Monday, March 6, 2017

#freenode channel featuring yray, irinix, ryonaloli, norkle, xynashi, opm, and 6 others.

ryonaloli 2017-03-05 20:45:27
mniip: https://copperhead.co/android/docs/technical_overview gives some insight
ryonaloli 2017-03-05 20:45:42
since that includes both bionic and openbsd related stuff.
ryonaloli 2017-03-05 20:46:35
for example, heap spraying becomes nearly impossible on windows, due to a totally unpredictable layout.
mniip 2017-03-05 20:46:42
ryonaloli, that sounds like a lot of performance hits
ryonaloli 2017-03-05 20:46:50
the performance hits are very slight.
ryonaloli 2017-03-05 20:47:07
only small allocations need to be randomized, and they can be pre-allocated and put in a pool.
mniip 2017-03-05 20:47:12
hmm
mniip 2017-03-05 20:47:23
isn't heap ASLR'd if you have systemwide PIC?
yray 2017-03-05 20:47:23
thanks folks, @mniip and ryonaloli very informative stuff. ryonaloli: I agree that windows 10 might be hardened, then what is with all these people and websites encouraging people to stay away from Win10. Also would you trust windows 10, when it is hardened and has been configured to keep your privacy to yourself, with your life?
ryonaloli 2017-03-05 20:47:24
even smaller allocations aren't put in the heap anyway. they typically go in the stack and aren't true allocations.
ryonaloli 2017-03-05 20:47:34
ASLR only occurs when you are pulling memory from the kernel.
ryonaloli 2017-03-05 20:47:50
usually you pull much more than you need (many megabytes), and then the malloc partitions that each time you need a little more memory.
mniip 2017-03-05 20:47:51
yes but that's what ld-linux does
ryonaloli 2017-03-05 20:48:34
and then when you free() memory, you don't free it back to the kernel, you free it back to the malloc arena.
mniip 2017-03-05 20:48:34
right right
ryonaloli 2017-03-05 20:48:34
where it will be used later via malloc()
mniip 2017-03-05 20:48:43
but malloc puts the data before the program break
ryonaloli 2017-03-05 20:48:46
yray: i do not trust windows 10 at all. i use hardened linux for everything.
mniip 2017-03-05 20:48:56
the location of which should be ASLRd in a PIC executable
ryonaloli 2017-03-05 20:49:07
but in terms of raw exploit mitigation, windows 10 in many ways is superior to *vanilla* linux.
ryonaloli 2017-03-05 20:49:41
mniip: you likely only get one or two mmap() calls, but possibly hundreds of malloc() calls. that means you only get randomized twice.
mniip 2017-03-05 20:49:51
right
ryonaloli 2017-03-05 20:50:21
then those hundreds of malloc(), realloc(), free(), whatever calls are not subject to the additional protections by ASLR. not to mention, ASLR is useless when it comes to protecting a local process from another locally executing program.
mniip 2017-03-05 20:50:29
are you suggesting that allocator you linked randomizes every pointer?
ryonaloli 2017-03-05 20:50:55
not quite. it randomizes small allocations in the arena.
ryonaloli 2017-03-05 20:51:07
which isn't something visible to the program like pointers are.
ryonaloli 2017-03-05 20:51:21
knowing the pointer isn't gonna help the attacker.
mniip 2017-03-05 20:51:29
hmm
ryonaloli 2017-03-05 20:51:54
>Fine-grained randomization is performed for small allocations by choosing a random pool to satisfy requests and then choosing a random free slot within a page provided by that pool. Freed small allocations are quarantined before being put back into circulation via a randomized delayed allocation pool. These features raise the difficulty of exploiting vulnerabilities by making the internal heap layout
ryonaloli 2017-03-05 20:52:00
and allocator behavior unpredictable.
ryonaloli 2017-03-05 20:52:02
is just one example
ryonaloli 2017-03-05 20:52:09
among many
ryonaloli 2017-03-05 20:52:37
the windows allocator also uses a large number of anti-exploitation techniques. pretty much as soon as a new one is found to be solid and made performant, it's added to windows in an update.
ryonaloli 2017-03-05 20:52:58
whereas glibc just uses ptmalloc3/dlmalloc, and the best they have for "hardening" is xor mangling of things like setjmp.
