oss-sec mailing list archives

Re: Address Sanitizer local root

From: Daniel Micay <danielmicay () gmail com>
Date: Wed, 17 Feb 2016 19:37:57 -0500

The use-after-free and double-free detection is based on the same
quarantine technique in Valgrind. It can only detect the issues before
allocations are flushed out of the quarantine by memory pressure. It
does mitigate many vulnerabilities but comparable double-free
detection
could be done in malloc without the drawbacks (two flat arrays
providing
a ring buffer for a FIFO quarantine + a hash table). The same thing
applies to write-after-free but not use-after-free, since that would
require instrumentation in the code. A write-after-free can be
detected
by filling allocations with junk and then checking for it when it's
flushed from the quarantine rather than instrumentation. It doesn't
need
to do the whole allocation to be useful, so there's a large range of
tuning for performance. The junk data could come from a stream cipher
seeded from the address if desired, but it doesn't seem important.


There's an initial implementation of this in CopperheadOS if anyone is
curious about it.

FIFO quarantine:

https://github.com/CopperheadOS/platform_bionic/commit/bf8248f5644bc5f1fef36e8d9fd011334d08b994

Double-free detection via an open-addressed hash table:

https://github.com/CopperheadOS/platform_bionic/commit/aa2038b668ace4546207e674850abbb3d6e1f392

Junk validation (upstreamed):

https://github.com/robertbachmann/openbsd-libc/commit/00d2b970cb5791312ff38817feb1f8e015cca564

Remaining portion of the junk validation feature:

https://github.com/CopperheadOS/platform_bionic/commit/49fb2a0464a3e93fcf138802b1691dcccc4816f7

It would mix well with a dynamic bounds checking implementation like
Intel MPX since it covers the lifetime issues fairly well. There would
need to be the ability to extend the default quarantine size to make it
more useful but that's simple enough. There's also the standard OpenBSD
randomized quarantine, which it doesn't interfere with. Detecting read-
after-free beyond cases where a pointer to protected data (from the junk
filling) will guarantee  a crash really needs some form of hardware
acceleration too. I think the cost of having huge memory usage via
enormous deterministic mappings is too high.

Attachment: signature.asc
Description: This is a digitally signed message part

Current thread:

Address Sanitizer local root Szabolcs Nagy (Feb 17)
- Re: Address Sanitizer local root Daniel Micay (Feb 17)
  - Re: Address Sanitizer local root Daniel Micay (Feb 17)
- Re: Address Sanitizer local root Konstantin Serebryany (Feb 17)
  - Re: Address Sanitizer local root Daniel Micay (Feb 17)
    - Re: Address Sanitizer local root Rich Felker (Feb 19)
    - Re: Address Sanitizer local root Daniel Micay (Feb 19)
- Re: Address Sanitizer local root Hanno Böck (Feb 18)
  - Re: Address Sanitizer local root Balint Reczey (Feb 18)
  - Re: Address Sanitizer local root Daniel Micay (Feb 18)
- Re: Address Sanitizer local root Gynvael Coldwind (Feb 18)
  - Re: Address Sanitizer local root Robert Święcki (Feb 18)
- <Possible follow-ups>
- Re: Address Sanitizer local root Darren Martyn (Feb 18)

(Thread continues...)