Date:      Wed, 19 Oct 2016 13:01:18 -0700
From:      Conrad Meyer <cem@freebsd.org>
To:        Beach Geek <labeachgeek@gmail.com>
Cc:        FreeBSD Hackers <freebsd-hackers@freebsd.org>
Subject:   Re: Attacking Branch Predictors to Bypass ASLR
Message-ID:  <CAG6CVpWU_Kt2-FaD=-VpoFH7=uAKXtCVAu27aZ-4TT-1MnDV0A@mail.gmail.com>
In-Reply-To: <CA%2BCmbW=L5fj3pJ0VYbhcHdqVfenhOKt9ZmNpfmOaLqzVpAt9Ow@mail.gmail.com>
References:  <CA%2BCmbWmNtwz%2BDfpEt5Gc0Ww3-eTT5DiMVczXgnXgoqc9KfUsxA@mail.gmail.com> <CA%2BCmbW=pOc-McyHrFS8QQy1zxByF4BUO=jqQdsf=J8d_kRi_jw@mail.gmail.com> <CA%2BCmbW=MRGHPRFjX4a_LQveyP80-1wLf44a9Jz2QGvy2KhDOcA@mail.gmail.com> <CA%2BCmbW=a06oqVZnW4uM9ijQWsnbUJq%2B95oLEbef2tZOQRWejeA@mail.gmail.com> <CA%2BCmbWkGyePScePpVgXSZDZOz1fyUsmrrR9ozR5X9Zoin5a-oQ@mail.gmail.com> <CA%2BCmbWkz9iFco_k5AEkh8dCdFxOkwJY-vUnUCE7JWZsg2waS4g@mail.gmail.com> <CA%2BCmbWkwePCPwoMKgKFqR_J=vBf%2BOTvnUEME7v7-Cip3De0yUA@mail.gmail.com> <CA%2BCmbW=gJTJDN2KYnwhmau36mJmr2ihQ2h=UwBM7QeCrQMEVaw@mail.gmail.com> <CA%2BCmbWnA3Tu4vgRggKNgL56Tf9LuajRg9HX0KJQ=ZoPbVbPjEQ@mail.gmail.com> <CA%2BCmbW=yR-tkKvuz=oBowb91xn0DkBOBK5W55jGj6mEh0=rY2g@mail.gmail.com> <CA%2BCmbW=gHAtuEMMTKYLdzvr9jipNxmyUY119Z_onB4-hqcsqxg@mail.gmail.com> <CA%2BCmbW=ed85QfP4L%2BK46Js_MtL7xkxfkXHk1VbxqHRMwcGUYkg@mail.gmail.com> <CA%2BCmbWkSsWBGWCe7R-32Qtb8u92RN2VDTShGOKgxvOLrB2-_bQ@mail.gmail.com> <CA%2BCmbW=L5fj3pJ0VYbhcHdqVfenhOKt9ZmNpfmOaLqzVpAt9Ow@mail.gmail.com>

On Wed, Oct 19, 2016 at 12:00 PM, Beach Geek <labeachgeek@gmail.com> wrote:
> This came across my tech news feed. It's a bit early and more testing is
> being done, but I wanted to start a discussion about it.
>
> Does this affect FreeBSD?
> If so, severity?
> Can this be countered/fixed in the OS?
>
> Link to 13 page paper:
> http://www.cs.ucr.edu/~nael/pubs/micro16.pdf

Hi,

FreeBSD doesn't have an ASLR implementation to bypass.  So the
straightforward answer is no.  It does not affect FreeBSD's existing
code.

There is an open question of whether it affects or obviates
Konstantin's userspace ASLR patch which is waiting to be merged.

The paper suggests a really lame and difficult software mitigation on
page 10.  On page 11 it suggests a possible HW mitigation, but that
does not yet exist in any CPU of course.

The userspace ASLR attack is somewhat limited.  Key quotes:

> Our prototype code tests 100 addresses in a second.

2^18 / 100 ~= 2^7 or ~2^11 seconds is about 35 minutes.

> Please note that current BTB addressing scheme (as used in Haswell processor
> used for our experiments) allows us to recover only a limited number of ASLR
> bits. The number of bits that are randomized is implementation specific.
> However, according to [47], the full ASLR in Linux randomizes 12th to 40th
> bits of the virtual address. Since 30th and higher bits are not used in BTB
> addressing, only 18 bits can be recovered using the BTB attack on Haswell.

So it seems ASLR may still be somewhat useful on amd64, especially if
bits above 30 are randomized (Haswell anyway).  But it may be
completely useless on i386.

Best,
Conrad
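The residual-entropy arithmetic behind the reply above, as an added example that is not part of the thread: the model takes the figures quoted from the paper (Linux randomizes virtual address bits 12 through 40, the Haswell BTB indexes with address bits below 30, about 100 probes per second) and reports how many randomized bits a BTB leak exposes and how many survive. The i386 layout (bits 12 through 31 randomized) is an assumption for illustration, not a figure from the page.

```python
"""Estimate how much userspace ASLR entropy survives a BTB-based leak.

Added example, not code from the mailing-list thread or the paper. The amd64
numbers follow the quote in the thread (bits 12..40 randomized, BTB uses bits
below 30); the i386 layout is a constructed assumption for comparison.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AslrLayout:
    name: str
    rand_lo: int    # lowest randomized virtual address bit (inclusive)
    rand_hi: int    # highest randomized virtual address bit (inclusive)
    btb_limit: int  # BTB addressing uses address bits strictly below this

    def randomized_bits(self) -> int:
        """Total ASLR entropy in bits before any leak."""
        return self.rand_hi - self.rand_lo + 1

    def leaked_bits(self) -> int:
        """Randomized bits that are also visible to BTB addressing."""
        hi = min(self.rand_hi, self.btb_limit - 1)
        return max(0, hi - self.rand_lo + 1)

    def residual_bits(self) -> int:
        """Entropy an attacker still has to guess after the BTB leak."""
        return self.randomized_bits() - self.leaked_bits()


def brute_force_seconds(bits: int, probes_per_second: float) -> float:
    """Worst-case time to exhaust 2**bits candidates at the given probe rate."""
    return (2 ** bits) / probes_per_second


# Figures quoted in the thread: Linux randomizes bits 12..40, Haswell BTB < bit 30.
LINUX_AMD64 = AslrLayout("amd64 (Linux full ASLR, per quote)", 12, 40, 30)
# Constructed assumption: a 32-bit address space randomizing bits 12..31.
I386_EXAMPLE = AslrLayout("i386 (assumed 12..31 randomized)", 12, 31, 30)
PROBES_PER_SECOND = 100  # "tests 100 addresses in a second", per the quote


def summarize(layout: AslrLayout, rate: float = PROBES_PER_SECOND) -> dict:
    """Return the entropy budget and the leak's cost for one layout."""
    return {
        "name": layout.name,
        "randomized": layout.randomized_bits(),
        "leaked": layout.leaked_bits(),
        "residual": layout.residual_bits(),
        "leak_minutes": brute_force_seconds(layout.leaked_bits(), rate) / 60,
        "residual_guesses": 2 ** layout.residual_bits(),
    }


if __name__ == "__main__":
    for layout in (LINUX_AMD64, I386_EXAMPLE):
        s = summarize(layout)
        print(f"{s['name']}: {s['randomized']} bits randomized, "
              f"{s['leaked']} leaked in ~{s['leak_minutes']:.1f} min, "
              f"{s['residual']} bits ({s['residual_guesses']} guesses) remain")
```

The leaked count is the overlap between the randomized range and the bits the BTB can observe, which is why the amd64 layout keeps 11 bits above bit 29 while the assumed i386 layout is left with only a handful of guesses; the figure to watch when evaluating a userspace ASLR patch is the residual, not the total.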