ryonaloli 2017-03-05 20:53:56
only openbsd malloc and bionic malloc (and especially copperhead bionic malloc, which is a fusion of the two, plus new features) is able to rival and likely surpass the windows allocator. plus since it focuses only on security, it doesn't have some issues the windows allocator has like "high availability heap" or whatever it's called.
mniip 2017-03-05 20:54:17
hm
celyr 2017-03-05 20:54:45
ryonaloli, OpenBSD malloc used to be a lot slower than freebsd one and linux one tho
celyr 2017-03-05 20:54:56
ryonaloli, Idk if they fixed that
ryonaloli 2017-03-05 20:55:13
celyr: that's mainly because it takes care to do silly things like sanitizing freed memory way too much, which isn't super important.
yray 2017-03-05 20:55:17
is Grsecurity only for paying customers?
ryonaloli 2017-03-05 20:55:19
or poisoning things or something.
ryonaloli 2017-03-05 20:55:27
yray: no, there's a free version which is basically the same.
ryonaloli 2017-03-05 20:55:46
there's a paid version which is if you need different kernel versions, like if you need an extra stable, older kernel for mass-deployment.
yray 2017-03-05 20:56:11
where should I find the free version? github?
ryonaloli 2017-03-05 20:56:17
grsecurity.net
mniip 2017-03-05 20:56:40
well
ryonaloli 2017-03-05 20:56:41
though distributions like gentoo allow you to install it via their package manager
mniip 2017-03-05 20:56:44
to be fair
ryonaloli 2017-03-05 20:56:45
and debian too
ryonaloli 2017-03-05 20:56:59
"emerge hardened-sources" for gentoo, "apt-get install linux-grsec" for debian.
mniip 2017-03-05 20:57:06
having security in linux's process abstraction is rather hard
ryonaloli 2017-03-05 20:57:19
mniip: in the malloc?
mniip 2017-03-05 20:57:23
no I mean,
mniip 2017-03-05 20:57:34
the way in linux you can move everything around in your virtual memory
ryonaloli 2017-03-05 20:57:49
well all computers with an mmu do that
mniip 2017-03-05 20:58:20
on windows many things are managed with call gates as opposed to mapping machine code into the user's process
ryonaloli 2017-03-05 20:58:37
mapping machine code into a user's process? you mean vDSO?
ryonaloli 2017-03-05 20:58:49
not sure what call gates are. i don't know a lot about windows internals.
mniip 2017-03-05 20:59:14
no I mean, shared libs on linux
mniip 2017-03-05 20:59:26
stuff like libc that is fairly internal
ryonaloli 2017-03-05 20:59:41
oh. how's that different than windows dlls in that sense?
ryonaloli 2017-03-05 20:59:57
they both link executables dynamically, but one is pe32+ and one is ELF
mniip 2017-03-05 20:59:58
on windows some dlls, particularly the kernel interfaces are call gates
yray 2017-03-05 21:00:02
ryonaloli : ok, here is a very idiotic question for you, would you change whatever linux distro you are using right now, to use whonix? What i mean is, how much would you trust whonix?
mniip 2017-03-05 21:00:15
they don't map kernel code into the user process
mniip 2017-03-05 21:00:34
so there is not a possibility of jumping into random locations in the kernel code, or use kernel code to assemble ROPs
ryonaloli 2017-03-05 21:00:37
yray: if you use whonix with a *physical* gateway (i.e. not with virtual machines), then it's pretty good if the threat model they take care of is your priority
ryonaloli 2017-03-05 21:00:46
mniip: linux doesn't do that. does windows?
entity 2017-03-05 21:00:54
hello, how do I register my nick
ryonaloli 2017-03-05 21:01:03
i mean the closest linux has to that is vDSO and that's not even true kernel code.
mniip 2017-03-05 21:01:10
ryonaloli, whichever DLL provides most system calls on windows
ryonaloli 2017-03-05 21:01:29
oh win32k.sys?
mniip 2017-03-05 21:01:30
it does that with call gates and not manual context switches like linux does
yray 2017-03-05 21:01:39
ryonaloli : what do you mean physical gateway? like installing the gateway image on a physical pc?
