Subject: Re: HEADS-UP: PIE enabled by default on main
From: Toomas Soome
Date: Sun, 28 Feb 2021 14:23:35 +0200
To: "dmilith ."
Cc: Ihor Antonov, Warner Losh, FreeBSD Current, Gordon Bergling, Ed Maste
Message-Id: <49B22332-AE96-4E51-A5A8-DFE4261499C5@me.com>
References: <20210228043411.mj7l5wkwj46neurv@localhost> <20210228062442.qk5nkzxt4msw2cgm@localhost>
List-Id: Discussions about the use of FreeBSD-current

> On 28. Feb 2021, at 13:27, dmilith . wrote:
>
> First of all - ASLR is designed as mitigation for external attacks,
> not internal ones (logged in user).
> Second - Linux and FreeBSD both have weak implementations in
> comparison to PAX-driven ones. Try attacking the system with
> Grsecurity or HardenedBSD (both use the strongest ASLR available
> AFAIK).
>
> Saying that security mitigation features that affect no performance
> are "meaningless", is just ridiculous or at least just irresponsible.
> It's like telling C programmers that stack protection or out of bounds
> checks are bad, cause there's nothing wrong with random SEGFAULTS from
> time to time…
>

You seem to forget that those mechanisms are there exactly because programmers are not caring about random faults from time to time :D With correct code, one would not need mechanisms like ASLR.

rgds,
toomas

>
> On 28/02/2021, Ihor Antonov wrote:
>> On 2021-02-27 22:29, Warner Losh wrote:
>>> On Sat, Feb 27, 2021 at 9:34 PM Ihor Antonov wrote:
>>>
>>>>>
>>>>> But isn't it well-known that ASLR/ASR/any-related-buzzwork does not add
>>>>> any security, except imaginary? The only purpose of it is to have a
>>>>> check-list item ticked green.
>>>>
>>>> I don't know if I should parse this as sarcasm (or any other form of
>>>> "humor") or is a serious statement? But this does leave me with a whole
>>>> bunch of questions..
>>>>
>>>> If this is really how Konstantin is describing it then is it OK to say
>>>> about this to the whole Internet? Why is the FreeBSD Foundation paying for
>>>> meaningless work then? Why do members of the Core team do this work? Does
>>>> this mean that FreeBSD is working to satisfy the silly needs of some fat
>>>> customer? What about project independence and not being controlled by
>>>> big money?
>>>>
>>>> Where can I read about ASLR and security myths?
>>>
>>> Why not spend time and explain why this does not work?
>>>>
>>>
>>> Not to rise to the baitiness of all these leading questions (they really
>>> are quite contrary to how our community usually comports itself, but for
>>> the sake of civil discourse, I'll ignore)....
>>>
>>> I'll bet it has something to do with the many known ASLR attacks. One is
>>> chronicled in https://www.vusec.net/projects/anc/ and elsewhere, which show
>>> how MMU side channels can defeat ASLR. Or maybe he's familiar with the
>>> offset2lib attack against Linux 64-bit ASLR documented in this paper
>>> https://cybersecurity.upv.es/attacks/offset2lib/offset2lib-paper.pdf.
>>> There's many others as well that show the shortcomings of ASLR and disclose
>>> ways to defeat it using various clever means.
>>
>> Warner, thanks for the links. They are indeed interesting.
>>
>>>> You clearly should mean something useful and much more important than
>>>> that,
>>>
>>> Maybe he'd like to understand how PIE accomplishes better security given the
>>> known ASLR weaknesses. And rather than take a sarcastic tone, he asked for
>>> more details that back up the earlier claims of improved security so we
>>> could all learn something.
>>
>> The conclusion of the paper in the second link clearly says:
>>
>> We present a new weakness on the current implementation of the ASLR
>> Linux systems which affects PIE compiled executables. Applications
>> compiled with PIE are considered to be more robust since it makes
>> attacks more difficult.
>>
>> Which I read as ASLR and PIE work better together. This is the same as what
>> Gordon was saying.
>>
>> The whole situation is wrong on 2 different levels.
>>
>> First: saying that ASLR is not perfect and can be broken is not the same
>> thing as saying "The only purpose of it is to have a check-list item ticked
>> green"
>>
>> There are no perfect security measures, and you guys (kernel and OS
>> developers) should know that better than us (users). Hackers find new
>> exploits, developers find ways to mitigate them and the cycle repeats. Just
>> the fact that ASLR can be broken is not the reason to not have it.
>>
>> Second: look at this exchange from a distance
>>
>> Ed: we are enabling security feature X, please rebuild your worlds..
>> Gordon: great progress! go team!
>> Konstantin: why do you think this is great progress? (implying it is not)
>> Gordon: well, I heard feature X works best with feature Y
>> Konstantin: feature Y is a useless checkbox, next time you speak make sure
>> you say something useful!
>>
>> Considering the fact that Konstantin himself worked on ASLR this is at
>> least confusing.. Also does this mean that feature X (PIE) is also a
>> useless checkbox?
>>
>> Konstantin, Ed, Warner - I dunno what is going on in your house (Core) but
>> it does not look good from the outside. You are sending mixed signals to
>> your audience.
>>
>>
>> _______________________________________________
>> freebsd-current@freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-current
>> To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"
>>
>
>
> --
> Daniel Dettlaff
> Versatile Knowledge Systems
> verknowsys.com
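The thread turns on whether PIE and ASLR complement each other: ASLR can only randomise the executable's own load address if the binary is position-independent (ET_DYN), otherwise only stack, heap and libraries move. The script below is an added example, not code from this thread or from FreeBSD; it classifies an ELF64 image from its headers so an administrator can check which installed binaries actually benefit from the change. The ELF constants come from the ELF64 specification; the sample images are constructed inline.

```python
import struct
import sys

ET_EXEC, ET_DYN = 2, 3        # e_type values from the ELF specification
PT_INTERP = 3                 # program header requesting the dynamic loader
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # 64-byte little-endian ELF64 header
PHDR = struct.Struct("<IIQQQQQQ")          # 56-byte ELF64 program header


def classify_elf64(image: bytes) -> str:
    """Return 'non-pie', 'pie', 'shared-object', 'not-executable' or 'not-elf64'."""
    if len(image) < EHDR.size or image[:4] != b"\x7fELF" or image[4] != 2:
        return "not-elf64"
    fields = EHDR.unpack_from(image, 0)
    e_type, e_phoff, e_phentsize, e_phnum = fields[1], fields[5], fields[9], fields[10]
    if e_type == ET_EXEC:
        # Fixed load address: ASLR can still randomise stack, heap and libraries,
        # but the program's own text and data land where the linker placed them.
        return "non-pie"
    if e_type != ET_DYN:
        return "not-executable"
    # ET_DYN covers both PIE executables and shared libraries; a PT_INTERP
    # segment marks the image as a program the dynamic loader should start.
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + PHDR.size > len(image):
            break
        if PHDR.unpack_from(image, off)[0] == PT_INTERP:
            return "pie"
    return "shared-object"


def build_sample(e_type: int, phdr_types: list) -> bytes:
    """Construct a minimal ELF64 image (EM_X86_64, FreeBSD OSABI) for testing."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 9]) + b"\x00" * 8   # constructed, not a real binary
    phoff = EHDR.size if phdr_types else 0
    ehdr = EHDR.pack(ident, e_type, 62, 1, 0x1000, phoff, 0, 0,
                     EHDR.size, PHDR.size, len(phdr_types), 64, 0, 0)
    return ehdr + b"".join(PHDR.pack(t, 4, 0, 0, 0, 0, 0, 1) for t in phdr_types)


if __name__ == "__main__":
    # With no arguments, classify the constructed samples; otherwise the given files.
    if len(sys.argv) == 1:
        print("constructed ET_EXEC ->", classify_elf64(build_sample(ET_EXEC, [])))
        print("constructed ET_DYN+PT_INTERP ->", classify_elf64(build_sample(ET_DYN, [1, PT_INTERP])))
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, "->", classify_elf64(fh.read(65536)))
```

A statically linked PIE carries no PT_INTERP and is reported as "shared-object" here; the e_type check alone still separates fixed-address executables from position-independent ones.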