<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Thu, Apr 11, 2013 at 6:32 PM, John Reiser <span dir="ltr"><<a href="mailto:jreiser@bitwagon.com" target="_blank">jreiser@bitwagon.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">On 04/11/2013 08:19 AM, Miloslav Trmač wrote:<br>
> (I'll call "mutating ASLR" a setup where the addresses change frequently,<br>
> and "static ASLR" a setup where the addresses change only sometimes<br>
> but differ between systems.)<br>
><br>
> * Servers that accept outside connections definitely should have mutating ASLR<br>
> (attackers can make millions of connection attempts and outguess static ASLR).<br>
> So PIE and prelink unused or ineffective (== current policy).<br>
<br>
</div>What does it mean "So PIE and prelink unused or ineffective"?<br>
That phrase lacks a verb.<br></blockquote><div><br></div><div>Sorry. "So, let's keep the current policy: a) PIE enabled, b) prelink unused/ineffective for these executables". It's not that prelink is ineffective against attackers, it's that as currently implemented, prelink does nothing when the executable is a PIE, so prelink does not disrupt "mutating ASLR".<br>
</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
A process that is invoked by xinetd in response to a particular packet,<br>
and which terminates after serving only one logical connection, and whose<br>
executable is built using "gcc -pie -FPIE, and not pre-inked,<br>
then operates with short-lived, high-frequency, mutating ASLR.<br>
That's one case of a "server" process invoked by xinetd.<br></blockquote><div><br></div><div>Which of the major and frequently deployed servers actually use xinetd as their execution method? Yes, xinetd is there; AFAIK it's by far not the common case; we usually have a separate long-running daemon (perhaps forking a child for each connection) instead.<br>
</div><div> <br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">If "server" is a whole system which lasts at least one day (tens or hundreds<br>
of thousands of processes, or more) then "all executables -pie and -fPIE;<br>
and no prelink" is a highest-frequency mutating ASLR. It also has the<br>
highest direct cost for performing all that randomized relocation.<br></blockquote><div> </div>Again, with PIE, prelink currently does nothing, so prelink/no prelink does not currently make a difference in this case.<br>
</div><div class="gmail_quote"> Mirek<br></div></div></div>