From: Austin S Hemmelgarn
To: 慕冬亮, yalin wang
Cc: linux-kernel@vger.kernel.org
Subject: Re: why is text address constant with full randomization?
Date: Mon, 21 Sep 2015 14:59:27 -0400
Message-ID: <5600538F.5080505@gmail.com>
References: <000AC074-2BC0-4361-A518-787ABAC1C9A2@gmail.com>

On 2015-09-21 10:31, 慕冬亮 wrote:
> 2015-09-15 17:05 GMT+08:00 yalin wang:
>>
>>> On Sep 15, 2015, at 16:36, 慕冬亮 wrote:
>>>
>>> First, my Linux kernel is Linux 114-212-83-136 4.1.0-2-amd64.
>>> Second, I copied /bin/cat on my system to mycat, and saw the address
>>> space layout below.
>>>
>>> mdl@114-212-83-136:~$ ./mycat /proc/self/maps
>>> 00400000-0040c000 r-xp 00000000 08:03 1046776 /home/mdl/mycat
>>> 0060b000-0060c000 r--p 0000b000 08:03 1046776 /home/mdl/mycat
>>> 0060c000-0060d000 rw-p 0000c000 08:03 1046776 /home/mdl/mycat
>>> 01da7000-01dc8000 rw-p 00000000 00:00 0 [heap]
>>> ......
>>>
>>> The starting address of the executable image is constant with my ASLR
>>> configuration 2 (full randomization).
>>> I think the text segment should not be constant, to defeat attacks like
>>> reusing text code!
>>> Is it related to the fix for the offset2lib attack?
>>> Thanks for any help!
>>> - mudongliang
>>
>> Your mycat ELF is an executable ELF file;
>> it is not possible to randomize the .text section address.
>> Only a relocatable ELF file can be randomized;
>> you should build your ELF with gcc -fPIC to make it relocatable.
> So this means the Debian system (my computer) does not compile its system
> ELF files with -fPIC by default.
> With a fixed text address, it is easy to be attacked.
> Why are there many distributions which do not compile their system ELF files as PIC?
> And in the real world, how do servers protect themselves from being
> attacked in this way?

In general, most distributions don't compile executables with -fPIC, only libraries (this is, however, one of the main reasons I use Hardened Gentoo on most of my systems; they compile everything with -fPIC and SSP by default). Many of the types of attacks that ASLR and PIC are supposed to protect against are primarily targeted at libraries, so this makes at least some sense. Part of it may also be that PIC is notoriously slow on at least 32-bit x86 processors (which are _really_ starved for registers already), and still often slower on average than non-PIC code on 64-bit x86 processors as well. On top of that, stuff with inline assembly code tends to break when built with -fPIC unless it's been specially designed for it.
The thing is though, you shouldn't be depending on just ASLR and PIC for security; they should be one of many layers of security for a well secured system. The first should be good firewall policy, and the second should be well audited and up-to-date network server code. Beyond that layer comes stuff like chroot and other forms of sandboxing or MAC layers (like SELinux).
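The two checks behind this thread, as an added example that is not part of the original mail or of any project discussed in it: whether a binary is an ET_EXEC image (fixed load address, mapped at the same place on every run no matter what randomize_va_space says) or an ET_DYN image (a shared object or a position-independent executable, which the kernel relocates under ASLR), and whether the executable's text base actually moves between runs according to /proc/<pid>/maps. The function names `elf_type`, `is_pie`, `text_base` and `looks_randomized` are this example's own, the ELF headers are constructed in-line, and the first maps snapshot is the one quoted above while the second "run" is constructed to show the heap moving but the text staying put. The same classification is what `readelf -h` reports in its `Type:` line (`EXEC` vs `DYN`).

```python
"""Added example (not from the thread): is this ELF relocatable, and did its
text base move between runs?"""
import os
import re
import struct
import sys

ET_EXEC = 2   # fixed-address executable: never relocated by ASLR
ET_DYN = 3    # shared object or position-independent executable: relocated


def elf_type(header):
    """Classify the first bytes of an ELF file by its e_type field.

    Returns 'EXEC', 'DYN' or 'type N' for anything else. Honours EI_DATA for
    byte order; e_type sits at offset 16 in both ELF32 and ELF64 headers.
    """
    if len(header) < 18 or header[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    endian = "<" if header[5] == 1 else ">"        # EI_DATA: 1 = LSB, 2 = MSB
    (e_type,) = struct.unpack_from(endian + "H", header, 16)
    return {ET_EXEC: "EXEC", ET_DYN: "DYN"}.get(e_type, "type %d" % e_type)


def is_pie(path):
    """True when the file at `path` is an ET_DYN image (PIE or shared object)."""
    with open(path, "rb") as f:
        return elf_type(f.read(64)) == "DYN"


# One /proc/<pid>/maps line: start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+[0-9a-f]+\s+\S+\s+\d+\s*(.*)$")


def text_base(maps_text, path):
    """Start of the first executable mapping backed by `path`, or None."""
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m and m.group(4) == path and "x" in m.group(3):
            return int(m.group(1), 16)
    return None


def looks_randomized(maps_texts, path):
    """True when the text base of `path` differs between at least two snapshots."""
    bases = {text_base(t, path) for t in maps_texts}
    bases.discard(None)
    return len(bases) > 1


def _fake_elf64_header(e_type, little_endian=True):
    """Constructed 64-byte ELF64 header (x86-64); only fields elf_type() reads matter."""
    ident = b"\x7fELF" + bytes([2, 1 if little_endian else 2, 1, 0]) + b"\0" * 8
    fmt = "<HHI" if little_endian else ">HHI"     # e_type, e_machine, e_version
    return (ident + struct.pack(fmt, e_type, 62, 1)).ljust(64, b"\0")


FIXED_EXE = _fake_elf64_header(ET_EXEC)   # what the quoted mycat looks like
PIE_EXE = _fake_elf64_header(ET_DYN)      # what a PIE build would look like

# The maps lines quoted in the thread, plus a constructed second run in which
# only the heap was placed somewhere else.
MAPS_RUN1 = """\
00400000-0040c000 r-xp 00000000 08:03 1046776 /home/mdl/mycat
0060b000-0060c000 r--p 0000b000 08:03 1046776 /home/mdl/mycat
0060c000-0060d000 rw-p 0000c000 08:03 1046776 /home/mdl/mycat
01da7000-01dc8000 rw-p 00000000 00:00 0 [heap]
"""
MAPS_RUN2 = MAPS_RUN1.replace("01da7000-01dc8000", "0221a000-0223b000")

if __name__ == "__main__":
    print("ET_EXEC sample:", elf_type(FIXED_EXE), "| ET_DYN sample:", elf_type(PIE_EXE))
    print("mycat text base: %#x" % text_base(MAPS_RUN1, "/home/mdl/mycat"))
    print("text randomized across runs:",
          looks_randomized([MAPS_RUN1, MAPS_RUN2], "/home/mdl/mycat"))
    if os.path.exists("/proc/self/maps"):     # live check of this interpreter on Linux
        exe = os.path.realpath(sys.executable)
        try:
            print("%s is PIE: %s" % (exe, is_pie(exe)))
        except ValueError:
            print("%s is not an ELF file" % exe)
```

To apply this to a real binary, call `is_pie("/path/to/binary")` and, for the runtime side, collect `/proc/<pid>/maps` from several launches and pass the texts to `looks_randomized`; an ET_EXEC image will report the same base every time even with randomize_va_space set to 2, which is exactly the behaviour the original poster observed.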