Message-ID: <55367BB3.6080406@upv.es>
Date: Tue, 21 Apr 2015 18:32:51 +0200
From: Hector Marco-Gisbert <hecmargi@....es>
To: fulldisclosure@...lists.org, full-disclosure@...ts.grok.org.uk,
	bugtraq@...urityfocus.com
Cc: Ismael Ripoll <iripoll@...ca.upv.es>,
	Assign a CVE Identifier <cve-assign@...re.org>
Subject: [FD] AMD Bulldozer Linux ASLR weakness: Reducing entropy by 87.5%

A security issue in the Linux ASLR implementation which affects some AMD processors 
has been found. The issue affects all Linux processes even if they are not 
using shared libraries (statically compiled).

The problem appears because some mmapped objects (VDSO, libraries, etc.) are 
poorly randomized in an attempt to avoid cache aliasing penalties for AMD 
Bulldozer (Family 15h) processors.

On affected systems the entropy of mmapped files is reduced by eight. Grsecurity/PaX 
is also affected.

The total entropy for the VVAR/VDSO, mmapped files and libraries of a process 
is reduced by eight. The number of possible locations where the mapped areas 
can be placed is reduced by 87.5%.

On 32-bit systems, for example, the entropy for libraries is reduced from 2^8 to 
2^5, which means that libraries only have 32 different places where they can be 
loaded. Under this scenario, advanced techniques used by PaX to thwart brute 
force attacks (for example, force a delay on the process creation when a crash 
occurs) are no longer effective. The attackers need on average only 16 trials.

Advisory details at:
http://hmarco.org/bugs/AMD-Bulldozer-linux-ASLR-weakness-reducing-mmaped-files-by-eight.html


We sent a patch, and Linux 4.1 will improve AMD Bulldozer's ASLR entropy issue:
http://www.spinics.net/lists/linux-tip-commits/msg27373.html



-- 
Hector Marco-Gisbert @ http://hmarco.org/
Cyber Security Researcher @ http://cybersecurity.upv.es
Universitat Politècnica de València (Spain)

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
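The post quantifies the weakness (256 possible library positions shrinking to 32 on 32-bit) but does not show how an administrator would check their own machine. The following is an added example, not code from the advisory or from the Linux kernel: it parses `/proc/self/maps` lines to extract the base of a chosen mapping, estimates the randomization bits from a set of observed bases, and, for an offline check, models the 32-bit case from the post. The model is a simplification and an assumption of this example: 8 random page-granular bits (bits 12 to 19) for the mmap base, with the Bulldozer alignment code forcing bits 12 to 14 (mask 0x7000) to a fixed value, here zero. The helper names (`mapping_base`, `observed_bits`, `sample_live`, `model_positions`) are this example's own.

```python
import math
import random
import re
import subprocess

# One /proc/<pid>/maps line: "start-end perms offset dev inode  pathname"
MAPS_LINE = re.compile(r'^([0-9a-f]+)-[0-9a-f]+\s+\S+\s+\S+\s+\S+\s+\d+\s*(.*)$')

# Constructed sample of two maps lines (32-bit layout, values invented for the example).
SAMPLE_MAPS = (
    "b7700000-b7701000 r-xp 00000000 00:00 0          [vdso]\n"
    "b7520000-b76c8000 r-xp 00000000 08:01 1234       /lib/i386-linux-gnu/libc-2.19.so\n"
)


def mapping_base(maps_text, tag):
    """Start address of the first mapping whose pathname contains `tag`
    (for example '[vdso]', '[vvar]' or 'libc'), or None if it is absent."""
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if m and tag in m.group(2):
            return int(m.group(1), 16)
    return None


def observed_bits(addresses, page_shift=12):
    """Lower bound on the randomization bits: log2 of the distinct page
    numbers seen.  This converges to the real entropy only with enough
    samples (thousands of runs for 8 bits); a small sample underestimates."""
    pages = {addr >> page_shift for addr in addresses}
    return math.log2(len(pages))


def sample_live(tag, runs=256):
    """Collect base addresses of `tag` from freshly started processes.
    Linux only; each `cat` is a new process and so gets a new mmap base."""
    addrs = []
    for _ in range(runs):
        maps = subprocess.run(['cat', '/proc/self/maps'],
                              capture_output=True, text=True, check=True).stdout
        base = mapping_base(maps, tag)
        if base is not None:
            addrs.append(base)
    return addrs


# Offline model of the 32-bit case from the post (assumption, not kernel code):
# the mmap base receives RANDOM_BITS random page-granular bits; the Bulldozer
# alignment fixes the bits in BULLDOZER_MASK, leaving 5 of the 8 bits random.
RANDOM_BITS = 8
BULLDOZER_MASK = 0x7000


def model_base(rng, mask=0):
    """One modelled 32-bit mmap base; `mask` marks bits forced to a constant."""
    rand_pages = rng.getrandbits(RANDOM_BITS)
    return (0xB7000000 + (rand_pages << 12)) & ~mask


def model_positions(mask, samples=100_000, seed=1):
    """Number of distinct bases the model produces over `samples` draws."""
    rng = random.Random(seed)
    return len({model_base(rng, mask) for _ in range(samples)})


if __name__ == '__main__':
    for name, mask in (('unaligned', 0), ('bulldozer-aligned', BULLDOZER_MASK)):
        n = model_positions(mask)
        print(f'{name}: {n} positions, {math.log2(n):.0f} bits')
    # On a Linux host, compare the modelled figures with a live measurement:
    # print(observed_bits(sample_live('[vdso]', runs=2048)))
```

The live measurement is a lower bound that only becomes meaningful once far more processes have been sampled than there are candidate positions, so use a few thousand runs and treat a result well below the expected 8 bits (32-bit) as a reason to check the kernel version rather than as an exact figure.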
