of one segment in a binary and how much
*incremental* effort does it take to determine the address of other
segments?
> be always known by the attacker (for example, because the distro and the
> version for the program or library is known). Without ASLR, chance of
> winning is 100%. With ASLR, this could be related to number of bits in
> randomization. In the 32 bit offset case this would be 20 bits (assuming
> 12 bits page size), so the chances of guessing would be 2^-20 and brute
> forcing the offset would be expected to take 2^20/2 attempts.
Question is, would it really be an additional 2^20 tries at all times?
For example, the offset table has to be at a known offset from the code
and hence could be computed once you know the address of the code
segment. From there, the final address for the data access is just an
indirection away.
Siddhesh
next prev parent reply other threads:[~2020-10-29 8:04 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-19 15:31 Topi Miettinen
2020-10-21 2:21 ` Siddhesh Poyarekar
2020-10-21 7:40 ` Topi Miettinen
2020-10-21 9:14 ` Siddhesh Poyarekar
2020-10-21 9:34 ` Topi Miettinen
2020-10-21 9:54 ` Siddhesh Poyarekar
2020-10-21 10:44 ` Topi Miettinen
2020-10-29 8:04 ` Siddhesh Poyarekar [this message]
2020-10-30 15:37 ` Topi Miettinen
2020-10-21 5:33 ` Florian Weimer
2020-10-21 8:02 ` Topi Miettinen
2020-10-21 8:06 ` Florian Weimer
2020-10-21 9:28 ` Topi Miettinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=7e9c9068-917b-5bb6-1500-f2be9786bd1b@gotplt.org \
--to=siddhesh@gotplt.org \
--cc=libc-alpha@sourceware.org \
--cc=toiwoton@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).