oss-sec mailing list archives
Re: Address Sanitizer local root
From: Daniel Micay <danielmicay () gmail com>
Date: Wed, 17 Feb 2016 19:37:57 -0500
The use-after-free and double-free detection is based on the same quarantine technique in Valgrind. It can only detect the issues before allocations are flushed out of the quarantine by memory pressure. It does mitigate many vulnerabilities but comparable double-free detection could be done in malloc without the drawbacks (two flat arrays providing a ring buffer for a FIFO quarantine + a hash table). The same thing applies to write-after-free but not use-after-free, since that would require instrumentation in the code. A write-after-free can be detected by filling allocations with junk and then checking for it when it's flushed from the quarantine rather than instrumentation. It doesn't need to do the whole allocation to be useful, so there's a large range of tuning for performance. The junk data could come from a stream cipher seeded from the address if desired, but it doesn't seem important.
There's an initial implementation of this in CopperheadOS if anyone is curious about it. FIFO quarantine: https://github.com/CopperheadOS/platform_bionic/commit/bf8248f5644bc5f1fef36e8d9fd011334d08b994 Double-free detection via an open-addressed hash table: https://github.com/CopperheadOS/platform_bionic/commit/aa2038b668ace4546207e674850abbb3d6e1f392 Junk validation (upstreamed): https://github.com/robertbachmann/openbsd-libc/commit/00d2b970cb5791312ff38817feb1f8e015cca564 Remaining portion of the junk validation feature: https://github.com/CopperheadOS/platform_bionic/commit/49fb2a0464a3e93fcf138802b1691dcccc4816f7 It would mix well with a dynamic bounds checking implementation like Intel MPX since it covers the lifetime issues fairly well. There would need to be the ability to extend the default quarantine size to make it more useful but that's simple enough. There's also the standard OpenBSD randomized quarantine, which it doesn't interfere with. Detecting read- after-free beyond cases where a pointer to protected data (from the junk filling) will guarantee a crash really needs some form of hardware acceleration too. I think the cost of having huge memory usage via enormous deterministic mappings is too high.
Attachment:
signature.asc
Description: This is a digitally signed message part
Current thread:
- Address Sanitizer local root Szabolcs Nagy (Feb 17)
- Re: Address Sanitizer local root Daniel Micay (Feb 17)
- Re: Address Sanitizer local root Daniel Micay (Feb 17)
- Re: Address Sanitizer local root Konstantin Serebryany (Feb 17)
- Re: Address Sanitizer local root Daniel Micay (Feb 17)
- Re: Address Sanitizer local root Rich Felker (Feb 19)
- Re: Address Sanitizer local root Daniel Micay (Feb 19)
- Re: Address Sanitizer local root Daniel Micay (Feb 17)
- Re: Address Sanitizer local root Daniel Micay (Feb 17)
- Re: Address Sanitizer local root Hanno Böck (Feb 18)
- Re: Address Sanitizer local root Balint Reczey (Feb 18)
- Re: Address Sanitizer local root Daniel Micay (Feb 18)
- Re: Address Sanitizer local root Gynvael Coldwind (Feb 18)
- Re: Address Sanitizer local root Robert Święcki (Feb 18)
- <Possible follow-ups>
- Re: Address Sanitizer local root Darren Martyn (Feb 18)