Re: Randomize offset between program segments?

[Topi Miettinen <toiwoton@gmail.com>]

On 21.10.2020 12.54, Siddhesh Poyarekar wrote:
> On 10/21/20 3:04 PM, Topi Miettinen wrote:
>> Why can't the dynamic linker calculate the offset?
>>
> 
> It can calculate, but to be able to patch the pc-relative load
> instructions it will need the executable section to also be writable and
> is a really bad idea.

Agreed, I didn't consider that.

> The alternative (which is what PIC does for global variables) is to have
> a GOT-like indirection, where instead of the single pc-relative load,
> the compiler emits a load from that table and a subsequent load from the
> address in GOT.  Here, patching by the dynamic linker is safe since the
> offset table is rw, but you will have doubled the number of instructions
> needed to access your data.

Also size of GOT will increase. Otherwise this seems a better approach.

> Hence the question: how much benefit does this provide on top of what is
> achieved by randomizing the base address and does it justify doubling
> the number of instructions to access static variables?

I don't know. What would be the method to quantify such benefits? This 
applies to a specific case where the attacker is able to determine an 
address in one segment but needs to find an address in another segment 
in order to win, and without ASLR the offset between the addresses would 
be always known by the attacker (for example, because the distro and the 
version for the program or library is known). Without ASLR, chance of 
winning is 100%. With ASLR, this could be related to number of bits in 
randomization. In the 32 bit offset case this would be 20 bits (assuming 
12 bits page size), so the chances of guessing would be 2^-20 and brute 
forcing the offset would be expected to take 2^20/2 attempts.

For the large model, ASLR could use 44 - 12 = 32 bits, so numbers would 
be 2^-32 and 2^32/2.

-mcmodel=large increases number of instructions by a factor of 5, so 
doubling would still be an improvement:
0000000000000000 <setter>:
    0:   48 8d 05 f9 ff ff ff    lea    -0x7(%rip),%rax        # 0 <setter>
    7:   49 bb 00 00 00 00 00    movabs $0x0,%r11
    e:   00 00 00
   11:   4c 01 d8                add    %r11,%rax
   14:   48 ba 00 00 00 00 00    movabs $0x0,%rdx
   1b:   00 00 00
   1e:   48 89 3c 02             mov    %rdi,(%rdx,%rax,1)
   22:   c3                      retq

Normal model, extern variable should be similar to GOT access:
0000000000000000 <setter>:
    0:   48 8b 05 00 00 00 00    mov    0x0(%rip),%rax        # 7 
<setter+0x7>
    7:   48 89 38                mov    %rdi,(%rax)
    a:   c3                      retq

Normal model, static variable:
0000000000000000 <setter>:
    0:   48 89 3d 00 00 00 00    mov    %rdi,0x0(%rip)        # 7 
<setter+0x7>
    7:   c3                      retq

But I suppose the extra memory access in GOT version is worse for 
performance than the extra instructions which don't access memory in 
-mcmodel=large.

-Topi