Date:      Wed, 20 May 2015 12:24:57 -0500
From:      Pedro Giffuni <pfg@FreeBSD.org>
To:        Oliver Pinter <oliver.pinter@hardenedbsd.org>,  Shawn Webb <shawn.webb@hardenedbsd.org>, freebsd-arch@freebsd.org
Subject:   Re: ASLR work into -HEAD ?
Message-ID:  <555CC369.1030206@FreeBSD.org>
In-Reply-To: <CAPQ4fftbUUSMHYXjOD-yO0ZzxdKwXzd5LA5AycrEyKMT3o63xw@mail.gmail.com>
References:  <555CADB6.202@FreeBSD.org> <CAPQ4fftbUUSMHYXjOD-yO0ZzxdKwXzd5LA5AycrEyKMT3o63xw@mail.gmail.com>



On 05/20/15 11:31, Oliver Pinter wrote:
> On 5/20/15, Pedro Giffuni <pfg@freebsd.org> wrote:
>> Hello Shawn;
>>
>> Whatever happened to the performance? Does it still have a
>> noticeable effect even when disabled?
> We should ask to run an exp-run again with/without/disabled ASLR.
>
So there's not much done in that sense :(.

>> I have no technical opinion on the patch, but ...
>>
>> TBH, the problem I see is that ASLR is so widespread that every
>> potential attacker already knows how to defeat it. Yes, it is meant
>> only as a mitigation technique but if it only buys you 5 min.
>> (at most) I don't see much advantage in obfuscating the VM.
> Hi Pedro!
>
> Consider the situation when someone releases an exploit against a
> system without ASLR. The attacker hard-codes the address of the
> specific code and tries it against the whole internet.
> In this case all of the tries will succeed. Then consider the other
> situation, when the system has ASLR. In this case the exploit
> mostly fails, and the attacker must try multiple times to attack
> the system. This is a very large cost on their side...

My claim is that the majority of "professional" breachers and
governments already have ASLR workarounds pre-coded and ready
to launch. Finding an exploit is more difficult than beating
ASLR, so they are not going to hint to everyone that they have
an exploit until they can take all the Linux/Windows/MacOSX
at the same time.

The cost for the NSA and/or anonymous to step on
ASLR is zero.

> Sometimes these 5 minutes decide whether the attacker can break in or
> not. Most average attackers do not have the knowledge of how to
> bypass ASLR. Yes, there exist automated ROP generators and other
> tools, and articles about blind ROP effectiveness, but in real
> life ASLR is a must have.

I think (and see, it's just my opinion) that it was a must have
5 years ago, but now any such measure is futile. Capsicum
everywhere would be a better use of effort.

> ASLR would be much more efficient when segvguard or a similar brute-
> force prevention solution exists in the system.
>

Define efficient... performance with PIE and other measures
certainly takes a hit, and very likely there is an energy cost as well, so
energetically you could consider it a waste of resources.

And, just to clarify, I am not in any way against your work:
I would personally like to have the option to use ASLR, but
off by default. If I do turn it on at some point, I won't want
anyone else to turn it off (even for debugging).

Pedro.

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?555CC369.1030206>