From: Paul Eggert <eggert@cs.ucla.edu>
To: Zack Weinberg <zackw@panix.com>, Florian Weimer <fweimer@redhat.com>
Cc: GNU C Library <libc-alpha@sourceware.org>,
Carlos O'Donell <carlos@redhat.com>,
"Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com>
Subject: Re: [PATCH 0/3] explicit_bzero v5
Date: Wed, 16 Nov 2016 21:38:00 -0000 [thread overview]
Message-ID: <a07333cf-71d0-bf69-2b1f-5aa6f0e5f012@cs.ucla.edu> (raw)
In-Reply-To: <545c2830-c00c-7eb9-65c0-cb8042a5069d@panix.com>
On 11/16/2016 06:56 AM, Zack Weinberg wrote:
> On 11/15/2016 02:35 PM, Paul Eggert wrote:
>> On 11/15/2016 10:54 AM, Zack Weinberg wrote:
>>> If the adversary can read the stack at all, I suspect they've
>>> already won, no matter what we do.
>> That will likely be true in many applications, but not in all.
> An adversary who can read the stack has access
> to at least one pointer into the executable image (i.e. a return
> address) and that is sufficient to walk the entire address space,
> including all static data and the complete contents of the heap.
Sorry, I'm not following. Typically searching a stack is much cheaper
than searching all of address space. ASLR is about increasing the
adversary's cost; it is not about creating a perfect defense. If ASLR
can force an adversary to search all of address space instead of
searching just the stack, then that is a win.
Another way to put it: Even if an adversary can obtain the address of
one object, that doesn't mean that ASLR is useless thereafter. ASLR can
still make it hard for the adversary to obtain the addresses of other
objects, and this can still make the program harder to attack overall.
So, even if the adversary can read the stack, ASLR can still be useful
if the password buffer is on the heap and if no addresses in the stack
point to the password buffer.
>
>> It's worth documenting the issue for applications that put sensitive
>> objects in the heap, as they might not expose these object addresses
>> to the stack now
> How on earth are they to operate on sensitive objects on the heap
> without holding their addresses in function-local variables, which one
> must assume do from time to time get spilled onto the stack?
Yes, one must assume that if one is considering a worst-case compiler.
But there are other possibilities. Perhaps the addresses are not spilled
in code that calls memset or uses inline code, whereas the addresses do
get spilled in the code that calls explicit_bzero. So, in practice,
changing C code to call explicit_bzero can create spills that didn't
exist before, which means that in practice the machine code can be less
secure than before.
next prev parent reply other threads:[~2016-11-16 21:38 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-11-15 15:55 Zack Weinberg
2016-11-15 15:55 ` [PATCH 1/3] New string function explicit_bzero (from OpenBSD) Zack Weinberg
2016-11-15 15:55 ` [PATCH 2/3] Add fortification and inline optimization of explicit_bzero Zack Weinberg
2016-11-15 15:55 ` [PATCH 3/3] Use explicit_bzero where appropriate Zack Weinberg
2016-11-16 18:38 ` [PATCH 1/3] New string function explicit_bzero (from OpenBSD) Michael Kerrisk (man-pages)
2016-11-15 16:20 ` [PATCH 0/3] explicit_bzero v5 Paul Eggert
2016-11-15 17:46 ` Zack Weinberg
2016-11-15 18:02 ` Paul Eggert
2016-11-15 18:42 ` Florian Weimer
2016-11-15 18:54 ` Zack Weinberg
2016-11-15 19:35 ` Paul Eggert
2016-11-16 14:56 ` Zack Weinberg
2016-11-16 21:38 ` Paul Eggert [this message]
2016-11-16 18:34 ` Michael Kerrisk (man-pages)
2016-11-15 19:35 ` Paul Eggert
2016-11-16 14:58 ` Zack Weinberg
2016-11-15 21:12 ` Richard Henderson
2016-11-16 14:45 ` Zack Weinberg
2016-11-16 14:58 ` Andreas Schwab
2016-11-16 15:00 ` Zack Weinberg
2016-11-16 15:09 ` Andreas Schwab
2016-11-16 15:14 ` Zack Weinberg
2016-11-16 15:22 ` Andreas Schwab
2016-11-16 20:06 ` Richard Henderson
2016-11-16 2:03 ` Joseph Myers
2016-11-16 15:06 ` Zack Weinberg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=a07333cf-71d0-bf69-2b1f-5aa6f0e5f012@cs.ucla.edu \
--to=eggert@cs.ucla.edu \
--cc=carlos@redhat.com \
--cc=fweimer@redhat.com \
--cc=libc-alpha@sourceware.org \
--cc=mtk.manpages@gmail.com \
--cc=zackw@panix.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).