Expanding the list of "Hardened Packages"
Steve Grubb
sgrubb at redhat.com
Sat Apr 13 15:38:35 UTC 2013
On Friday, April 12, 2013 06:44:33 AM Josh Bressers wrote:
> On Thu, Apr 11, 2013 at 12:54 PM, Reindl Harald <h.reindl at thelounge.net>
wrote:
> > which is exactly the goal ASLR is desigend for
>
> It's designed to make certain types of attacks more difficult. It
> doesn't make them impossible, just much harder.
>
> Here is an example.
>
> When you write a security exploit, you generally have to do things
> like call into system libraries to do useful things. Generally you
> have a limited amount of room for your exploit's "payload", so the
> idea is to just leverage what the system can already do. Calling
> system() would be an example of this. Now long ago, before things like
> ASLR, if you had access to the binary you wanted to attack, you could
> inspect the binary to see what the address of system() was. It didn't
> change between runs of the binary, so I could hard code that address
> into my exploit. With ASLR, every time you run the binary the address
> of various system calls is now basically random (it's not exactly, but
> that's an exercise for the reader to figure out).
I would like to point out that a non-PIE 64 bit application will only get 14
bits of randomization of the heap. In my opinion, this must be fixed since this
is very predictable. Even jemalloc provides 19 bits of heap randomization -
which is not ideal, but is better than our current default.
-Steve
More information about the devel
mailing list