ryonaloli 2017-03-05 21:01:44
yray: yes
ryonaloli 2017-03-05 21:01:51
entity: /msg nickserv help register
entity 2017-03-05 21:01:54
k
mniip 2017-03-05 21:02:42
ryonaloli, imagine if all shared libraries used call gates
ryonaloli 2017-03-05 21:02:55
trying to wrap my head around the concept of call gate
mniip 2017-03-05 21:03:02
every shared library would have its own virtual memory
ryonaloli 2017-03-05 21:03:11
like is it just a syscall in userspace?
mniip 2017-03-05 21:03:18
no like
ryonaloli 2017-03-05 21:03:23
like something in CPL3 that has the function of a syscall?
mniip 2017-03-05 21:04:33
hmm
mniip 2017-03-05 21:04:54
actually I might be wrong about call gates in windows
mniip 2017-03-05 21:05:16
ryonaloli, http://wiki.osdev.org/System_Calls#Call_Gates_.28Intel.29
yray 2017-03-05 21:05:24
Just finished reading what you guys been chatting about up to now, this could easily become a very awesome security article....
ryonaloli 2017-03-05 21:05:30
all i know about windows syscalls is that some occur in userspace and aren't true syscalls (about 500), and some are (like 2000?)
ryonaloli 2017-03-05 21:05:53
reading now
ryonaloli 2017-03-05 21:06:05
oh i get it
ryonaloli 2017-03-05 21:06:11
it's something internal to the architecture
mniip 2017-03-05 21:06:18
ryonaloli, a call gate is a special descriptor in the GDT that makes a specific pointer act as a far jump when called with a regular call
ryonaloli 2017-03-05 21:06:40
yeah i see
ryonaloli 2017-03-05 21:07:05
that sounds rather scary
ryonaloli 2017-03-05 21:07:17
i'm glad linux just uses regular syscalls and vDSO
mniip 2017-03-05 21:07:31
isn't call gates what vsyscall is?
ryonaloli 2017-03-05 21:07:48
vsyscalls haven't been used for quite a while
ryonaloli 2017-03-05 21:07:59
even on systems that do use them, they're merely emulated vsyscalls
ryonaloli 2017-03-05 21:08:04
native vsyscalls are a thing of the past
ryonaloli 2017-03-05 21:08:19
and even they are being quickly phased out to be fully replaced with vDSO
ryonaloli 2017-03-05 21:10:07
(and yeah vsyscalls are scary :P)
ryonaloli 2017-03-05 21:10:23
i got a patch upstreamed in tails to get them to remove it for that reason
mniip 2017-03-05 21:10:56
gotta go
mniip 2017-03-05 21:11:33
ryonaloli, anyway, call gates let you have a non-centralized syscall interface,
mniip 2017-03-05 21:11:40
without having to map kernel code into userspace
mniip 2017-03-05 21:11:47
where it can be remapped and modified and whatever
ryonaloli 2017-03-05 21:11:53
if they're the same as what vsyscalls were, then that makes a lot more sense
mniip 2017-03-05 21:12:01
and if we treated shared libs similarly
ryonaloli 2017-03-05 21:12:04
and if windows uses them extensively, then that is really quite terrifying :D
mniip 2017-03-05 21:12:11
I think there's some potential in this scheme
ryonaloli 2017-03-05 21:13:32
(i don't know what "map kernel code into userspace" means anyway. i don't think either linux or windows does that)
ryonaloli 2017-03-05 21:13:37
anyway, ttyl
yray 2017-03-05 21:14:21
ryonaloli: thank you for the insight, mate
ryonaloli 2017-03-05 21:14:31
np
ryonaloli 2017-03-05 21:14:43
and i g2g too, got some reading to do
yray 2017-03-05 21:15:07
you rock... see you around, best of wishes
xdej 2017-03-05 21:22:13
chatter29 on #gentoo-prefix: "to accept islam say that i bear witness that there is no deity worthy of worship except allah and muhammad peace be upon him is his slave and messenger"
elky 2017-03-05 21:22:35
mniip: ^
xdej 2017-03-05 21:22:52
It was 20 minutes ago, chatter29 is still connected.
elky 2017-03-05 21:22:53
xdej: in the future don't repeat spam or spamkiller bots might think you're a spammer :)
xdej 2017-03-05 21:23:06
elky: how should I proceed?
