OpenSUSE Tumbleweed Is Now Built With PIE
Originally posted by GrayShade: Just curious, do you have a source for this? I've seen ASLR bypasses before, but I never read them properly, as they go a bit over my head.
Most papers start talking of highly-technical stuff and lack the top-view of what is the thing they are doing.
It basically boils down to saying that yes ASLR randomizes userspace addresses, but the kernel addresses can't be randomized because it would not be practical.
So without some additional security measures on kernel itself to keep in check infoleak bugs (that can be abused to get addresses to where stuff is), it's relatively easy to bypass ASLR by exploiting such kernel information leakage bugs.
And this is true anywhere, not just on Linux.
The info leaks are called "side-channel information" or similar in most papers. Google turns up a bunch.
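A way to check, on a running system, which executables can actually benefit from the userspace randomization discussed above (an added example, not code from this thread or from openSUSE): the ELF e_type separates fixed-address executables (ET_EXEC, which ASLR cannot move) from relocatable ET_DYN images, and /proc/sys/kernel/randomize_va_space shows whether the kernel randomizes at all. The sample headers are constructed inline; ET_DYN also covers shared libraries, so it means "PIE-capable", not "PIE proven".

```python
import os
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3   # e_type: fixed-address executable / relocatable image
VERDICT = {ET_EXEC: "non-PIE (fixed load address; ASLR cannot move its code)",
           ET_DYN: "ET_DYN (PIE executable or shared object)"}

def elf_type(data: bytes):
    """Return e_type from the first bytes of an ELF file, or None if not ELF."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    endian = "<" if data[5] == 1 else ">"   # EI_DATA: 1 little-endian, 2 big-endian
    # e_type is a 16-bit field at offset 16 in both ELF32 and ELF64 headers
    return struct.unpack(endian + "H", data[16:18])[0]

def classify(data: bytes) -> str:
    """Short verdict; ET_DYN also covers .so files, so it is 'PIE-capable', not 'PIE proven'."""
    t = elf_type(data)
    return "not-elf" if t is None else VERDICT.get(t, f"other e_type {t}")

def audit_dir(path):
    """Yield (name, verdict) for every regular file directly under path."""
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full, "rb") as f:
                yield name, classify(f.read(64))

def aslr_setting(path="/proc/sys/kernel/randomize_va_space"):
    """Kernel ASLR level (0 off, 1 stack/mmap/vdso, 2 also brk); None if unreadable."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None

def sample_header(e_type: int, little_endian: bool = True) -> bytes:
    """Constructed 64-byte ELF64 header carrying only the fields parsed above."""
    ident = ELF_MAGIC + bytes([2, 1 if little_endian else 2, 1, 0]) + bytes(8)
    endian = "<" if little_endian else ">"
    return ident + struct.pack(endian + "HHI", e_type, 62, 1) + bytes(40)

if __name__ == "__main__":
    print("randomize_va_space =", aslr_setting())
    for name, verdict in audit_dir(sys.argv[1] if len(sys.argv) > 1 else "/usr/bin"):
        print(f"{verdict:58s} {name}")
```

Run it against a directory of binaries: any ET_EXEC entry is a program whose code segment sits at the same address on every run regardless of the kernel setting.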
Originally posted by starshipeleven: The most understandable thing I read about what ASLR can actually do and what are its main limitations is from grsecurity https://forums.grsecurity.net/viewtopic.php?f=7&t=3367
Most papers start talking of highly-technical stuff and lack the top-view of what is the thing they are doing.
It basically boils down to saying that yes ASLR randomizes userspace addresses, but the kernel addresses can't be randomized because it would not be practical.
So without some additional security measures on kernel itself to keep in check infoleak bugs (that can be abused to get addresses to where stuff is), it's relatively easy to bypass ASLR by exploiting such kernel information leakage bugs.
And this is true anywhere, not just on Linux.
The info leaks are called "side-channel information" or similar in most papers. Google turns up a bunch.
Originally posted by GrayShade: I'm not fully convinced. The article concedes that KASLR can still be useful against remote exploits. No mitigation is completely effective, is it?
Main targets for remote exploits are servers, while main target for local exploits are desktops (because users download and run stuff, not just executables, website stuff, documents, media and whatever else).
So yeah, it's much less useful on desktops, without other hardening to prevent kernel side channel attacks. Really it is just part of a multi-layer defence, each layer relies on the others to cover his ass.
Last edited by starshipeleven; 18 June 2017, 11:02 AM.
Originally posted by starshipeleven: Main targets for remote exploits are servers, while main target for local exploits are desktops (because users download and run stuff, not just executables, website stuff, documents, media and whatever else).
Originally posted by MoonMoon: That is not how it works. Attackers make use of both types of exploits on both types of systems. For example, an attacker could use a remote exploit to get access to an unprivileged shell and then a local exploit to get root access.
On a server there is no user to trick into opening files.
Originally posted by Luke: Then what is behind the mess with the Android/ffmpeg issue?
Obviously things like Android's reinvention of the build system and its non-support of pure C applications sure doesn't make it easy to use, but that's all I could find. Also Android isn't Linux, even the kernel part is a badly hacked variant.