oss-sec mailing list archives
Re: Offset2lib: bypassing full ASLR on 64bit Linux
From: Daniel Micay <danielmicay () gmail com>
Date: Wed, 10 Dec 2014 13:27:24 -0500
On 10/12/14 11:11 AM, Steve Grubb wrote:
> On Tuesday, December 09, 2014 03:24:39 PM Daniel Micay wrote:
>>> I studied this area 2 years ago for a gray hat talk and in preparation to help set the policy going forward for Fedora and RHEL. The general reason I've heard mentioned about why it's not used as fully as possible is that it adds memory pages that can't be coalesced or consolidated because they are not the same.
>>
>> AFAIK, it doesn't cause a significant increase in memory usage. The whole point of position independent code is that it can be reused across processes. Dynamic libraries are already fully position independent.
>
> This was the issue as I remember it: when you use PIE, it introduces a writable memory segment for the indirection that is filled in lazily. Because this is writeable it is per process. It is also per DSO. With desktop apps linking against 60 or so libraries and an average of 150 apps running at any time, the memory used starts to really add up. Server workloads tend to have apps with fewer libraries linked in but many more processes active. Of course today systems are starting to ship with 16GB standard, but now we add virtualization workloads and you have dozens more of the above. I think this institutional memory of the old days kind of hinders any movement. We had an internal debate of this on bz 786915 (which is not 100% open). The start-up performance was never really a factor in the discussions. It was purely about "wasted" memory.
The GOT/PLT is still there without PIE. You can blame features like LD_PRELOAD for this, not ASLR. Every library is already paying the costs of PIE and more (-fpie / -fPIE is a subset of -fpic / -fPIC).

http://www.macieira.org/blog/2012/01/sorry-state-of-dynamic-libraries-on-linux/

Before the recent GCC / binutils improvements, PIE would result in GOT usage for every global just like PIC. The changes eliminate the need for that, so past measurements (which usually indicate a 0-3% perf hit) won't be valid anymore.
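As an added example (not from the thread), a small inspector that reports whether a binary is ET_DYN (PIE, for an executable) and the sizes of the writable indirection sections (.got, .got.plt, .data.rel.ro) that the dynamic linker fills per process, which is the cost being argued over above; running it on a non-PIE executable shows that .got.plt is present there too. It assumes ELF64 little-endian images, and build_sample() fabricates a minimal ELF as constructed input for self-testing.

```python
import struct
import sys

ELF_HDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, little-endian
SEC_HDR = struct.Struct("<IIQQQQIIQQ")         # Elf64_Shdr
ET_EXEC, ET_DYN = 2, 3
# Writable sections the dynamic linker fills per process (lazily for .got.plt).
RELOC_SECTIONS = (".got", ".got.plt", ".data.rel.ro")

def inspect_elf(data):
    """Return (is_et_dyn, {section_name: size}) for an ELF64 LE image.
    ET_DYN means PIE for an executable (shared objects are ET_DYN as well)."""
    h = ELF_HDR.unpack_from(data, 0)
    if h[0][:4] != b"\x7fELF" or h[0][4] != 2 or h[0][5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_type, e_shoff, e_shnum, e_shstrndx = h[1], h[6], h[12], h[13]
    secs = [SEC_HDR.unpack_from(data, e_shoff + i * SEC_HDR.size)
            for i in range(e_shnum)]
    strtab = secs[e_shstrndx][4]          # sh_offset of .shstrtab
    sizes = {}
    for sh in secs:
        start = strtab + sh[0]            # sh_name is an offset into .shstrtab
        name = data[start:data.index(b"\0", start)].decode()
        if name in RELOC_SECTIONS:
            sizes[name] = sh[5]           # sh_size in bytes
    return e_type == ET_DYN, sizes

def build_sample(e_type, sizes):
    """Constructed minimal ELF64 image with only a section table (no code)."""
    names = [""] + list(sizes) + [".shstrtab"]
    name_off, shstr = {}, b""
    for n in names:                       # build .shstrtab and remember offsets
        name_off[n] = len(shstr)
        shstr += n.encode() + b"\0"
    shdrs = [bytes(SEC_HDR.size)]         # index 0 is the SHN_UNDEF entry
    for n, size in sizes.items():         # SHT_PROGBITS, flags WA (writable+alloc)
        shdrs.append(SEC_HDR.pack(name_off[n], 1, 3, 0, 0, size, 0, 0, 8, 0))
    shdrs.append(SEC_HDR.pack(name_off[".shstrtab"], 3, 0, 0,
                              ELF_HDR.size, len(shstr), 0, 0, 1, 0))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, LSB
    hdr = ELF_HDR.pack(ident, e_type, 62, 1, 0, 0, ELF_HDR.size + len(shstr),
                       0, ELF_HDR.size, 0, 0, SEC_HDR.size, len(shdrs), len(shdrs) - 1)
    return hdr + shstr + b"".join(shdrs)

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            pie, sizes = inspect_elf(f.read())
        print(path, "PIE" if pie else "non-PIE", sizes)
```

Sizes are section sizes; the per-process cost on a real system is the private (copy-on-write) pages those sections occupy, so round up to page granularity per DSO.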