Gentoo Forums
When will ASLR be made default on all profiles?
duby2291
Guru
Joined: 17 Oct 2004
Posts: 474
PostPosted: Mon Feb 27, 2017 3:57 pm    Post subject: When will ASLR be made default on all profiles?

It can -NOT- be a matter of if it happens, it -MUST- be a matter of when it happens. It must happen.

This is -the- solution to a number of very serious vulnerabilities that linux desktops are suffering from publicly right now in this time frame. Desktop users, not servers and workstations, but users of their own personal computer are at risk of a few serious exploits that ASLR will completely resolve. It's way past time to implement this functionality for everyone. It needs to happen asap.
_________________
MB: Biostar TForce 6100 AM2 @ 250x10
CPU: AMD Athlon 64 3800+ X2 @ 2500mhz
MEM: G. Skill DDR2-800 2GB @ DDR2-1000
GPU: nVidia GeForce 7600 GT
OS: Gentoo Linux 2006.1
ct85711
Veteran
Joined: 27 Sep 2005
Posts: 1140
PostPosted: Mon Feb 27, 2017 5:18 pm

What's stopping you from using it? You don't need to wait for it. Even outside that, you can always use grsecurity or SELinux if you are so worried about this threat.
R0b0t1
n00b
Joined: 05 Jun 2008
Posts: 70
PostPosted: Mon Feb 27, 2017 5:26 pm

Most people aren't technically savvy enough to enable it themselves. Mainstream distributions support ASLR by default; if it's not in the gentoo-sources configuration by default the developers are doing their users a disservice.

Decent benchmark: https://wiki.ubuntu.com/Security/Features. Also, the Windows kernel uses ASLR if I remember correctly.
duby2291
Guru
Joined: 17 Oct 2004
Posts: 474
PostPosted: Mon Feb 27, 2017 5:51 pm

R0b0t1 wrote:
Most people aren't technically savvy enough to enable it themselves. Mainstream distributions support ASLR by default; if it's not in the gentoo-sources configuration by default the developers are doing their users a disservice.

Decent benchmark: https://wiki.ubuntu.com/Security/Features. Also, the Windows kernel uses ASLR if I remember correctly.


I failed at it every time I've tried. It's because in order for ASLR to work it needs kernel configuration set correctly and compiler CFLAGS set correctly. Because it needs userspace configuration that affects all packages, it must be incorporated into the portage profiles. In today's modern world ASLR is not optional. It is an absolute requirement for -all- Linux installations.

EDIT: there is a dot (.) at the end of your link; clicking on it opens a "page does not exist yet" error page.
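The post above says ASLR only works when the kernel setting and the compiler flags (PIE binaries) are both right. As an added example, not code from this thread or from Gentoo, here is a POSIX shell script that checks those pieces on a Linux host: the kernel's randomize_va_space value, whether a given binary was linked as a position-independent (ET_DYN) executable, and whether two freshly started processes actually get different stack addresses. It assumes Linux with /proc mounted; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): an ASLR readiness check using only
# POSIX tools (od, printf, grep, cut) plus the Linux /proc filesystem.

# Translate /proc/sys/kernel/randomize_va_space into words.
describe_aslr() {
    case "$1" in
        0) echo "off" ;;
        1) echo "partial (stack, mmap, VDSO; no brk)" ;;
        2) echo "full" ;;
        *) echo "unknown" ;;
    esac
}

# Current kernel setting, or "unknown" outside Linux/procfs.
kernel_aslr() {
    if [ -r /proc/sys/kernel/randomize_va_space ]; then
        describe_aslr "$(cat /proc/sys/kernel/randomize_va_space)"
    else
        echo "unknown"
    fi
}

# Classify an ELF file by e_type read straight from its header:
#   DYN    relocatable (PIE or shared object): its text gets randomized
#   EXEC   fixed-address executable: its text is NOT randomized by ASLR
#   OTHER  relocatable object, core file, etc.
#   not-elf  no ELF magic (or unreadable)
elf_type_of() {
    f="$1"
    magic=$(od -An -tx1 -N4 "$f" 2>/dev/null | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || { echo "not-elf"; return 0; }
    # EI_DATA at offset 5: 1 = little-endian, 2 = big-endian
    data=$(od -An -tu1 -j5 -N1 "$f" | tr -d ' ')
    # e_type is the 16-bit field at offset 16; need both bytes
    set -- $(od -An -tu1 -j16 -N2 "$f")
    [ $# -eq 2 ] || { echo "OTHER"; return 0; }
    if [ "$data" = "2" ]; then
        etype=$(( $1 * 256 + $2 ))
    else
        etype=$(( $2 * 256 + $1 ))
    fi
    case "$etype" in
        2) echo "EXEC" ;;
        3) echo "DYN" ;;
        *) echo "OTHER" ;;
    esac
}

# Start address of the [stack] mapping of a freshly exec'd process.
# Each call runs a new cat, and /proc/self is cat's own map, so two
# calls give two independent samples of the randomized layout.
stack_base_sample() {
    cat /proc/self/maps 2>/dev/null | grep '\[stack\]' | cut -d- -f1
}

# "randomized" if two fresh processes got different stack bases,
# "fixed" if they are identical, "unknown" when /proc is unavailable.
observed_aslr() {
    a=$(stack_base_sample); b=$(stack_base_sample)
    if [ -z "$a" ] || [ -z "$b" ]; then echo "unknown"
    elif [ "$a" != "$b" ]; then echo "randomized"
    else echo "fixed"
    fi
}

# Report for this host and for a binary given as $1 (default: /bin/sh).
aslr_report() {
    bin="${1:-/bin/sh}"
    echo "kernel randomize_va_space  : $(kernel_aslr)"
    echo "ELF type of $bin : $(elf_type_of "$bin")"
    echo "stack base across two execs: $(observed_aslr)"
}

aslr_report "$@"
```

A binary reported as EXEC keeps its code at a fixed address no matter what the kernel setting says, which is why the compiler side (PIE) matters as much as the sysctl.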
depontius
Advocate
Joined: 05 May 2004
Posts: 3169
PostPosted: Mon Feb 27, 2017 6:25 pm

Maybe after they've figured out how to harden it against the new javascript exploit? Until then it appears to have become worth less, if not worthless.

https://arstechnica.com/security/2017/02/new-aslr-busting-javascript-is-about-to-make-drive-by-exploits-much-nastier/
_________________
.sigs waste space and bandwidth
duby2291
Guru
Joined: 17 Oct 2004
Posts: 474
PostPosted: Mon Feb 27, 2017 6:36 pm

depontius wrote:
Maybe after they've figured out how to harden it against the new javascript exploit? Until then it appears to have become worth less, if not worthless.

https://arstechnica.com/security/2017/02/new-aslr-busting-javascript-is-about-to-make-drive-by-exploits-much-nastier/


I do fully understand the pervasiveness of javascript, but the real solution there is to disable javascript. I already did that years ago. I don't miss it at all. Websites that want to use JS simply don't want -me- to visit. That's all. It does suck, there is plenty of web content that won't work, but as long as those same web sites choose to rely on -the- most exploitable software -ever- written I will continue to absolutely refuse.

In my opinion the very best way to eliminate exploits is to eliminate the exploitable item. You can't say that's a flaw in ASLR, only that javascript was exploited -again-.
Ant P.
Advocate
Joined: 18 Apr 2009
Posts: 4025
Location: UK
PostPosted: Mon Feb 27, 2017 11:16 pm

What's your threat model here? It's been demonstrated that ASLR is a wet paper bag so what do you think it's going to protect against in reality?
_________________
Quantity is not quality.
overlay | runit-scripts
depontius
Advocate
Joined: 05 May 2004
Posts: 3169
PostPosted: Tue Feb 28, 2017 2:53 am

duby2291 wrote:
depontius wrote:
Maybe after they've figured out how to harden it against the new javascript exploit? Until then it appears to have become worth less, if not worthless.

https://arstechnica.com/security/2017/02/new-aslr-busting-javascript-is-about-to-make-drive-by-exploits-much-nastier/


I do fully understand the pervasiveness of javascript, but the real solution there is to disable javascript. I already did that years ago. I don't miss it at all. Websites that want to use JS simply don't want -me- to visit. That's all. It does suck, there is plenty of web content that won't work, but as long as those same web sites choose to rely on -the- most exploitable software -ever- written I will continue to absolutely refuse.

In my opinion the very best way to eliminate exploits is to eliminate the exploitable item. You can't say that's a flaw in ASLR, only that javascript was exploited -again-.


Javascript was the exploit language, not the exploit. What makes it so bad is that it can be done by javascript, and doesn't need to be C, asm, or anything like that. That makes it a potential drive-by on a malicious web site, which is certainly the worst threat, but by no means the only one.
duby2291
Guru
Joined: 17 Oct 2004
Posts: 474
PostPosted: Tue Feb 28, 2017 3:09 pm

Ant P. wrote:
What's your threat model here? It's been demonstrated that ASLR is a wet paper bag so what do you think it's going to protect against in reality?


You do know that ASLR is an acronym? It's a technique that randomizes memory locations. It effectively eliminates code injection attacks, buffer overflow attacks, certain types of privilege escalation attacks and more.

The only thing demonstrated is to never use JS, ever. That was something we all learned years ago anyway. If that's a problem then you need to personally bitch to the web sites you visit and insist they stop using the most malicious, insecure and buggy scripting language ever produced.
Last edited by duby2291 on Tue Feb 28, 2017 3:13 pm; edited 1 time in total
duby2291
Guru
Joined: 17 Oct 2004
Posts: 474
PostPosted: Tue Feb 28, 2017 3:12 pm

depontius wrote:
duby2291 wrote:
depontius wrote:
Maybe after they've figured out how to harden it against the new javascript exploit? Until then it appears to have become worth less, if not worthless.

https://arstechnica.com/security/2017/02/new-aslr-busting-javascript-is-about-to-make-drive-by-exploits-much-nastier/


I do fully understand the pervasiveness of javascript, but the real solution there is to disable javascript. I already did that years ago. I don't miss it at all. Websites that want to use JS simply don't want -me- to visit. That's all. It does suck, there is plenty of web content that won't work, but as long as those same web sites choose to rely on -the- most exploitable software -ever- written I will continue to absolutely refuse.

In my opinion the very best way to eliminate exploits is to eliminate the exploitable item. You can't say that's a flaw in ASLR, only that javascript was exploited -again-.


Javascript was the exploit language, not the exploit. What makes it so bad is that it can be done by javascript, and doesn't need to be C, asm, or anything like that. That makes it a potential drive-by on a malicious web site, which is certainly the worst threat, but by no means the only one.


The thing is it is an exploit. This particular exploit is due to the fact that CPU designers were unaware of this being a possible exploit and as such it didn't get addressed. A kernel patch could fix it permanently. The second option, which everyone should already have done, is don't use JS.

EDIT: What I'm saying is this: disable JS and you are immune to this exploit, and ASLR itself makes you immune to whole categories of other exploits. Far and away that would be more secure than the situation is right now. Do you guys realize that even Windows 10 is getting better security reviews than Linux right now? Giant corporations are fuzzing components of Linux all the time and finding flaws that ASLR makes impossible.

No software is perfect; just because JS sucks ass and is the most malicious software ever designed doesn't mean that we shouldn't worry about security flaws. In other words, just because security flaws exist doesn't mean that we shouldn't worry about them. In fact, because they exist we should worry about them even more. The JS exploit uses the CPU's MMU to figure out what memory addresses are, and kinda works around ASLR. Which is exactly the same difference as no ASLR -BUT- ONLY in cases where the JS exploit is implemented.
Last edited by duby2291 on Tue Feb 28, 2017 3:29 pm; edited 1 time in total
depontius
Advocate
Joined: 05 May 2004
Posts: 3169
PostPosted: Tue Feb 28, 2017 3:28 pm

duby2291 wrote:

EDIT: What I'm saying is this: disable JS and you are immune to this exploit, and ASLR itself makes you immune to whole categories of other exploits. Far and away that would be more secure than the situation is right now. Do you guys realize that even Windows 10 is getting better security reviews than Linux right now? Giant corporations are fuzzing components of Linux all the time and finding flaws that ASLR makes impossible.

No software is perfect; just because JS sucks ass and is the most malicious software ever designed doesn't mean that we shouldn't worry about security flaws. In other words, just because security flaws exist doesn't mean that we shouldn't worry about them. In fact, because they exist we should worry about them even more.


Disable JS and you're immune to the drive-by nature of the exploit. But that's only because JS is the most common web language. The real problem is not JS, it's that ASLR doesn't really work any more. The "R" of it can be figured out by &programming_language. and JS just happens to make drive-bys possible. The "R" could also be figured out by C, asm, or probably just about any other Turing-complete language - including Java, though Java doesn't usually run as invisibly as JS.

ASLR is broken. It was a good idea that didn't end up working out. JS didn't break ASLR, it just made drive-by exploits easy.
duby2291
Guru
Joined: 17 Oct 2004
Posts: 474
PostPosted: Tue Feb 28, 2017 3:35 pm

depontius wrote:
duby2291 wrote:

EDIT: What I'm saying is this: disable JS and you are immune to this exploit, and ASLR itself makes you immune to whole categories of other exploits. Far and away that would be more secure than the situation is right now. Do you guys realize that even Windows 10 is getting better security reviews than Linux right now? Giant corporations are fuzzing components of Linux all the time and finding flaws that ASLR makes impossible.

No software is perfect; just because JS sucks ass and is the most malicious software ever designed doesn't mean that we shouldn't worry about security flaws. In other words, just because security flaws exist doesn't mean that we shouldn't worry about them. In fact, because they exist we should worry about them even more.


Disable JS and you're immune to the drive-by nature of the exploit. But that's only because JS is the most common web language. The real problem is not JS, it's that ASLR doesn't really work any more. The "R" of it can be figured out by &programming_language. and JS just happens to make drive-bys possible. The "R" could also be figured out by C, asm, or probably just about any other Turing-complete language - including Java, though Java doesn't usually run as invisibly as JS.

ASLR is broken. It was a good idea that didn't end up working out. JS didn't break ASLR, it just made drive-by exploits easy.


This is literally the most retarded shit I've heard the past few years. What you're saying is only true in cases where JS is enabled AND the exploit has been deployed. The exploit only works right now because CPU designers were unaware of it and haven't addressed it yet. It could in fact be easily fixed with a few lines of code added to the kernel's MM.

No software is perfect and totally ignoring the most effective security measure available today because of JS designed to be as malicious as possible is retarded.

EDIT: Let's imagine you ruled a country; what you are saying is -exactly- the same thing as if you told your people you wouldn't provide food because food-borne diseases exist, despite the fact that it's something that your people actually need.
R0b0t1
n00b
Joined: 05 Jun 2008
Posts: 70
PostPosted: Tue Feb 28, 2017 3:42 pm

If ASLR has been reduced to security through obscurity, I have two comments:
  • All exploit prevention that is not an access control mechanism is security through obscurity, and,
  • they still paint tanks camouflage colors.

Just because most door locks can be picked in a matter of minutes is no excuse to leave one off my door.
Ant P.
Advocate
Joined: 18 Apr 2009
Posts: 4025
Location: UK
PostPosted: Tue Feb 28, 2017 6:07 pm

duby2291 wrote:
Ant P. wrote:
What's your threat model here? It's been demonstrated that ASLR is a wet paper bag so what do you think it's going to protect against in reality?


You do know that ASLR is an acronym? It's a technique that randomizes memory locations. It effectively eliminates code injection attacks, buffer overflow attacks, certain types of privilege escalation attacks and more.

The only thing demonstrated is to never use JS, ever. That was something we all learned years ago anyway. If that's a problem then you need to personally bitch to the web sites you visit and insist they stop using the most malicious, insecure and buggy scripting language ever produced.

There's no exploit in JS here. ASLR is simply so worthless that someone managed to break it by running code in a sandboxed virtual machine a million layers of isolation and abstraction from the bare metal. They can do exactly the same in any other runtime on your system, which is where an attacker *will already be* when ASLR comes into play.

You completely ignored either question I asked - do you understand what a threat model is?
Last edited by Ant P. on Tue Feb 28, 2017 6:13 pm; edited 1 time in total
duby2291
Guru
Joined: 17 Oct 2004
Posts: 474
PostPosted: Tue Feb 28, 2017 6:12 pm

Ant P. wrote:
duby2291 wrote:
Ant P. wrote:
What's your threat model here? It's been demonstrated that ASLR is a wet paper bag so what do you think it's going to protect against in reality?


You do know that ASLR is an acronym? It's a technique that randomizes memory locations. It effectively eliminates code injection attacks, buffer overflow attacks, certain types of privilege escalation attacks and more.

The only thing demonstrated is to never use JS, ever. That was something we all learned years ago anyway. If that's a problem then you need to personally bitch to the web sites you visit and insist they stop using the most malicious, insecure and buggy scripting language ever produced.

There's no exploit in JS here. ASLR is simply so worthless that someone managed to break it by running code in a sandboxed virtual machine a million layers of isolation and abstraction from the bare metal. They can do exactly the same in any other runtime on your system.

You didn't even *try* to answer either question I asked - do you know what a threat model is?


It would take nothing more than a simple patch to the kernel's memory manager to fix, not to mention that CPU designers are already aware of the limitation of their MMU implementation. I have no doubt at all it will fundamentally get fixed. And in the meantime you use JS as an excuse to not secure our favorite distribution. It's retarded. If you think it can be duplicated in another language, then please demonstrate it. I'm absolutely positive that information would prove to be highly valuable in resolving this. In the meantime the -ONLY- language it -has- been demonstrated on is the most malicious scripting language ever devised. It shouldn't even be enabled in the first place. Disable JS and problem solved. ASLR completely eliminates whole classes of attacks.
Ant P.
Advocate
Joined: 18 Apr 2009
Posts: 4025
Location: UK
PostPosted: Tue Feb 28, 2017 6:22 pm

Quote:
ASLR completely eliminates whole classes of attacks

Name a single one then.
duby2291
Guru
Joined: 17 Oct 2004
Posts: 474
PostPosted: Tue Feb 28, 2017 6:40 pm

Ant P. wrote:
Quote:
ASLR completely eliminates whole classes of attacks

Name a single one then.


Really? You're asking this and in previous posts you argue for not enabling ASLR..... Just stumped.... I don't get your attitude at all.

It makes stack injections impossible so that you can't execute code at a memory address that you injected there. In combination with the NX bit it can also make buffer overflow attacks impossible, which itself eliminates many types of privilege escalations. It's that second case of preventing many common buffer overflow attacks that is the main thing for me. I mean really just look at how many malicious attacks take advantage of being able to overflow a buffer in order to get to an executable address. I'm taking an educated guess here and am willing to say that is the vast majority of attacks that are capable of harming a linux distribution.
1clue
Veteran
Joined: 05 Feb 2006
Posts: 1868
PostPosted: Tue Feb 28, 2017 6:47 pm

duby2291 wrote:
It would take nothing more than a simple patch to the kernel's memory manager to fix, not to mention that CPU designers are already aware of the limitation of their MMU implementation. I have no doubt at all it will fundamentally get fixed. And in the meantime you use JS as an excuse to not secure our favorite distribution. It's retarded. If you think it can be duplicated in another language, then please demonstrate it. I'm absolutely positive that information would prove to be highly valuable in resolving this. In the meantime the -ONLY- language it -has- been demonstrated on is the most malicious scripting language ever devised. It shouldn't even be enabled in the first place. Disable JS and problem solved. ASLR completely eliminates whole classes of attacks.


Only ASLR doesn't secure anything at all. JS is not the problem. Don't get me wrong, JS is about as insecure as it gets which makes it A problem, but it's not the root cause of this problem.
duby2291
Guru
Joined: 17 Oct 2004
Posts: 474
PostPosted: Tue Feb 28, 2017 7:00 pm

1clue wrote:
duby2291 wrote:
It would take nothing more than a simple patch to the kernel's memory manager to fix, not to mention that CPU designers are already aware of the limitation of their MMU implementation. I have no doubt at all it will fundamentally get fixed. And in the meantime you use JS as an excuse to not secure our favorite distribution. It's retarded. If you think it can be duplicated in another language, then please demonstrate it. I'm absolutely positive that information would prove to be highly valuable in resolving this. In the meantime the -ONLY- language it -has- been demonstrated on is the most malicious scripting language ever devised. It shouldn't even be enabled in the first place. Disable JS and problem solved. ASLR completely eliminates whole classes of attacks.


Only ASLR doesn't secure anything at all. JS is not the problem. Don't get me wrong, JS is about as insecure as it gets which makes it A problem, but it's not the root cause of this problem.


That's just not true; it literally does eliminate entire classes of attacks. The -only- language that exploit has been demonstrated on was JS, so disable JS and the problem is completely gone. Again, if you think it can be demonstrated in a different language then please do so, because it would be highly useful information. The problem here is directly related to a flaw in modern CPUs' MMUs; it happened because CPU designers were unaware of it. You can be assured they are aware of it now, not to mention that CPUs that already have an affected MMU can be patched via a fix in the kernel's memory manager.
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 37570
Location: 56N 3W
PostPosted: Tue Feb 28, 2017 7:05 pm

duby2291,

ASLR is security by obscurity. It makes attacks more difficult but it does not prevent them.

It's part of the defence against exploits because security is not about keeping a focused targeted attack out. The NSA will send the boys round to beat your secrets out of you; it's faster than exploiting your system. It's about deterring random attackers looking to add hosts to their botnet. It helps send the message that there are easier boxes to attack, so they will move on before they collect your host.

Security is like the layers of an onion and it's never absolute. There is no magic bullet.

Think of ASLR as like running sshd on an unusual port.
None of the above is a reason for not using ASLR. With security, every little helps.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
duby2291
Guru
Joined: 17 Oct 2004
Posts: 474
PostPosted: Tue Feb 28, 2017 7:15 pm

NeddySeagoon wrote:
duby2291,

ASLR is security by obscurity. It makes attacks more difficult but it does not prevent them.

It's part of the defence against exploits because security is not about keeping a focused targeted attack out. The NSA will send the boys round to beat your secrets out of you; it's faster than exploiting your system. It's about deterring random attackers looking to add hosts to their botnet. It helps send the message that there are easier boxes to attack, so they will move on before they collect your host.

Security is like the layers of an onion and it's never absolute. There is no magic bullet.

Think of ASLR as like running sshd on an unusual port.
None of the above is a reason for not using ASLR. With security, every little helps.


Yes it makes attacks more difficult because entire classes of exploits become impossible like stack injections, and in combination with the NX bit certain types of buffer overflows. But that covers something like 90% or more of what Linux is vulnerable to. That's highly significant.
1clue
Veteran
Joined: 05 Feb 2006
Posts: 1868
PostPosted: Tue Feb 28, 2017 7:46 pm

duby2291 wrote:
1clue wrote:
duby2291 wrote:
It would take nothing more than a simple patch to the kernel's memory manager to fix, not to mention that CPU designers are already aware of the limitation of their MMU implementation. I have no doubt at all it will fundamentally get fixed. And in the meantime you use JS as an excuse to not secure our favorite distribution. It's retarded. If you think it can be duplicated in another language, then please demonstrate it. I'm absolutely positive that information would prove to be highly valuable in resolving this. In the meantime the -ONLY- language it -has- been demonstrated on is the most malicious scripting language ever devised. It shouldn't even be enabled in the first place. Disable JS and problem solved. ASLR completely eliminates whole classes of attacks.


Only ASLR doesn't secure anything at all. JS is not the problem. Don't get me wrong, JS is about as insecure as it gets which makes it A problem, but it's not the root cause of this problem.


That's just not true; it literally does eliminate entire classes of attacks. The -only- language that exploit has been demonstrated on was JS, so disable JS and the problem is completely gone. Again, if you think it can be demonstrated in a different language then please do so, because it would be highly useful information. The problem here is directly related to a flaw in modern CPUs' MMUs; it happened because CPU designers were unaware of it. You can be assured they are aware of it now, not to mention that CPUs that already have an affected MMU can be patched via a fix in the kernel's memory manager.


Security by obscurity makes an attack less likely to be successful but it doesn't prevent the attack from being successful. Edit: What I mean by this is, if the JS can search memory for a fingerprint of the injected code then it can complete its exploit. An example of security by obscurity would be to open an ftp server on port 7198. It's unlikely that an attacker will scan for ftp on this port, but if they somehow find out about it (for example by scanning for ports up to 10,000) then the service is every bit as vulnerable as if it were on the standard port.

If the problem can be demonstrated in JS then it can be demonstrated in pretty much any other language Edit: because JS is supposedly isolated from the hardware to prevent exploits, where other languages are not. If it hasn't been demonstrated in another language then it's because nobody sees the point in doing so. Unfortunately there are few alternatives that work inside a web browser, and JS is part of the official html5 spec.
duby2291
Guru
Joined: 17 Oct 2004
Posts: 474
PostPosted: Tue Feb 28, 2017 8:02 pm

1clue wrote:
duby2291 wrote:
1clue wrote:
duby2291 wrote:
It would take nothing more than a simple patch to the kernel's memory manager to fix, not to mention that CPU designers are already aware of the limitation of their MMU implementation. I have no doubt at all it will fundamentally get fixed. And in the meantime you use JS as an excuse to not secure our favorite distribution. It's retarded. If you think it can be duplicated in another language, then please demonstrate it. I'm absolutely positive that information would prove to be highly valuable in resolving this. In the meantime the -ONLY- language it -has- been demonstrated on is the most malicious scripting language ever devised. It shouldn't even be enabled in the first place. Disable JS and problem solved. ASLR completely eliminates whole classes of attacks.


Only ASLR doesn't secure anything at all. JS is not the problem. Don't get me wrong, JS is about as insecure as it gets which makes it A problem, but it's not the root cause of this problem.


That's just not true; it literally does eliminate entire classes of attacks. The -only- language that exploit has been demonstrated on was JS, so disable JS and the problem is completely gone. Again, if you think it can be demonstrated in a different language then please do so, because it would be highly useful information. The problem here is directly related to a flaw in modern CPUs' MMUs; it happened because CPU designers were unaware of it. You can be assured they are aware of it now, not to mention that CPUs that already have an affected MMU can be patched via a fix in the kernel's memory manager.


Security by obscurity makes an attack less likely to be successful but it doesn't prevent the attack from being successful. An example of security by obscurity would be to open an ftp server on port 7198. It's unlikely that an attacker will scan for ftp on this port, but if they somehow find out about it (for example by scanning for ports up to 10,000) then the service is every bit as vulnerable as if it were on the standard port.

If the problem can be demonstrated in JS then it can be demonstrated in pretty much any other language. If it hasn't been demonstrated in another language then it's because nobody sees the point in doing so. Unfortunately there are few alternatives that work inside a web browser, and JS is part of the official html5 spec.


I do understand the terminology, and I also understand how pervasive JS is. But neither of those issues is even relevant to this, because if you disable JS, as should have been done years ago, then that problem won't even exist for you.

The fundamental flaw is in modern CPU's MMU and CPU designers are already aware of it. In addition the Current CPU's that are already affected can be patched easily. The bottom line fact is this, No matter how you word it ASLR improves security by many times over when compared to a non-ASLR configuration. Even in it's current state it is still a better option than nothing. In fact I'd say that in todays modern world it's absolutely required.
_________________
MB: Biostar TForce 6100 AM2 @ 250x10
CPU: AMD Athlon 64 3800+ X2 @ 2500mhz
MEM: G. Skill DDR2-800 2GB @ DDR2-1000
GPU: nVidia GeForce 7600 GT
OS: Gentoo Linux 2006.1
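Since the thread argues about whether ASLR is on, the following is an added example (not code from any poster or from Gentoo) of how an administrator can verify the mitigation on a Linux host: it reads the kernel's `randomize_va_space` sysctl (0 = off, 1 = conservative, 2 = full) and then starts a few short-lived processes and checks whether their `[stack]` mapping actually lands at different addresses. The sysctl path and `/proc/<pid>/maps` format are the real Linux interfaces; the sample maps text embedded in the script is constructed for offline use.

```python
"""
Verify that ASLR is configured and actually observed on a Linux host.
Added illustration for this thread; not part of any poster's text.
"""
import re
import subprocess
from pathlib import Path

# Real Linux sysctl controlling address-space randomization.
SYSCTL = Path("/proc/sys/kernel/randomize_va_space")

MEANINGS = {
    0: "disabled: no randomization",
    1: "conservative: stack, mmap base and VDSO randomized; brk is not",
    2: "full: stack, mmap base, VDSO and brk randomized",
}

# One line per mapping: start-end perms offset dev inode [pathname]
_MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) \S+ \S+ \S+ \S+\s*(.*)$")

# Constructed sample of /proc/<pid>/maps output, used for offline demonstration.
SAMPLE_MAPS = """5581f7c00000-5581f7c01000 r--p 00000000 08:01 1234 /usr/bin/cat
7ffd3a4e2000-7ffd3a503000 rw-p 00000000 00:00 0 [stack]
"""


def read_aslr_setting(path=SYSCTL):
    """Return the integer value of randomize_va_space, or None if unreadable."""
    try:
        return int(path.read_text().strip())
    except (OSError, ValueError):
        return None


def describe(value):
    """Human-readable meaning of a randomize_va_space value."""
    return MEANINGS.get(value, "unknown value")


def stack_base(maps_text):
    """Extract the start address of the [stack] mapping from maps text."""
    for line in maps_text.splitlines():
        m = _MAPS_RE.match(line)
        if m and m.group(3).strip() == "[stack]":
            return int(m.group(1), 16)
    return None


def observe_stack_bases(runs=5):
    """Spawn a fresh process `runs` times and collect each one's stack base.

    Each `cat /proc/self/maps` is a new process image, so with ASLR active
    the bases should differ between runs. Returns [] when /proc is unavailable.
    """
    bases = []
    for _ in range(runs):
        try:
            out = subprocess.run(["cat", "/proc/self/maps"], capture_output=True,
                                 text=True, check=True).stdout
        except (OSError, subprocess.CalledProcessError):
            return []
        base = stack_base(out)
        if base is not None:
            bases.append(base)
    return bases


def randomization_observed(bases):
    """True when at least two distinct stack bases were seen."""
    return len(set(bases)) > 1


if __name__ == "__main__":
    setting = read_aslr_setting()
    print(f"randomize_va_space = {setting} ({describe(setting)})")
    print(f"sample stack base: {stack_base(SAMPLE_MAPS):#x}")
    bases = observe_stack_bases()
    print("observed stack bases:", [f"{b:#x}" for b in bases])
    print("randomization observed:", randomization_observed(bases))
```

A setting of 2 with identical stack bases across runs would indicate that something else (a per-process personality flag, or a container runtime) is defeating the sysctl, which is exactly the kind of discrepancy an audit wants to catch.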
1clue
Veteran
Joined: 05 Feb 2006
Posts: 1868

Posted: Tue Feb 28, 2017 8:16 pm

duby2291 wrote:
I do understand the terminology, and I also understand how pervasive JS is. But neither of those issues is even relevant to this, because if you disable JS, as should have been done years ago, then that problem won't even exist for you.

The fundamental flaw is in modern CPUs' MMU and CPU designers are already aware of it. In addition, the current CPUs that are already affected can be patched easily. The bottom line fact is this: no matter how you word it, ASLR improves security by many times over when compared to a non-ASLR configuration. Even in its current state it is still a better option than nothing.


For some people disabling JS is not an option. In my case, my income is directly tied to using sites which use JS and which will not stop using JS until a better alternative becomes pervasive and is proved more secure than JS.

I can and have read the history on this post, and have been following the topic long before this thread started. And for that matter I have enabled ASLR. I'm simply stating that the "solutions" being presented are not bullet proof. When I have a public-facing server and have a service on that system for maintenance I put it behind a VPN, AND use multifactor authentication, AND obscure the port. Obscuring the port is unnecessary but statistically helpful. Obscuring the port means absolutely nothing during a security audit and generates hate from the IT staff which must account for it. If somebody gets past the VPN and multifactor authentication then they sure AF can figure out what port I'm using if they should choose to look.

Likewise ASLR in no way fixes the vulnerability. If code can inject and run without it, then slightly smarter code can inject and run with it. The end, game over. As you pointed out the flaw is in hardware and unlikely to be fixed soon. You can obscure to your heart's content but that does not provably solve any problems. You can stop using JS, but doing that would mean I need to find another line of work. Not gonna happen soon. I'm 100% positive many other Linux users share the same opinion.

Lots of people on this thread and in the global discussion on these topics (ASLR, JS) present their solutions as all-or-nothing, or assume that those solutions would work for everyone. That sentiment is pure horse droppings.
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 37570
Location: 56N 3W

Posted: Tue Feb 28, 2017 8:23 pm

duby2291,

duby2291 wrote:
Yes it makes attacks more difficult because entire classes of exploits become impossible


That's the same value of impossible as iron ships, heavier than air flying machines and more recently, blue LEDs.
More difficult != Impossible
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.