Gentoo Archives: gentoo-amd64

From: Marco Matthies <marco-ml@×××.net>
To: gentoo-amd64@l.g.o
Subject: Re: [gentoo-amd64] Questions about No Execute and security
Date: Thu, 06 Oct 2005 19:32:33
Message-Id: 43457B8E.6020402@gmx.net
In Reply to: Re: [gentoo-amd64] Questions about No Execute and security by "Hemmann
Hemmann, Volker Armin wrote:
> to do this fancy jump-around stuff, you need to know exactly where which
> snippet resides in ram - one error and all your work is lost.
>
> So, and because on gentoo everything is compiled by yourself with a little bit
> different setting like the next gentoo user, it is a lot harder to guess the
> correct addresses. Not like the binary distributions, where one is laid out
> like the other.

Well, let's find out. On my home system, I did this:

strace gzip > /dev/null
hit ctrl-c
find the mmap that maps /lib/libc.so.6 by:
- find the open call that opens libc, note that the open call returns
the file descriptor
- find the next mmap that acts on that fd (second to last argument
to mmap)
- mmap returns the address it mmapped to

Short excerpt:
$ strace gzip > /dev/null
[...snip...]
open("/lib/libc.so.6", O_RDONLY) = 3
[... reads, lseeks and fstats snipped ...]
mmap(NULL, 2248680, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2aaaaabc1000
[...snip...]

I got 0x2aaaaabc1000 on my machine, I would be interested to know what
your machine did. But judging from the fact that the people from
hardened added address space layout randomization, I'd guess we're going
to get the same address or something that varies but not very randomly
(low entropy). Make sure that you test with gzip though, other apps will
have slightly different addresses as they seem to load libs in a
different order -- this won't help though, as an exploit will be
targeted at a specific app.

But I'm still interested if we all get the same addresses or slightly
different.

Marco
--
gentoo-amd64@g.o mailing list
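A script that automates the check described in the post, added here as an example and not part of the original message: it pulls the libc mapping base out of strace output the way the post does (fd returned by the open of libc.so.6, then the first mmap on that fd) and counts how many distinct bases a program gets over repeated runs, where a single value means the address is not randomized. The live probe assumes strace is installed; the embedded trace is constructed, modelled on the excerpt above, so the parser can be exercised offline.

```shell
#!/bin/sh
# Extract the libc mapping base from strace output read on stdin: remember the fd
# returned by open()/openat() of libc.so.6, then print the address returned by the
# first mmap() on that fd. Expects strace's default one-syscall-per-line output.
libc_mmap_addr() {
    awk '
        /^open(at)?\(.*libc\.so\.6"/ && $NF ~ /^[0-9]+$/ { fd = $NF; next }
        fd != "" && /^mmap\(/ {
            split($0, a, ", ")                 # a[5] is the fd argument of mmap
            if (a[5] == fd && $NF ~ /^0x/) { print $NF; exit }
        }
    '
}

# Number of distinct addresses on stdin: 1 means every run mapped libc at the
# same place (no randomization); a count near the run count means ASLR is active.
distinct_bases() { sort -u | wc -l | tr -d ' '; }

# Run a program N times under strace (needs strace; with stdin from /dev/null
# gzip exits on its own, so no ctrl-c is needed) and count the distinct bases.
probe_aslr() {
    runs=$1; shift
    trace=$(mktemp)
    i=0
    while [ "$i" -lt "$runs" ]; do
        strace -o "$trace" "$@" </dev/null >/dev/null 2>&1 || true
        libc_mmap_addr <"$trace"
        i=$((i + 1))
    done | distinct_bases
    rm -f "$trace"
}

# Constructed strace excerpt (modelled on the post's output) to check the parser offline.
sample_trace() {
    cat <<'EOF'
open("/etc/ld.so.cache", O_RDONLY)      = 3
mmap(NULL, 23456, PROT_READ, MAP_PRIVATE, 3, 0) = 0x2aaaaaac4000
close(3)                                = 0
open("/lib/libc.so.6", O_RDONLY)        = 3
fstat(3, {st_mode=S_IFREG|0755, st_size=1234567, ...}) = 0
mmap(NULL, 2248680, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2aaaaabc1000
close(3)                                = 0
EOF
}

# Usage: sh aslr_probe.sh 10 gzip   -> "distinct libc bases over 10 runs: N"
if [ $# -ge 2 ]; then
    echo "distinct libc bases over $1 runs: $(probe_aslr "$@")"
else
    echo "parsed base from constructed sample: $(sample_trace | libc_mmap_addr)"
fi
```

The same parser works on newer strace output, where the library is opened with openat() and the path is longer, since only the "libc.so.6" suffix and the fd are matched.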
