This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: [PATCH 0/3] explicit_bzero v5

From: Paul Eggert <eggert at cs dot ucla dot edu>
To: Zack Weinberg <zackw at panix dot com>, Florian Weimer <fweimer at redhat dot com>
Cc: GNU C Library <libc-alpha at sourceware dot org>, Carlos O'Donell <carlos at redhat dot com>, "Michael Kerrisk (man-pages)" <mtk dot manpages at gmail dot com>
Date: Wed, 16 Nov 2016 13:38:12 -0800
Subject: Re: [PATCH 0/3] explicit_bzero v5
Authentication-results: sourceware.org; auth=none
References: <20161115155509.12692-1-zackw@panix.com> <677c23f1-d10a-890d-b875-039d32a3d228@cs.ucla.edu> <CAKCAbMhHRH-+ZV7sChor3Xdt5TNqNmwqAcfgYMPsCZBB8jOJBA@mail.gmail.com> <03bf455b-7dc9-663b-a748-8f1da9cfcfd3@cs.ucla.edu> <388972da-c60c-6314-b39d-db5fc818fdb8@redhat.com> <CAKCAbMg+=K4ix28_wTEdAtPhr2PC5HHELvTeaHSJCKHTPScu6g@mail.gmail.com> <b3064916-a082-9bb3-8715-9252d1fdecae@cs.ucla.edu> <545c2830-c00c-7eb9-65c0-cb8042a5069d@panix.com>

On 11/16/2016 06:56 AM, Zack Weinberg wrote:

On 11/15/2016 02:35 PM, Paul Eggert wrote:

On 11/15/2016 10:54 AM, Zack Weinberg wrote:

If the adversary can read the stack at all, I suspect they've
already won, no matter what we do.

That will likely be true in many applications, but not in all.

An adversary who can read the stack has access
to at least one pointer into the executable image (i.e. a return
address) and that is sufficient to walk the entire address space,
including all static data and the complete contents of the heap.

Sorry, I'm not following. Typically searching a stack is much cheaperthan searching all of address space. ASLR is about increasing theadversary's cost; it is not about creating a perfect defense. If ASLRcan force an adversary to search all of address space instead ofsearching just the stack, then that is a win.

Another way to put it: Even if an adversary can obtain the address ofone object, that doesn't mean that ASLR is useless thereafter. ASLR canstill make it hard for the adversary to obtain the addresses of otherobjects, and this can still make the program harder to attack overall.So, even if the adversary can read the stack, ASLR can still be usefulif the password buffer is on the heap and if no addresses in the stackpoint to the password buffer.

It's worth documenting the issue for applications that put sensitive
objects in the heap, as they might not expose these object addresses
to the stack now

How on earth are they to operate on sensitive objects on the heap
without holding their addresses in function-local variables, which one
must assume do from time to time get spilled onto the stack?

Yes, one must assume that if one is considering a worst-case compiler.But there are other possibilities. Perhaps the addresses are not spilledin code that calls memset or uses inline code, whereas the addresses doget spilled in the code that calls explicit_bzero. So, in practice,changing C code to call explicit_bzero can create spills that didn'texist before, which means that in practice the machine code can be lesssecure than before.

References:
- [PATCH 0/3] explicit_bzero v5
  - From: Zack Weinberg
- Re: [PATCH 0/3] explicit_bzero v5
  - From: Paul Eggert
- Re: [PATCH 0/3] explicit_bzero v5
  - From: Zack Weinberg
- Re: [PATCH 0/3] explicit_bzero v5
  - From: Paul Eggert
- Re: [PATCH 0/3] explicit_bzero v5
  - From: Florian Weimer
- Re: [PATCH 0/3] explicit_bzero v5
  - From: Zack Weinberg
- Re: [PATCH 0/3] explicit_bzero v5
  - From: Paul Eggert
- Re: [PATCH 0/3] explicit_bzero v5
  - From: Zack Weinberg

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]