OpenSUSE Tumbleweed Is Now Built With PIE

#21

> Originally posted by sdack:
> It is. It's purely built on hope and buys security a little bit of time at best. It only helps against old malware. There are already hacks around, which work around address space randomization.

That's a fault in the implementation of address space randomization though, not a design issue.


#22

> Originally posted by starshipeleven:
> That's a fault in the implementation of address space randomization though, not a design issue.

Just curious, do you have a source for this? I've seen ASLR bypasses before, but I never read them properly, as they go a bit over my head.


#23

> Originally posted by GrayShade:
> Just curious, do you have a source for this? I've seen ASLR bypasses before, but I never read them properly, as they go a bit over my head.

The most understandable thing I read about what ASLR can actually do and what its main limitations are is from grsecurity: https://forums.grsecurity.net/viewtopic.php?f=7&t=3367
Most papers start talking of highly technical stuff and lack the top view of what the thing they are doing is.

It basically boils down to saying that yes, ASLR randomizes userspace addresses, but the kernel addresses can't be randomized because it would not be practical.
So without some additional security measures on the kernel itself to keep infoleak bugs in check (which can be abused to get the addresses of where stuff is), it's relatively easy to bypass ASLR by exploiting such kernel information leakage bugs.

And this is true anywhere, not just on Linux.

The info leaks are called "side-channel information" or similar in most papers. Google turns up a bunch.


#24

> Originally posted by starshipeleven:
> The most understandable thing I read about what ASLR can actually do and what its main limitations are is from grsecurity: https://forums.grsecurity.net/viewtopic.php?f=7&t=3367
> Most papers start talking of highly technical stuff and lack the top view of what the thing they are doing is.
>
> It basically boils down to saying that yes, ASLR randomizes userspace addresses, but the kernel addresses can't be randomized because it would not be practical.
> So without some additional security measures on the kernel itself to keep infoleak bugs in check (which can be abused to get the addresses of where stuff is), it's relatively easy to bypass ASLR by exploiting such kernel information leakage bugs.
>
> And this is true anywhere, not just on Linux.
>
> The info leaks are called "side-channel information" or similar in most papers. Google turns up a bunch.

I'm not fully convinced. The article concedes that KASLR can still be useful against remote exploits. No mitigation is completely effective, is it?


#25

> Originally posted by GrayShade:
> I'm not fully convinced. The article concedes that KASLR can still be useful against remote exploits. No mitigation is completely effective, is it?

Sure, but then it should be labeled as such.

The main targets for remote exploits are servers, while the main targets for local exploits are desktops (because users download and run stuff, not just executables: website stuff, documents, media and whatever else).

So yeah, it's much less useful on desktops without other hardening to prevent kernel side-channel attacks. Really it is just part of a multi-layer defence, where each layer relies on the others to cover its ass.

Last edited by starshipeleven; 18 June 2017, 11:02 AM.


#26

> Originally posted by starshipeleven:
> The main targets for remote exploits are servers, while the main targets for local exploits are desktops (because users download and run stuff, not just executables: website stuff, documents, media and whatever else).

That is not how it works. Attackers make use of both types of exploits on both types of systems. For example, an attacker could use a remote exploit to get access to an unprivileged shell and then a local exploit to get root access.


#27

> Originally posted by MoonMoon:
> That is not how it works. Attackers make use of both types of exploits on both types of systems. For example, an attacker could use a remote exploit to get access to an unprivileged shell and then a local exploit to get root access.

For desktops, local exploits are used more, and can even be used alone, as it's much easier to get the user to download/open/use whatever infected stuff (not as root) that then does tricks to escalate privileges.

On a server there is no user to trick into opening files.


#28

> Originally posted by reimar:
> For any TL;DR on my other long comment: PIE/PIC - at least on non-hardened Linux - does NOT require "free of .text relocations", thus invalidating that whole comment and others like it.

Then what is behind the mess with the Android/ffmpeg issue?


#29

> Originally posted by starshipeleven:
> Sounds like ffmpeg won't run anymore in Tumbleweed.

Instead of assuming things, how about asking your fellow forum members?
Happy ffmpeg-using Tumbleweed user here.


#30

> Originally posted by Luke:
> Then what is behind the mess with the Android/ffmpeg issue?

You'll have to start by explaining what "issue" you are talking about, since a Google search doesn't find anything.
Obviously things like Android's reinvention of the build system and its non-support of pure C applications sure don't make it easy to use, but that's all I could find. Also, Android isn't Linux; even the kernel part is a badly hacked variant.
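The thread turns on two properties of a shipped binary: whether it is position-independent (so ASLR can actually relocate it, posts #21 to #27) and whether it carries .text relocations (the point raised in #28, which force the loader to patch, and therefore write to, code pages). Both can be checked from the ELF headers without running anything. The following is an added example written for this page; it is not code from the thread, from openSUSE, or from ffmpeg. It parses a little-endian ELF64 image, classifies it with the same heuristic checksec-style tools use (ET_DYN plus a PT_INTERP or the DF_1_PIE flag means PIE), and reports DT_TEXTREL / DF_TEXTREL. The sample images are constructed inline from raw bytes for the demonstration and are not loadable programs; the `build_sample_elf` and `demo` helpers are this example's own names.

```python
"""Classify an ELF64 binary as PIE / non-PIE and detect text relocations.

Added example for the discussion above (not from the thread or any project):
a defender-side audit helper that reads the ELF header, program headers and
the PT_DYNAMIC segment to answer two questions: can ASLR relocate this
executable, and does it carry .text relocations (DT_TEXTREL / DF_TEXTREL)?
The sample ELF images built by build_sample_elf() are constructed test data.
"""
import struct
import sys

# ELF constants as defined in <elf.h>
ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
ELFDATA2LSB = 1
ET_EXEC = 2
ET_DYN = 3
PT_DYNAMIC = 2
PT_INTERP = 3
DT_NULL = 0
DT_TEXTREL = 22
DT_FLAGS = 30
DT_FLAGS_1 = 0x6FFFFFFB
DF_TEXTREL = 0x4
DF_1_PIE = 0x08000000


def analyze_elf(data: bytes) -> dict:
    """Return {'kind', 'pie', 'textrel'} for a little-endian ELF64 image."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != ELFCLASS64 or data[5] != ELFDATA2LSB:
        raise ValueError("only little-endian ELF64 is handled here")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    has_interp = False
    dyn_off = dyn_size = None
    for i in range(e_phnum):
        ph = e_phoff + i * e_phentsize
        p_type = struct.unpack_from("<I", data, ph)[0]
        if p_type == PT_INTERP:
            has_interp = True            # a program interpreter => executable, not a library
        elif p_type == PT_DYNAMIC:
            dyn_off = struct.unpack_from("<Q", data, ph + 8)[0]    # p_offset
            dyn_size = struct.unpack_from("<Q", data, ph + 32)[0]  # p_filesz

    textrel = False
    flagged_pie = False
    if dyn_off is not None:
        # Dynamic entries are (d_tag, d_val) pairs of 8 bytes each, terminated by DT_NULL
        for off in range(dyn_off, dyn_off + dyn_size, 16):
            d_tag, d_val = struct.unpack_from("<qQ", data, off)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_TEXTREL or (d_tag == DT_FLAGS and d_val & DF_TEXTREL):
                textrel = True           # loader must write to code pages at startup
            if d_tag == DT_FLAGS_1 and d_val & DF_1_PIE:
                flagged_pie = True       # linker explicitly marked this as a PIE

    if e_type == ET_EXEC:
        kind, pie = "fixed-address executable (not PIE)", False
    elif e_type == ET_DYN:
        # Heuristic used by checksec-style tools: ET_DYN with PT_INTERP (or DF_1_PIE) is
        # a PIE executable; ET_DYN without either is an ordinary shared library.
        pie = flagged_pie or has_interp
        kind = "PIE executable" if pie else "shared library"
    else:
        kind, pie = "other (e_type=%d)" % e_type, False
    return {"kind": kind, "pie": pie, "textrel": textrel}


def build_sample_elf(e_type: int, dyn_entries, with_interp: bool) -> bytes:
    """Construct a minimal, non-loadable ELF64 image (constructed test input only)."""
    ehdr_size, phdr_size = 64, 56
    phdrs = ([PT_INTERP] if with_interp else []) + [PT_DYNAMIC]
    phoff = ehdr_size
    dyn_off = phoff + len(phdrs) * phdr_size
    dyn = b"".join(struct.pack("<qQ", tag, val) for tag, val in dyn_entries)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    hdr = bytearray(ehdr_size)
    hdr[:4] = ELF_MAGIC
    hdr[4], hdr[5], hdr[6] = ELFCLASS64, ELFDATA2LSB, 1   # class, data, EV_CURRENT
    # e_type, e_machine (EM_X86_64), e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    struct.pack_into("<HHIQQQIHHHHHH", hdr, 16, e_type, 62, 1, 0, phoff, 0, 0,
                     ehdr_size, phdr_size, len(phdrs), 0, 0, 0)
    body = bytearray()
    for p_type in phdrs:
        p_off, p_size = (dyn_off, len(dyn)) if p_type == PT_DYNAMIC else (0, 0)
        # p_type, p_flags (PF_R), p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
        body += struct.pack("<IIQQQQQQ", p_type, 4, p_off, 0, 0, p_size, p_size, 8)
    return bytes(hdr) + bytes(body) + dyn


def demo() -> dict:
    """Classify four constructed images covering the cases discussed in the thread."""
    samples = {
        "non-PIE": build_sample_elf(ET_EXEC, [], with_interp=True),
        "PIE": build_sample_elf(ET_DYN, [(DT_FLAGS_1, DF_1_PIE)], with_interp=True),
        "PIE with TEXTREL": build_sample_elf(
            ET_DYN, [(DT_FLAGS, DF_TEXTREL), (DT_FLAGS_1, DF_1_PIE)], with_interp=True),
        "shared library": build_sample_elf(ET_DYN, [], with_interp=False),
    }
    return {name: analyze_elf(img) for name, img in samples.items()}


if __name__ == "__main__":
    if len(sys.argv) > 1:   # audit a real file: python3 elfcheck.py /path/to/binary
        with open(sys.argv[1], "rb") as fh:
            print(analyze_elf(fh.read()))
    else:
        for name, res in demo().items():
            print("%-18s %-36s textrel=%s" % (name, res["kind"], res["textrel"]))
```

Run without arguments it classifies the constructed samples; given a path it audits a real binary, which is the check a packager would run across a distribution to confirm that the PIE switch actually took effect and to flag objects that still need TEXTREL (those are the ones worth following up on, since a relocation-time write to code pages is exactly what a W^X policy or SELinux's execmod denial will refuse).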
