> The only way to guarantee catching early allocator use is to switch
> the system's allocator (ie, libc itself) to the new one. Otherwise,
> the application will end up with two allocator implementations being
> used: the application's custom one and the system's, included and used
> within libc (and other system libraries, of course.)
So I don't know a ton about how this stuff works, but Firefox does
redirect allocations made by system libraries to the mozjemalloc
allocator. I know because I've been fighting with it recently, because
it wasn't always doing it for MinGW and it would mismatch the alloc/free.
This is https://bugzilla.mozilla.org/show_bug.cgi?id=1547519 and
dependencies.
> > Fingerprinting: It is most likely possible to be creative enough to
> > fingerprint what memory allocator is used. If we were to choose from
> > different allocators at runtime, I don't think that fingerprinting is
> > the worst thing open to us - it seems likely that any attacker who
> > does such an attack could also fingerprint your CPU speed, RAM, and
> > your ASLR base addresses, which depending on OS might not change until
> > reboot.
> My post was more along the lines of: what system-level components, if
> replaced, have a potentially visible effect on current (or future)
> fingerprinting techniques?
I imagine that we have not seen the limit of creativity when it comes
to fingerprinting hardware characteristics of the user's machine.
These would include graphics card performance, CPU performance, cache
sizes (CPU and RAM), FPU operation (?), perhaps even disk speed.
Allocator, sure too.
> And: If, or how, does breaking monocultures affect fingerprinting?
> Breaking monocultures is typically done to help secure an environment
> through diversity, causing an attacker to have to spend more resources
> in quest for success.
> > The only reason I can think of to choose between allocators at runtime
> > is to introduce randomness into the allocation strategy. An attacker
> > relying on a blind overwrite may not be able to position their
> > overwrite reliably AND it has to cause the process to crash, otherwise
> > they can just try again.
> >
> > Allocators can introduce randomness themselves, you don't need to
> > choose between allocators to do that.
> I'm assuming you're talking about randomness of the address space?
No, randomization of the allocations.
Imagine a simplistic example of grabbing 1MB of memory, and requesting
3 allocations of 100KB each.
In a deterministic allocator you'll always have the allocations at
<base>, <base+100Kb>, <base+200Kb>
In a randomized allocator the allocations could be at <base>,
<base+100Kb+r1>, <base+200Kb+r1+r2>
This removes determinism for the attacker in laying out the heap
exactly how they want it.
As I mention below, this randomness is easily bypassed in the content
process (where the attacker has a JIT engine to work with) and may
provide some security on the other side of an IPC boundary.
> > In virtually all browser exploits we have seen recently the attacker
> > creates exploitation primitives that allow partial memory read/write
> > and then full memory read/write. Randomness introduced is bypassed and
> > ineffective. I've seen a general trend away from randomness for this
> > purpose. The exception is when the attacker is heavily constrained -
> > like exploiting over IPC or in a network protocol. Not when the
> > attacker has a full Javascript execution environment available to
> > them.
> > In conclusion, while it's possible hardened_malloc could provide some
> > small security increase over mozjemalloc, the gap is much smaller than
> > it was when I advocated for allocator improvements 5 years ago, the
> > effort is definitely non-trivial, and the gap is closing.
> I'm curious about how breaking monocultures affect attacks. I think
> supporting hardened_malloc (or <insert arbitrary allocator here>)
> would provide at least the framework for academic exercises.
At Mozilla in the past we have evaluated exploit mitigations by hiring
an exploit developer to write or adapt an exploit to bypass a
mitigation and give us their opinion. The replace_malloc framework is
effectively the framework for performing such an evaluation.
Exploits have become more and more frameworked. They abstract away the
exploitation primitives and write the exploits against an API. Then
for each vulnerability they construct the same primitives using
different or slightly different techniques and use mostly the same
exploit.
'Breaking the monoculture' to me feels like "The attacker doesn't know
X so they have to guess and they might guess wrong and lose their
ability to exploit." This assumes a) they have to guess and b) they
lose their ability to exploit.
(a) does not seem true. When they have a JIT to work with, they can
almost always safely inspect the system before taking any risks.
(b) also does not seem true. Reading memory is fairly safe so the
probability of crashing is low.
I think there is *significant* advantage to trying new approaches and
experimenting. Alternate implementations and experimentation. However
to toss those experiments in for no clear reason besides 'diversity'
does not seem advantageous.
-tom
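An added illustration of the deterministic vs. randomized layouts described above (this is not code from the post, from Firefox, mozjemalloc or hardened_malloc): a toy bump allocator over a 1MB region that either packs 100KB requests back to back or inserts a random gap r_i before each one, so the k-th allocation lands at base+k*100KB+r_1+...+r_k instead of base+k*100KB. The region size, the MAX_GAP bound, the xorshift PRNG and every function name here are assumptions made for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy bump allocator over a 1MB region, written to illustrate the
 * deterministic vs. randomized layouts from the post. Added illustration
 * code, not mozjemalloc, hardened_malloc or anything from Firefox; the gap
 * bound MAX_GAP and the xorshift PRNG are assumptions. */

#define ARENA_SIZE ((size_t)1 << 20)    /* the 1MB region from the example */
#define MAX_GAP    ((size_t)4096)       /* each random gap r_i is in [0, MAX_GAP) */
#define CHUNK      ((size_t)100 * 1024) /* the 100KB requests from the example */

typedef struct {
    size_t   size;      /* bytes available from <base> */
    size_t   used;      /* next free offset from <base> */
    int      randomize; /* 0: allocations are packed back to back */
    uint64_t state;     /* xorshift64 state; seeded so runs are reproducible */
} arena_t;

/* Minimal xorshift64 step; a real allocator would draw from a CSPRNG. */
static uint64_t arena_rand(arena_t *a)
{
    uint64_t x = a->state;
    x ^= x << 13;
    x ^= x >> 7;
    x ^= x << 17;
    a->state = x;
    return x;
}

void arena_init(arena_t *a, size_t size, int randomize, uint64_t seed)
{
    a->size = size;
    a->used = 0;
    a->randomize = randomize;
    a->state = seed ? seed : 0x9E3779B97F4A7C15ULL; /* xorshift must not start at 0 */
}

/* Returns the allocation's offset from <base>, or (size_t)-1 when the region
 * is exhausted. With randomize set, a gap r_i is inserted before each
 * allocation, so the k-th offset is k*CHUNK + r_1 + ... + r_k instead of
 * k*CHUNK. */
size_t arena_alloc(arena_t *a, size_t n)
{
    size_t gap = a->randomize ? (size_t)(arena_rand(a) % MAX_GAP) : 0;
    if (gap > a->size - a->used || n > a->size - a->used - gap)
        return (size_t)-1;
    size_t off = a->used + gap;
    a->used = off + n;
    return off;
}

/* Offset of the k-th (0-based) CHUNK-sized allocation in a fresh arena. */
size_t nth_offset(int randomize, uint64_t seed, int k)
{
    arena_t a;
    arena_init(&a, ARENA_SIZE, randomize, seed);
    size_t off = (size_t)-1;
    for (int i = 0; i <= k; i++)
        off = arena_alloc(&a, CHUNK);
    return off;
}

/* How many CHUNK-sized allocations fit: the space cost of the gaps. */
int count_fit(int randomize, uint64_t seed)
{
    arena_t a;
    arena_init(&a, ARENA_SIZE, randomize, seed);
    int n = 0;
    while (arena_alloc(&a, CHUNK) != (size_t)-1)
        n++;
    return n;
}

int main(void)
{
    printf("deterministic: ");
    for (int k = 0; k < 3; k++)
        printf("<base+%zu> ", nth_offset(0, 1, k));
    printf("\n");
    for (uint64_t seed = 1; seed <= 2; seed++) {
        printf("randomized (seed %llu): ", (unsigned long long)seed);
        for (int k = 0; k < 3; k++)
            printf("<base+%zu> ", nth_offset(1, seed, k));
        printf("\n");
    }
    printf("100KB chunks that fit: %d deterministic, %d randomized\n",
           count_fit(0, 1), count_fit(1, 1));
    return 0;
}
```

Build with `cc -std=c99 -Wall arena.c && ./a.out`. Two runs with different seeds print different offsets while the deterministic layout is always <base>, <base+102400>, <base+204800>; count_fit shows that the gaps cost a little capacity (with these constants at most one fewer 100KB chunk in the 1MB region). As the post says, this only denies the attacker a predictable layout; anyone who already has a memory read primitive simply reads where the allocations ended up, which is why the benefit is confined to cases like an IPC boundary.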
More information about the Whonix-devel mailing list