oss-sec mailing list archives
Re: How GNU/Linux distros deal with offset2lib attack?
From: lazytyped <lazytyped () gmail com>
Date: Sat, 06 Dec 2014 10:47:55 +0100
On 06/12/2014 08:22, Shawn wrote:
> Hi guys,
>
> As you know Hector Marco disclosed a new attack targeting the GNU/Linux
> mitigation defensive technology earlier this week:
>
> http://www.openwall.com/lists/oss-security/2014/12/04/19
> http://cybersecurity.upv.es/attacks/offset2lib/offset2lib.html
>
> [...]
>
> It seems ASLRv3 is the best option we have? Or anything else?
I think there is quite a bit of sweating on very little.

This attack assumes that the attacker is capable of guessing the load address of the PIE binary. It basically already bypassed ASLR. It then "notices" that the PIE .text segment is loaded at a fixed offset from the shared libraries (BTW: shared libraries are loaded at fixed offsets among each other) and mounts a ROP attack using the shared library gadgets.

This "fixed offset" is IMHO very unlikely to be a security issue, since in the vast majority of real life cases, the PIE .text itself will already contain enough gadgets to mount the attack. In other words, one may decide to separate the PIE .text from the rest of the libraries' .text, but I don't really see much of a security win there.

TL;DR: ASLR is a mitigation, if you have a chance to brute-force or infoleak -one- address from it, the mitigation is gone. Separating the PIE .text or even libraries' .text between each other won't buy you much.

- Enrico
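Added check, not part of the thread: a small Python script that parses /proc/<pid>/maps and reports the signed distance from the executable's base to libc's base. Run it a few times on a machine: if the number never changes while both bases move, the PIE and the shared libraries are being randomised as one unit, which is the layout Enrico describes above. The sample maps text is constructed (not a real capture) and /tmp/pie is a placeholder path.

```python
import os
import re
import sys

# Fields of a /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+\S+\s+\S+\s+\S+\s+\d+\s*(.*?)\s*$")


def parse_bases(maps_text):
    """Return {path: lowest start address} for each file-backed mapping."""
    bases = {}
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if not m or not m.group(3) or m.group(3).startswith("["):
            continue  # anonymous mappings, [stack], [vdso], ...
        start, path = int(m.group(1), 16), m.group(3)
        bases[path] = min(start, bases.get(path, start))
    return bases


def exe_to_libc_offset(maps_text, exe_path):
    """Signed distance from the executable's base to libc's base, or None."""
    bases = parse_bases(maps_text)
    libc = [p for p in bases if re.search(r"/libc[.-]", p)]
    if exe_path not in bases or not libc:
        return None
    return bases[libc[0]] - bases[exe_path]


# Constructed samples (not real captures). RUN_A and RUN_B imitate two runs
# of the layout the thread discusses: both bases move, but move together.
RUN_A = """\
7f1b2c000000-7f1b2c1c0000 r-xp 00000000 08:01 5678 /lib/x86_64-linux-gnu/libc-2.19.so
7f1b2c1c0000-7f1b2c3c0000 ---p 001c0000 08:01 5678 /lib/x86_64-linux-gnu/libc-2.19.so
7f1b2d000000-7f1b2d001000 r-xp 00000000 08:01 1234 /tmp/pie
7ffd12345000-7ffd12366000 rw-p 00000000 00:00 0 [stack]
"""
RUN_B = """\
7f9a3d000000-7f9a3d1c0000 r-xp 00000000 08:01 5678 /lib/x86_64-linux-gnu/libc-2.19.so
7f9a3e000000-7f9a3e001000 r-xp 00000000 08:01 1234 /tmp/pie
"""
# RUN_C imitates a layout where the executable base is randomised on its own.
RUN_C = """\
5565cc3a1000-5565cc3a2000 r-xp 00000000 08:01 1234 /tmp/pie
7f1b2c000000-7f1b2c1c0000 r-xp 00000000 08:01 5678 /lib/x86_64-linux-gnu/libc-2.19.so
"""

if __name__ == "__main__":
    # Live check: a constant value across several runs means PIE and libc
    # are randomised as one unit; a changing value means independent bases.
    with open("/proc/self/maps") as f:
        print(hex(exe_to_libc_offset(f.read(), os.path.realpath(sys.executable))))
```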