Gentoo Forums :: Gentoo Chat
When will ASLR be made default on all profiles? (page 2 of 3)
duby2291 (Guru; joined 17 Oct 2004; 583 posts)
Posted: Tue Feb 28, 2017 8:29 pm

1clue wrote:
duby2291 wrote:
I do understand the terminology, and I also understand how pervasive JS is. But neither of those issues is even relevant to this, because if you disable JS, as should have been done years ago, then that problem won't even exist for you.

The fundamental flaw is in the MMU of modern CPUs, and CPU designers are already aware of it. In addition, the current CPUs that are already affected can be patched easily. The bottom line fact is this: no matter how you word it, ASLR improves security many times over when compared to a non-ASLR configuration. Even in its current state it is still a better option than nothing.


For some people disabling JS is not an option. In my case, my income is directly tied to using sites which use JS and which will not stop using JS until a better alternative becomes pervasive and is proved more secure than JS.

I can and have read the history on this post, and have been following the topic long before this thread started. And for that matter I have enabled ASLR. I'm simply stating that the "solutions" being presented are not bullet proof. When I have a public-facing server and have a service on that system for maintenance I put it behind a VPN, AND use multifactor authentication, AND obscure the port. Obscuring the port is unnecessary but statistically helpful. Obscuring the port means absolutely nothing during a security audit and generates hate from the IT staff which must account for it. If somebody gets past the VPN and multifactor authentication then they sure AF can figure out what port I'm using if they should choose to look.

Likewise ASLR in no way fixes the vulnerability. If code can inject and run without it, then slightly smarter code can inject and run with it. The end, game over. As you pointed out the flaw is in hardware and unlikely to be fixed soon. You can obscure to your heart's content but that does not provably solve any problems. You can stop using JS, but doing that would mean I need to find another line of work. Not gonna happen soon. I'm 100% positive many other Linux users share the same opinion.

Lots of people on this thread and in the global discussion on these topics (ASLR, JS) present their solutions as all-or-nothing, or assume that those solutions would work for everyone. That sentiment is pure horse droppings.


And again, that's entirely irrelevant to this discussion. ASLR is already configured on hardened Gentoo profiles, so if you have a server deployed it will already be implementing this. What I'm talking about here is users of their own computers. I personally think ASLR should be enabled by default on all profiles due to the -fact- that it makes the most common exploits that can affect Linux impossible. Something like 90% of all the exploits a desktop Linux user can experience would be prevented automatically by ASLR.

And again, the fundamental flaw that you are using as a weak excuse can be fixed in an easy patch to the kernel's memory manager. Additionally, CPU designers are already aware of this flaw, and you can bet your last dollar it will be addressed in the very next iteration of every CPU released from here on out.
1clue (Advocate; joined 05 Feb 2006; 2569 posts)
Posted: Tue Feb 28, 2017 8:30 pm

duby2291 wrote:
I do understand the terminology, and I also understand how pervasive JS is. But, neither of those issue are even relevant to this because if you disable JS as should have been done years ago, then that problem won't even exist for you.


Sorry, I just can't drop it.

If disabling JS makes the problem not exist, then you're basically saying that you're perfectly happy using only 20% of the Internet. Even that number (pure speculation on my part) is probably artificially higher than reality because all the recreational content I and my family like to use contains JS.

"Stop using JS" is not an acceptable solution, either professionally or privately. It's like telling your teens that they can have fireworks but only snakes and sparklers, not "the good stuff."
1clue (Advocate; joined 05 Feb 2006; 2569 posts)
Posted: Tue Feb 28, 2017 8:36 pm

duby2291 wrote:
1clue wrote:
duby2291 wrote:
I do understand the terminology, and I also understand how pervasive JS is. But neither of those issues is even relevant to this, because if you disable JS, as should have been done years ago, then that problem won't even exist for you.

The fundamental flaw is in the MMU of modern CPUs, and CPU designers are already aware of it. In addition, the current CPUs that are already affected can be patched easily. The bottom line fact is this: no matter how you word it, ASLR improves security many times over when compared to a non-ASLR configuration. Even in its current state it is still a better option than nothing.


For some people disabling JS is not an option. In my case, my income is directly tied to using sites which use JS and which will not stop using JS until a better alternative becomes pervasive and is proved more secure than JS.

I can and have read the history on this post, and have been following the topic long before this thread started. And for that matter I have enabled ASLR. I'm simply stating that the "solutions" being presented are not bullet proof. When I have a public-facing server and have a service on that system for maintenance I put it behind a VPN, AND use multifactor authentication, AND obscure the port. Obscuring the port is unnecessary but statistically helpful. Obscuring the port means absolutely nothing during a security audit and generates hate from the IT staff which must account for it. If somebody gets past the VPN and multifactor authentication then they sure AF can figure out what port I'm using if they should choose to look.

Likewise ASLR in no way fixes the vulnerability. If code can inject and run without it, then slightly smarter code can inject and run with it. The end, game over. As you pointed out the flaw is in hardware and unlikely to be fixed soon. You can obscure to your heart's content but that does not provably solve any problems. You can stop using JS, but doing that would mean I need to find another line of work. Not gonna happen soon. I'm 100% positive many other Linux users share the same opinion.

Lots of people on this thread and in the global discussion on these topics (ASLR, JS) present their solutions as all-or-nothing, or assume that those solutions would work for everyone. That sentiment is pure horse droppings.


And again, that's entirely irrelevant to this discussion. ASLR is already configured on hardened Gentoo profiles, so if you have a server deployed it will already be implementing this. What I'm talking about here is users of their own computers. I personally think ASLR should be enabled by default on all profiles due to the -fact- that it makes the most common exploits that can affect Linux impossible. Something like 90% of all the exploits a desktop Linux user can experience would be prevented automatically by ASLR.


It doesn't make anything impossible. If the script in question can execute the code without ASLR, then it can scan memory for a fingerprint of that code and execute it with ASLR. So your -fact- is false. It may statistically improve the odds, but it makes absolutely nothing impossible.

Quote:

And again, the fundamental flaw that you are using as a weak excuse can be fixed in an easy patch to the kernel's memory manager. Additionally, CPU designers are already aware of this flaw, and you can bet your last dollar it will be addressed in the very next iteration of every CPU released from here on out.


I'm using nothing as a weak excuse to anything. I'll be glad to see the fix that the CPU designers give us, and I hope it's free of defects.
duby2291 (Guru; joined 17 Oct 2004; 583 posts)
Posted: Tue Feb 28, 2017 8:39 pm

1clue wrote:
duby2291 wrote:
I do understand the terminology, and I also understand how pervasive JS is. But neither of those issues is even relevant to this, because if you disable JS, as should have been done years ago, then that problem won't even exist for you.


Sorry, I just can't drop it.

If disabling JS makes the problem not exist, then you're basically saying that you're perfectly happy using only 20% of the Internet. Even that number (pure speculation on my part) is probably artificially higher than reality because all the recreational content I and my family like to use contains JS.

"Stop using JS" is not an acceptable solution, either professionally or privately. It's like telling your teens that they can have fireworks but only snakes and sparklers, not "the good stuff."


If you are calling JS the good stuff then I have to disagree with that in every possible way. It sucks and there is plenty of content that doesn't work, but I can personally live with it. I do understand how pervasive JS is, and even if you can't disable JS, the exploit here will still only affect you in cases where it actually gets executed.
duby2291 (Guru; joined 17 Oct 2004; 583 posts)
Posted: Tue Feb 28, 2017 8:42 pm

1clue wrote:
duby2291 wrote:
1clue wrote:
duby2291 wrote:
I do understand the terminology, and I also understand how pervasive JS is. But neither of those issues is even relevant to this, because if you disable JS, as should have been done years ago, then that problem won't even exist for you.

The fundamental flaw is in the MMU of modern CPUs, and CPU designers are already aware of it. In addition, the current CPUs that are already affected can be patched easily. The bottom line fact is this: no matter how you word it, ASLR improves security many times over when compared to a non-ASLR configuration. Even in its current state it is still a better option than nothing.


For some people disabling JS is not an option. In my case, my income is directly tied to using sites which use JS and which will not stop using JS until a better alternative becomes pervasive and is proved more secure than JS.

I can and have read the history on this post, and have been following the topic long before this thread started. And for that matter I have enabled ASLR. I'm simply stating that the "solutions" being presented are not bullet proof. When I have a public-facing server and have a service on that system for maintenance I put it behind a VPN, AND use multifactor authentication, AND obscure the port. Obscuring the port is unnecessary but statistically helpful. Obscuring the port means absolutely nothing during a security audit and generates hate from the IT staff which must account for it. If somebody gets past the VPN and multifactor authentication then they sure AF can figure out what port I'm using if they should choose to look.

Likewise ASLR in no way fixes the vulnerability. If code can inject and run without it, then slightly smarter code can inject and run with it. The end, game over. As you pointed out the flaw is in hardware and unlikely to be fixed soon. You can obscure to your heart's content but that does not provably solve any problems. You can stop using JS, but doing that would mean I need to find another line of work. Not gonna happen soon. I'm 100% positive many other Linux users share the same opinion.

Lots of people on this thread and in the global discussion on these topics (ASLR, JS) present their solutions as all-or-nothing, or assume that those solutions would work for everyone. That sentiment is pure horse droppings.


And again, that's entirely irrelevant to this discussion. ASLR is already configured on hardened Gentoo profiles, so if you have a server deployed it will already be implementing this. What I'm talking about here is users of their own computers. I personally think ASLR should be enabled by default on all profiles due to the -fact- that it makes the most common exploits that can affect Linux impossible. Something like 90% of all the exploits a desktop Linux user can experience would be prevented automatically by ASLR.


It doesn't make anything impossible. If the script in question can execute the code without ASLR, then it can scan memory for a fingerprint of that code and execute it with ASLR. So your -fact- is false. It may statistically improve the odds, but it makes absolutely nothing impossible.

Quote:

And again, the fundamental flaw that you are using as a weak excuse can be fixed in an easy patch to the kernel's memory manager. Additionally, CPU designers are already aware of this flaw, and you can bet your last dollar it will be addressed in the very next iteration of every CPU released from here on out.


I'm using nothing as a weak excuse to anything. I'll be glad to see the fix that the CPU designers give us, and I hope it's free of defects.


Yes it absolutely does make that type of exploit impossible when ASLR is used in combination with the NX bit.
1clue (Advocate; joined 05 Feb 2006; 2569 posts)
Posted: Tue Feb 28, 2017 8:50 pm

duby2291 wrote:
1clue wrote:
duby2291 wrote:
I do understand the terminology, and I also understand how pervasive JS is. But neither of those issues is even relevant to this, because if you disable JS, as should have been done years ago, then that problem won't even exist for you.


Sorry, I just can't drop it.

If disabling JS makes the problem not exist, then you're basically saying that you're perfectly happy using only 20% of the Internet. Even that number (pure speculation on my part) is probably artificially higher than reality because all the recreational content I and my family like to use contains JS.

"Stop using JS" is not an acceptable solution, either professionally or privately. It's like telling your teens that they can have fireworks but only snakes and sparklers, not "the good stuff."


If you are calling JS the good stuff then I have to disagree with that in every possible way. It sucks and there is plenty of content that doesn't work, but I can personally live with it. I do understand how pervasive JS is, and even if you can't disable JS, the exploit here will still only affect you in cases where it actually gets executed.


JS is not the good stuff, but the good content exists on sites which use JS. You can personally live with it, but I won't. Back in the early days of Linux I made all sorts of excuses in order to justify my choice of operating system. I no longer bother, because the only thing I want to do but can't do on Linux is prove that the software I write works correctly on Windows or Mac OS.

Moreover, my software choices affect me and my family. You are attempting to make my software choices for me and the rest of the Linux world, and you can pretty much read my mind to get my response to that. It can't be printed here without getting a reprimand from the moderators.


Last edited by 1clue on Tue Feb 28, 2017 8:54 pm; edited 1 time in total
1clue (Advocate; joined 05 Feb 2006; 2569 posts)
Posted: Tue Feb 28, 2017 8:53 pm

duby2291 wrote:


Yes it absolutely does make that type of exploit impossible when ASLR is used in combination with the NX bit.


Assuming that the system in question has the NX bit, then I'll give that a big fat "maybe." In the case that it doesn't, then no.
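The exchange above (ASLR plus NX makes injection "impossible" versus "code that can run once can scan for what it needs") can be checked against a live process instead of argued. The C program below is an added example for this thread; it is not code from Gentoo or from either poster, and every function name in it is mine. It assumes Linux with /proc mounted and 4 KiB pages, and the two symbol offsets it hands to recover_address() in main() are made up for illustration, not taken from any real libc. It separates three things the thread runs together: the kernel's randomize_va_space sysctl (which randomizes stack, mmap and heap placement on any Linux kernel, hardened profile or not; upstream's default is 2), whether the executable itself is PIE (only a PIE image gets a random base; a non-PIE binary sits at its link-time address no matter what the sysctl says, and building PIE by default is what a hardened toolchain adds), and whether the stack is mapped executable (the NX half). The last function is the arithmetic 1clue is describing: one leaked libc pointer plus symbol offsets read from the target's libc file yields every other libc address, because ASLR moves the whole object as a single page-aligned block.

```c
/* aslr_probe.c: added example for this thread, not Gentoo's code or either poster's. Shows what
 * the kernel and toolchain did for this process, and the arithmetic an exploit uses once it has
 * leaked one pointer. Assumes Linux with /proc and 4 KiB pages; offsets in main() are made up. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct mapping {
    unsigned long start, end;  /* address range of one /proc/self/maps line */
    char perms[5];             /* e.g. "rw-p"; perms[2] == 'x' means executable */
    char path[256];            /* file path, "[stack]", "[heap]", or "" if anonymous */
};

/* kernel.randomize_va_space: 0 off, 1 stack/mmap/vdso, 2 also the brk heap (upstream default). */
int read_randomize_va_space(void)
{
    int level = -1;
    FILE *f = fopen("/proc/sys/kernel/randomize_va_space", "r");
    if (f && fscanf(f, "%d", &level) != 1) level = -1;
    if (f) fclose(f);
    return level;  /* -1 if the sysctl could not be read */
}

/* Parse one /proc/self/maps line; returns 1 on success, with path possibly empty. */
int parse_maps_line(const char *line, struct mapping *m)
{
    m->path[0] = '\0';
    return sscanf(line, "%lx-%lx %4s %*lx %*s %*lu %255[^\n]",
                  &m->start, &m->end, m->perms, m->path) >= 3;
}

/* Matches libc.so.6 or libc-2.xx.so, not libcrypto and friends. */
int path_is_libc(const char *path)
{
    const char *base = strrchr(path, '/');
    base = base ? base + 1 : path;
    return strncmp(base, "libc.so", 7) == 0 || strncmp(base, "libc-", 5) == 0;
}
static int path_is_stack(const char *path) { return strcmp(path, "[stack]") == 0; }

/* First mapping whose path satisfies pred; maps are in ascending address order, so for a shared object the first hit is its load base. */
static int find_mapping(int (*pred)(const char *), struct mapping *out)
{
    char line[512];
    int found = 0;
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return 0;
    while (!found && fgets(line, sizeof line, f))
        found = parse_maps_line(line, out) && pred(out->path);
    fclose(f);
    return found;
}

unsigned long libc_load_base(void)
{
    struct mapping m;
    return find_mapping(path_is_libc, &m) ? m.start : 0;  /* 0 if no libc.so is mapped */
}

/* The NX half of the argument: 1 if the stack is mapped executable, 0 if not, -1 unknown. */
int stack_is_executable(void)
{
    struct mapping m;
    return find_mapping(path_is_stack, &m) ? m.perms[2] == 'x' : -1;
}

/* Only an ET_DYN (PIE) executable gets a random base; an ET_EXEC binary is loaded at its
 * link-time address whatever randomize_va_space says. 1 = PIE, 0 = fixed, -1 = unknown. */
int exe_is_pie(void)
{
    unsigned char h[18];
    FILE *f = fopen("/proc/self/exe", "rb");
    size_t n = f ? fread(h, 1, sizeof h, f) : 0;
    if (f) fclose(f);
    if (n != sizeof h || memcmp(h, "\x7f" "ELF", 4) != 0) return -1;
    unsigned type = h[5] == 2 ? (h[16] << 8) | h[17] : h[16] | (h[17] << 8);  /* EI_DATA 2 = big endian */
    return type == 3 ? 1 : type == 2 ? 0 : -1;  /* ET_DYN 3, ET_EXEC 2 */
}

/* The "slightly smarter code" step: ASLR slides a whole object as one page-aligned block, so one
 * leaked libc pointer plus two symbol offsets read from the victim's libc file (nm -D libc.so.6)
 * locate anything else in it. Returns 0 if the base is not page aligned: wrong libc build, do not jump. */
uintptr_t recover_address(uintptr_t leaked_ptr, uintptr_t leaked_sym_off, uintptr_t target_sym_off)
{
    uintptr_t base = leaked_ptr - leaked_sym_off;
    if (leaked_ptr < leaked_sym_off || (base & 0xfff)) return 0;
    return base + target_sym_off;
}

int main(void)
{
    int stack_var = 0;
    printf("randomize_va_space=%d exe_is_pie=%d stack_executable=%d\n",
           read_randomize_va_space(), exe_is_pie(), stack_is_executable());
    printf("libc base %#lx, a stack variable %p\n", libc_load_base(), (void *)&stack_var);
    /* Made-up leak: puts, at libc file offset 0x84ed0, was observed at 0x7f0a1c2b5ed0. */
    printf("system() from that leak: %#lx\n",
           (unsigned long)recover_address(0x7f0a1c2b5ed0UL, 0x84ed0, 0x52290));
    return 0;
}
```

Build it and run it twice (`gcc -o probe aslr_probe.c && ./probe && ./probe`): the libc base and the stack address change between runs when randomize_va_space is 1 or 2, while the recovered system() address is identical both times because it depends only on the leak and the offsets, which is the whole point of a leak-based bypass. Rebuild with `gcc -no-pie` and with `gcc -fPIE -pie` to watch exe_is_pie flip; a non-PIE image's code stays at a fixed address under ASLR, so an attacker with no leak at all still knows where it is. The page-alignment check in recover_address() covers the technique's real failure mode: when the victim runs a different libc build than the one the offsets came from, the computed base is almost never page aligned, and an exploit should stop there rather than jump to a wrong address.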
duby2291 (Guru; joined 17 Oct 2004; 583 posts)
Posted: Tue Feb 28, 2017 9:32 pm

1clue wrote:
duby2291 wrote:
1clue wrote:
duby2291 wrote:
I do understand the terminology, and I also understand how pervasive JS is. But neither of those issues is even relevant to this, because if you disable JS, as should have been done years ago, then that problem won't even exist for you.


Sorry, I just can't drop it.

If disabling JS makes the problem not exist, then you're basically saying that you're perfectly happy using only 20% of the Internet. Even that number (pure speculation on my part) is probably artificially higher than reality because all the recreational content I and my family like to use contains JS.

"Stop using JS" is not an acceptable solution, either professionally or privately. It's like telling your teens that they can have fireworks but only snakes and sparklers, not "the good stuff."


If you are calling JS the good stuff then I have to disagree with that in every possible way. It sucks and there is plenty of content that doesn't work, but I can personally live with it. I do understand how pervasive JS is, and even if you can't disable JS, the exploit here will still only affect you in cases where it actually gets executed.


JS is not the good stuff, but the good content exists on sites which use JS. You can personally live with it, but I won't. Back in the early days of Linux I made all sorts of excuses in order to justify my choice of operating system. I no longer bother, because the only thing I want to do but can't do on Linux is prove that the software I write works correctly on Windows or Mac OS.

Moreover, my software choices affect me and my family. You are attempting to make my software choices for me and the rest of the Linux world, and you can pretty much read my mind to get my response to that. It can't be printed here without getting a reprimand from the moderators.


I guess I have to admit that your opinion on JS represents a far larger majority than mine does. But at the same time I absolutely guarantee mine is the actual correct one. It sucks, I know, that so many popular common web sites rely so heavily on one of the worst pieces of software ever written, but it is what it is, and unfortunately I as an individual can't do anything about it. So I learned to live with it, but I won't ever claim it was easy.
1clue (Advocate; joined 05 Feb 2006; 2569 posts)
Posted: Tue Feb 28, 2017 9:48 pm

Youtube? javascript.
Netflix? javascript.
Amazon? javascript.
Ebay? Javascript.
The top 10 news sites based on hit count? Javascript.
Edit: pretty much every social networking site? Javascript. And probably Flash, which is a million times worse than JS.

What popular sites do you use which don't use javascript? Which of the ones that do are even functional without it?

Give me a mainstream website that normal people use, that doesn't use javascript.
duby2291 (Guru; joined 17 Oct 2004; 583 posts)
Posted: Tue Feb 28, 2017 10:01 pm

1clue wrote:
Youtube? javascript.
Netflix? javascript.
Amazon? javascript.
Ebay? Javascript.
The top 10 news sites based on hit count? Javascript.

What popular sites do you use which don't use javascript? Which of the ones that do are even functional without it?

Give me a mainstream website that normal people use, that doesn't use javascript.


First, let's try to make this conversation more realistic for people reading this thread and instead talk about scripts with malicious intent rather than narrowing down on JS. I stated my opinion on JS, and I deal with it by disabling JS totally. It does suck and it's not something most people can do. But what most people can do is use uBlock or, even better yet, NoScript. They can isolate scripts that have malicious intent and prevent them from running in the first place.

But now I think we are getting side tracked by a personal opinion I have rather than addressing the actual issue. And that actual issue is that Gentoo only implements ASLR on hardened profiles when in fact it really needs to be implemented on all profiles.
1clue (Advocate; joined 05 Feb 2006; 2569 posts)
Posted: Tue Feb 28, 2017 10:42 pm

Sure.

NoScript: You expect an 8-year-old kid to figure out which script is malicious? Or tell them why Facebook works on their friends' computers but not on theirs? My wife has no understanding of code or why there would be scripts either, for that matter.

Malicious code: You can prove that bugs do exist, but you can't prove that they don't. If we could prove bugs/exploits don't exist then there would be no CVE database, nor code patches for security or stability.

I have described a very reasonable scenario where ASLR does not fix the security hole we're talking about. I'm sure others have presented the same or similar scenarios. ASLR is in no way a true fix.

Presenting that ASLR is an absolute solution is provably incorrect. Presenting the removal of JS as a cure for the problem is also provably incorrect. Saying that either or both will improve your chances of avoiding an exploit is reasonable.

Gentoo is a distribution of choice. IMO if the maintainers think there's a good reason to keep the setting as-is then it should stay as it is. So far I have seen no compelling reason why it should be changed.
duby2291 (Guru; joined 17 Oct 2004; 583 posts)
Posted: Tue Feb 28, 2017 11:05 pm

If making it so that something like 90% of all exploits that can affect desktop Linux users are impossible is not compelling to you, then nothing will be.

All you are doing right now is nitpicking your opinions vs mine.
The Doctor (Moderator; joined 27 Jul 2010; 2678 posts)
Posted: Wed Mar 01, 2017 12:06 am

duby2291 wrote:
All you are doing right now is nitpicking your opinions vs mine.
The Cirrus aircraft company decided that in the interest of safety (and because their aircraft failed its spin testing) that they should include a full airframe parachute as standard equipment. They like to boast that it has been 100% effective when used correctly. What they don't say is that there have been numerous fatal accidents when the parachute has been deployed too low or too fast (this is normally how a loss of control due to ice ends) and the majority of saves would have had similar nonfatal outcomes without the parachute in the first place. To top it all off the parachute robs the aircraft of any meaningful payload and requires expensive annual maintenance. So is it worth it?

Many pilots will now refuse to fly an aircraft that doesn't have a parachute. Is their opinion based on reason? Or are they simply happy to have the illusion of safety?

You can spend all day arguing ASLR both ways, but it cannot be denied that it is much less than perfect and multiple solutions exist to cure the same problem. Same with Javascript and systemd. As Ant P. pointed out ASLR is fundamentally broken and can easily be exploited by any code that manages to run on your machine. So is it worth making ASLR a part of the profiles for the illusion of security? Or should we simply leave that up to the user?
_________________
First things first, but not necessarily in that order.

Apologies if I take a while to respond. I'm currently working on the dematerialization circuit for my blue box.
1clue (Advocate; joined 05 Feb 2006; 2569 posts)
Posted: Wed Mar 01, 2017 12:22 am

duby2291 wrote:
If making it so that something like 90% of all exploits that can affect desktop Linux users are impossible is not compelling to you, then nothing will be.

All you are doing right now is nitpicking your opinions vs mine.


There you go with that "impossible" word again. As long as you continue to use that word in this context, we will continue to have words. Are you willing to sign a legally binding contract stating that, with the ASLR fix in place, Linux exploits will be 10% of the number of exploits without it, and accept responsibility for full financial damages to back it up?

I've given a very plausible hole to your argument, and you cannot even theoretically prove that your position holds true. Ant P. has pointed out how the code is broken. You STILL insist that once ASLR is built into all Gentoo kernels, successful attacks on Linux will drop 90%? Will predatory animals cease to hunt and become vegetarian too? Will war cease to exist on the planet? Do you want to buy a bridge?
duby2291 (Guru; joined 17 Oct 2004; 583 posts)
Posted: Wed Mar 01, 2017 12:59 am

The Doctor wrote:
duby2291 wrote:
All you are doing right now is nitpicking your opinions vs mine.
The Cirrus aircraft company decided that in the interest of safety (and because their aircraft failed its spin testing) that they should include a full airframe parachute as standard equipment. They like to boast that it has been 100% effective when used correctly. What they don't say is that there have been numerous fatal accidents when the parachute has been deployed too low or too fast (this is normally how a loss of control due to ice ends) and the majority of saves would have had similar nonfatal outcomes without the parachute in the first place. To top it all off the parachute robs the aircraft of any meaningful payload and requires expensive annual maintenance. So is it worth it?

Many pilots will now refuse to fly an aircraft that doesn't have a parachute. Is their opinion based on reason? Or are they simply happy to have the illusion of safety?

You can spend all day arguing ASLR both ways, but it cannot be denied that it is much less than perfect and multiple solutions exist to cure the same problem. Same with Javascript and systemd. As Ant P. pointed out ASLR is fundamentally broken and can easily be exploited by any code that manages to run on your machine. So is it worth making ASLR a part of the profiles for the illusion of security? Or should we simply leave that up to the user?


I can flip that same argument the other way too, of course. Just because food poisoning exists doesn't mean that you shouldn't buy food. In other words, just because a door lock can be picked doesn't mean you shouldn't have door locks. What you are describing is the same thing.

The exploit described only exists in a scenario where nobody running uBlock or adplus or NoScript can even get affected by it. And in the meantime it resolves a large number of security flaws that desktop users are currently suffering from. You say that it's an illusion of security. But all you are doing right now is nothing more than painting a false illusion of insecurity.


Last edited by duby2291 on Wed Mar 01, 2017 1:05 am; edited 2 times in total
duby2291 (Guru; joined 17 Oct 2004; 583 posts)
Posted: Wed Mar 01, 2017 1:03 am

1clue wrote:
duby2291 wrote:
If making it so that something like 90% of all exploits that can affect desktop Linux users are impossible is not compelling to you, then nothing will be.

All you are doing right now is nitpicking your opinions vs mine.


There you go with that "impossible" word again. As long as you continue to use that word in this context, we will continue to have words. Are you willing to sign a legally binding contract stating that, with the ASLR fix in place, Linux exploits will be 10% of the number of exploits without it, and accept responsibility for full financial damages to back it up?

I've given a very plausible hole to your argument, and you cannot even theoretically prove that your position holds true. Ant P. has pointed out how the code is broken. You STILL insist that once ASLR is built into all Gentoo kernels, successful attacks on Linux will drop 90%? Will predatory animals cease to hunt and become vegetarian too? Will war cease to exist on the planet? Do you want to buy a bridge?


No you haven't; you latched on to an argument that anybody using uBlock or NoScript is simply not going to get affected by, and in the meantime it does resolve a huge number of exploits that desktop Linux users are dealing with right now.
1clue (Advocate; joined 05 Feb 2006; 2569 posts)
Posted: Wed Mar 01, 2017 1:15 am

duby2291 wrote:
1clue wrote:
duby2291 wrote:
If making it so that something like 90% of all exploits that can affect desktop Linux users are impossible is not compelling to you, then nothing will be.

All you are doing right now is nitpicking your opinions vs mine.


There you go with that "impossible" word again. As long as you continue to use that word in this context, we will continue to have words. Are you willing to sign a legally binding contract stating that, with the ASLR fix in place, Linux exploits will be 10% of the number of exploits without it, and accept responsibility for full financial damages to back it up?

I've given a very plausible hole to your argument, and you cannot even theoretically prove that your position holds true. Ant P. has pointed out how the code is broken. You STILL insist that once ASLR is built into all Gentoo kernels, successful attacks on Linux will drop 90%? Will predatory animals cease to hunt and become vegetarian too? Will war cease to exist on the planet? Do you want to buy a bridge?


No you haven't; you latched on to an argument that anybody using uBlock or NoScript is simply not going to get affected by, and in the meantime it does resolve a huge number of exploits that desktop Linux users are dealing with right now.


Except you have not established that JavaScript is the ONLY POSSIBLE language this exploit can be used with, which we all know is not true. Which means uBlock or NoScript are not a solution either. It does not solve the exploits; it will simply make the exploits less likely. The "known" exploit does not account for ASLR, but it's trivial to account for it even if it would take a while to do that. You can be certain that any number of black hat hackers have thought of it, and there are probably examples running in the wild.

Come on, the entire group of people who posted to this topic who are not duby2291 have called BS on your argument. Search "linux aslr faults" and you get all kinds of examples of how ASLR breaks. https://www.blackhat.com/docs/us-16/materials/us-16-Jang-Breaking-Kernel-Address-Space-Layout-Randomization-KASLR-With-Intel-TSX-wp.pdf was near the top of the list in my browser.
1clue (Advocate; joined 05 Feb 2006; 2569 posts)
Posted: Wed Mar 01, 2017 1:16 am

Actually that link I posted suggests that they can break kernel ASLR in under a second.
The Doctor (Moderator; joined 27 Jul 2010; 2678 posts)
Posted: Wed Mar 01, 2017 2:22 am

duby2291 wrote:
I can flip that same argument the other way too, of course. Just because food poisoning exists doesn't mean that you shouldn't buy food. In other words, just because a door lock can be picked doesn't mean you shouldn't have door locks. What you are describing is the same thing.
No it isn't. My example is an extra safety measure that is proven to be flawed not an unavoidable risk. ASLR is exactly the same. It is vulnerable, adds complexity, and isn't the only solution or even the best solution. You want it for increased security. That is fine, but given the vulnerability it really starts looking more like fake security to make you feel better than actual protection for your system.

But by all means, if that is what you want you are free to use it.

duby2291 wrote:
The exploit described only exists in a scenario where nobody running ublock or adplus or noscript can even get affected by it. And in the meantime it resolves a large number of security flaws that desktop users are currently suffering from. You say that it's an illusion of security. But all you are doing right now is nothing more than painting a false illusion of insecurity.
No it doesn't.

First, if running ublock, adplus or noscript was sufficient to stop unwanted code execution then there is no point to ASLR since it only serves to stop such executions. Second, the exploit is vulnerable to any such code execution. In other words, it doesn't do what it says on the label. Javascript was simply the language used to demonstrate it. Granted, not running javascript on untrusted sites and blocking ads is a good security measure but it isn't absolute. There are plenty of exploits that allow arbitrary code execution without using javascript. Most of these get patched quickly but they are a thing.

The vulnerabilities in the desktop have a large number of possible preventive measures, such as hardened sources. However, as has been pointed out ASLR can be broken very easily so it isn't doing its job. If that isn't an illusion of security I don't know what is.

EDIT: In case my point wasn't clear, your vulnerability with ublock, adplus, noscript, etc. is no different with ASLR or without it. The reason is simple. The former stops code from being installed while ASLR stops it from running (in theory.) Since it has already been shown circumventing ASLR is easy once you install your code I don't see any benefit.

Particularly if "everyone is doing it." In that case not running it might be more secure since the burglar spends all his time trying to pick a lock that doesn't exist!
_________________
First things first, but not necessarily in that order.

Apologies if I take a while to respond. I'm currently working on the dematerialization circuit for my blue box.
Hu
Moderator

Joined: 06 Mar 2007
Posts: 21490

PostPosted: Wed Mar 01, 2017 3:08 am    Post subject:

The intended use for ASLR is to make it difficult to turn control of the instruction pointer into arbitrary code execution. If the attacker is already running attacker-chosen code, even code in a sandbox, then you are dealing with a security threat that ASLR is not well suited to counter. It might not be worthless, but it is not the proper defense at that stage.
1clue
Advocate

Joined: 05 Feb 2006
Posts: 2569

PostPosted: Wed Mar 01, 2017 3:44 am    Post subject:

I haven't finished reading the link I posted above, but it is very informative. Not all ASLR implementations are equal, and the Linux one is clearly not the best. Part of that seems to be the quality of the random number generator but not all of it.

In reading this document I'm beginning to think that ASLR as it's implemented in Linux is a placebo.
khayyam
Watchman

Joined: 07 Jun 2012
Posts: 6227
Location: Room 101

PostPosted: Wed Mar 01, 2017 5:47 am    Post subject:

1clue wrote:
In reading this document I'm beginning to think that ASLR as it's implemented in Linux is a placebo.

1clue ... this piece by Brad Spengler (of grsecurity fame) is also similarly damning (and covers some history): KASLR: An Exercise in Cargo Cult Security

Of relevance to this particular discussion:

Brad Spengler wrote:
[...] ASLR was always meant to be a temporary measure and its survival for this long speaks much less to its usefulness than our inability to get our collective acts together and develop/deploy actual defenses against the remaining exploit techniques.

best ... khay
duby2291
Guru

Joined: 17 Oct 2004
Posts: 583

PostPosted: Wed Mar 01, 2017 8:54 am    Post subject:

Thanks everyone for posting here. I have read the links provided and I do want to legitimately consider the implications. 1clue I never intended to be a pain for you, I just don't agree with you, I don't think I ever will either. But that's OK, different strokes for different folks.

While I definitely do agree that the Linux implementation of ASLR isn't as strong as it could be, it most definitely is better with it than without it. No doubt about that at all in my mind. I honestly think Gentoo is effectively screwing its userbase by not making this a default configuration across the board. And frankly I don't want to let you guys screw me, so I will be spending the next while learning how to set up a hardened Gentoo build. I tried and failed in the past, but this thread has given me more incentive to do it.

Anyways what has been made perfectly clear to me is that my stance on this matter is a minority and I'll just have to do it for myself. Thanks everyone for your patience and good luck.
khayyam
Watchman

Joined: 07 Jun 2012
Posts: 6227
Location: Room 101

PostPosted: Wed Mar 01, 2017 9:42 am    Post subject:

duby2291 wrote:
While I definitely do agree that the Linux implementation of ASLR isn't as strong as it could be it most definitely is better with it than without it. No doubt about that at all in my mind.

duby2291 ... I think this is the crux of what others are arguing against, to quote from the above linked post by Brad Spengler:

Brad Spengler wrote:
KASLR is more of a marketing tool (much like the focus of the rest of the industry) than a serious addition to defense. Many other strategies exist to deal with the problem KASLR claims to deal with. To use some wording from the PaX Team, the line of reasoning is: we need to do something. KASLR is something. Let's do KASLR. "Make attacks harder" is not a valid description of a defense. Nor is "it's better than nothing" an acceptable excuse in the realm of security. If it is, then we need to give up the facade and admit that these kinds of fundamentally broken pseudo-mitigations are nothing more than obfuscation, designed to give the public presence of security while ensuring the various exploit dealers can still turn a profit off the many weaknesses.

You might not have elicited the reaction you did had you not worked from that premise.

best ... khay
1clue
Advocate

Joined: 05 Feb 2006
Posts: 2569

PostPosted: Wed Mar 01, 2017 4:26 pm    Post subject:

Things I learned from this thread and the links posted in it:


  1. Not all ASLR implementations are equal
  2. Linux KASLR is mediocre at best.
  3. Its mediocrity opens it to easy compromise in amazingly short times.
  4. If you are heart-set on ASLR then DO NOT use a 32-bit Linux. The 64-bit figures are much better than 32-bit.
  5. From this point forward all serious hardware I buy will have a high quality random number generator. This is one of the key points on ASLR entropy (which I no longer care so much about) and is critical for encryption too.


Before I saw this thread I thought that ASLR was somewhat worthwhile -- enough so to install it. After reading the links posted here, I've come to regard it as a Pandora's box of sorts. What little gains it gets are quite possibly offset by problems it introduces (my speculation!). The jury is still out as to whether it's worth it to put in or worth it to take it out of an existing system.

@duby2291, no hard feelings, I just can't stand people using absolutes in a security context, other than "this will fail every time." The best one can hope for is a moderate sense of having done the best you can. An IT security person can address all known threats but must always remember that there ARE unknown vulnerabilities to every operating system.
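Items 4 and 5 in the list above both come down to entropy: how many of the address bits an attacker would have to guess actually change from one run to the next. The script below is an added example, not code from this thread or from the papers linked in it. It reads the `[stack]` line from repeated `/proc/<pid>/maps` dumps and counts the bit positions that ever differ, which is an upper bound on the randomisation a layout provides. The sample map lines are constructed to illustrate the arithmetic (they are not measurements of any real kernel), and the live-sampling helper assumes a Linux host with `/proc` mounted; whether those bits vary at all is governed by the `kernel.randomize_va_space` sysctl.

```python
"""Estimate how many address bits ASLR actually randomises.

Added example for this thread; not code from the Gentoo forums or from the
papers linked above. It compares the "[stack]" mapping start across repeated
runs of the same program: every bit that ever differs between runs is a bit
an attacker would have to guess. The sample map lines are CONSTRUCTED to
illustrate the calculation, not captured from a real machine.
"""
import re
import subprocess
import sys

# CONSTRUCTED /proc/<pid>/maps "[stack]" lines, one per run (64-bit layout).
SAMPLES_64BIT = [
    "7ffd3a1f0000-7ffd3a211000 rw-p 00000000 00:00 0          [stack]",
    "7ffec5e0f000-7ffec5e30000 rw-p 00000000 00:00 0          [stack]",
    "7ffc91e83000-7ffc91ea4000 rw-p 00000000 00:00 0          [stack]",
    "7fff5d007000-7fff5d028000 rw-p 00000000 00:00 0          [stack]",
    "7ffd00af4000-7ffd00b15000 rw-p 00000000 00:00 0          [stack]",
    "7ffeb73c9000-7ffeb73ea000 rw-p 00000000 00:00 0          [stack]",
]

# CONSTRUCTED 32-bit samples: the same idea with far fewer bits free to vary.
SAMPLES_32BIT = [
    "bfa3c000-bfa5d000 rw-p 00000000 00:00 0          [stack]",
    "bf7e1000-bf802000 rw-p 00000000 00:00 0          [stack]",
    "bfd04000-bfd25000 rw-p 00000000 00:00 0          [stack]",
    "bf2bf000-bf2e0000 rw-p 00000000 00:00 0          [stack]",
    "bfe97000-bfeb8000 rw-p 00000000 00:00 0          [stack]",
    "bf56a000-bf58b000 rw-p 00000000 00:00 0          [stack]",
]

# Matches one maps line that ends in the "[stack]" pseudo-path.
_MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+\S+.*\[stack\]\s*$", re.M)


def stack_base(maps_text: str) -> int:
    """Return the start address of the [stack] mapping in a maps dump."""
    m = _MAPS_LINE.search(maps_text)
    if m is None:
        raise ValueError("no [stack] mapping found")
    return int(m.group(1), 16)


def randomised_bits(addresses) -> int:
    """Number of bit positions that differ between at least two samples.

    Bits that never change (the page offset, the fixed high bits) cost an
    attacker nothing to guess; only the varying ones count, and even this is
    an upper bound because a bit can vary without being uniformly random.
    """
    first = addresses[0]
    mask = 0
    for a in addresses[1:]:
        mask |= a ^ first
    return bin(mask).count("1")


def summarise(maps_lines) -> dict:
    """Sample count, varying-bit count and the brute-force space 2**bits."""
    bases = [stack_base(line) for line in maps_lines]
    bits = randomised_bits(bases)
    return {"samples": len(bases), "bits": bits, "guesses": 2 ** bits}


def sample_live(runs: int = 16) -> list:
    """Collect real maps dumps by running this interpreter repeatedly (Linux only)."""
    cmd = [sys.executable, "-c", "print(open('/proc/self/maps').read())"]
    return [subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
            for _ in range(runs)]


if __name__ == "__main__":
    for label, lines in (("constructed 64-bit", SAMPLES_64BIT),
                         ("constructed 32-bit", SAMPLES_32BIT)):
        print(label, summarise(lines))
    try:
        print("this machine", summarise(sample_live()))
    except (OSError, subprocess.CalledProcessError, ValueError):
        print("live sampling needs Linux with /proc mounted")
```

On the constructed data the 64-bit layout varies in 22 bit positions and the 32-bit one in 12, so the guess space differs by a factor of 1024; with ASLR disabled every run reports the same base and the count drops to zero. More samples tighten the estimate, since a bit that has not yet been seen to flip is counted as fixed.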