Dailydave mailing list archives
Re: ASLR+DEP = no problem. :>
From: Berend-Jan Wever <berendjanwever () gmail com>
Date: Fri, 5 Feb 2010 11:08:43 +0100
The way I see it DEP+ASLR tries to take the executability of controllable bytes (DEP) and the predictability of the locations of bytes (ASLR) away from an attacker. I have not seen the talk or any technical information about the attack under discussion, but I am guessing that this JIT attack generates a large number of functions with specific content, which cause the JIT compiler to generate a large number of executable bytes with predictable content. That means you break DEP by generating controllable bytes that are executable and ASLR because you can create so many copies that you can predict a location where one of them will be.

V8 <http://code.google.com/p/v8/> has some mitigations to prevent too much control over the bytes it generates; 32-bit hard-coded integers are split into two 16-bit values, to prevent an attacker from having control over too many sequential bytes. This is an attempt to prevent an attacker from generating a sequence of useful instructions. Though I do not doubt that it is still possible to generate code that does arbitrary things, it becomes a lot harder.

It is possible to take control and information away from the attacker even further by generating code in different ways each time where possible (http://lists.immunitysec.com/pipermail/dailydave/2007-July/004471.html), inserting random NOPs, cutting code into chunks that are connected by JMPs and reordering these chunks as well as inserting random (unused) chunks of bytes in between the normal code, etc., etc. There is of course a trade-off with speed and code size. You want to make your compiler random enough for an attacker to have less than a 1/256 chance of successfully executing arbitrary code. I'm guessing that making it random enough to not allow better chances of success than ASLR is prohibitively expensive in speed and size, especially now that speed is becoming more and more important for browsers. You can probably decrease the chance of success significantly below 1 though.

Cheers,
SkyLined
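The two mitigations described above, immediate splitting and random NOP insertion, as an added toy model (not code from the post or from V8): a tiny x86-32 emitter that tracks which emitted bytes are copied verbatim from a source constant, so the effect of each mitigation on the longest attacker-chosen byte run can be measured. The instruction encodings are standard x86; the emitter, masks and sample constant are constructed for this example.

```python
import random
import struct

# Toy x86-32 emitter, constructed for this example, modelling two mitigations
# from the post: splitting 32-bit immediates into 16-bit halves and inserting
# random NOPs. Each emitter returns a list of instruction units; a unit is the
# encoded bytes plus a mask marking bytes copied verbatim from the constant.

def emit_naive(value):
    """mov eax, imm32 (B8 id): all four immediate bytes come from the constant."""
    imm = struct.pack("<I", value & 0xFFFFFFFF)
    return [(b"\xb8" + imm, [False] + [True] * 4)]

def emit_split(value):
    """Load the constant in two 16-bit halves (V8-style splitting):
         mov eax, hi16   B8 id      (immediate field holds 0x0000hhhh)
         shl eax, 16     C1 E0 10
         or  eax, lo16   0D id      (immediate field holds 0x0000llll)
    Only the low two bytes of each imm32 field are constant-derived."""
    value &= 0xFFFFFFFF
    hi, lo = value >> 16, value & 0xFFFF
    half = [False, True, True, False, False]
    return [(b"\xb8" + struct.pack("<I", hi), half),
            (b"\xc1\xe0\x10", [False] * 3),
            (b"\x0d" + struct.pack("<I", lo), half)]

def assemble(units, rng=None, max_nops=0):
    """Concatenate units; with an rng, put 0..max_nops NOPs (90) before each
    unit so instruction offsets change from one compilation to the next."""
    code, mask = b"", []
    for unit_code, unit_mask in units:
        n = rng.randint(0, max_nops) if rng else 0
        code += b"\x90" * n + unit_code
        mask += [False] * n + unit_mask
    return code, mask

def assemble_randomized(units, seed, max_nops=3):
    """Same as assemble() with a seeded RNG (seed only makes the demo repeatable)."""
    return assemble(units, random.Random(seed), max_nops)

def longest_controlled_run(mask):
    """Longest run of consecutive bytes an attacker chose via the constant."""
    best = cur = 0
    for controlled in mask:
        cur = cur + 1 if controlled else 0
        best = max(best, cur)
    return best

if __name__ == "__main__":
    sample = 0x41424344  # constructed constant
    for name, emit in (("naive", emit_naive), ("split", emit_split)):
        code, mask = assemble(emit(sample))
        print(f"{name}: {code.hex()}  longest controlled run = {longest_controlled_run(mask)}")
```

Splitting cuts the longest constant-derived run from four bytes to two; NOP insertion leaves that run length unchanged but makes the offsets of the emitted instructions vary between compilations.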