ryonaloli 2017-03-05 21:23:21
put zero width spaces in between a few of the words :P
opm 2017-03-05 21:23:43
xdej: just say Allah spammer is in so and so channel
elky 2017-03-05 21:23:44
xdej: ask for staff for assistance with a spammer, they will always ask for details before assuming you're right anyway
opm 2017-03-05 21:23:50
generally works out
opm 2017-03-05 21:23:54
or what elky said
ryonaloli 2017-03-05 21:23:56
also yeah, everyone knows the allah sammer
ryonaloli 2017-03-05 21:24:02
*spammer
xdej 2017-03-05 21:24:15
how can I ask for staff assistance (I have no particular rights on #gentoo-prefix)?
opm 2017-03-05 21:24:27
you are a user
opm 2017-03-05 21:24:29
right?
xdej 2017-03-05 21:24:31
ryonaloli: except this one is still connected 20 minutes after.
xdej 2017-03-05 21:24:33
opm: right
ryonaloli 2017-03-05 21:24:58
xdej: just say "any staff here? the allah spammer (chatter29) is in #gentoo-prefix spamming the place and no chanops are around"
opm 2017-03-05 21:25:01
you don't need to have special rights in a channel to bring something pertinent to the notice of staff members
ryonaloli 2017-03-05 21:25:07
and if staff are around, they'll likely kline him
xdej 2017-03-05 21:25:09
ryonaloli: (connected, but did not care to say anything in the last 20 minutes)
ryonaloli 2017-03-05 21:25:26
xdej: well he's been doing that in multiple channels
ryonaloli 2017-03-05 21:25:38
not too long ago, he did that in #libreboot
elky 2017-03-05 21:26:02
xdej: there's a lot of traffic on freenode, staff kind of rely on user reports to bring things to their attention because they can't always pay full attention to goings on
irinix 2017-03-05 21:26:31
and thus, on the fifth day of reckoning, in the hour of reflection, spake opm.
xdej 2017-03-05 21:26:47
elky: how much storage would it be for freenode staff to keep the last 24h worth of IRC logs on all channels?
ryonaloli 2017-03-05 21:27:22
not enough that it would be impractical
xynashi 2017-03-05 21:27:29
they won't do that for privacy reasons
elky 2017-03-05 21:27:31
xdej: no idea, but they don't log channels they're not in, and only select user activity
ryonaloli 2017-03-05 21:27:44
ideally :P
elky 2017-03-05 21:28:01
besides, you can store all the data you want, but you still need $n lifetimes to be able to read it all
xdej 2017-03-05 21:28:41
elky: why do you talk about reading? grepping the IP reported on #freenode would be enough.
xdej 2017-03-05 21:28:52
(the IP and also the incriminated username)
ryonaloli 2017-03-05 21:29:10
xdej: staff don't need to check logs to know that. that's stored in memory by freenode for a while anyway.
ryonaloli 2017-03-05 21:29:20
even after a user quits
ryonaloli 2017-03-05 21:29:30
after all, /whowas is a thing :P
xdej 2017-03-05 21:32:46
ryonaloli on #gentoo-prefix "anyway this is probably off-topic for #gentoo-prefix." right :-) last message on #gentoo-prefix was on March, 3.
ryonaloli 2017-03-05 21:32:59
heh
xdej 2017-03-05 21:33:00
ryonaloli: thanks for your kind attention anyway.
Atlas01 2017-03-05 21:35:12
110001 110001 110001 110000 110000 110001 110001 100000 110001 110001 110001 110000 110001 110000 110001 100000 110001 110001 110001 110000 110001 110000 110001 100000 110001 110001 110001 110000 110001 110000 110001 100000 110001 110001 110000 110001 110000 110000 110000 100000 110001 110000 110000 110000 110000 110000 100000 110001 110001 110000 110000 110001 110000 110000 100000 110001 110001 110001 110000 110001 110000 110001 100000 110001 110001
ryonaloli 2017-03-05 21:37:03
what is this, 6-bit ascii?
ryonaloli 2017-03-05 21:37:11
mind = blown
Atlas01 2017-03-05 21:38:38
+4, ryona
Atlas01 2017-03-05 21:38:54
or well, -4
norkle 2017-03-05 21:39:11
binary porn?
ryonaloli 2017-03-05 21:39:17
at least that didn't change my reputation at all
Atlas01 2017-03-05 21:39:26
could call it that