TVM ASLR-exploit-proof?


917832409173409178324097

Oct 14, 2016, 9:26:48 AM10/14/16
to qubes-users
Hello,

can ASLR tech help to build a hard template VM for Qubes?

https://securityetalii.es/2013/02/03/how-effective-is-aslr-on-linux-systems/

checksec.sh:
How important is it that all libs and executables are PIE-compiled?
Are 100% of the TVM binaries PIE-compliant?

https://www.blackhat.com/docs/asia-16/materials/asia-16-Marco-Gisbert-Exploiting-Linux-And-PaX-ASLRS-Weaknesses-On-32-And-64-Bit-Systems.pdf

Will ASLR-NG mitigate the ASLR-weaknesses?

The rerandomization should be fast enough or be able to detect some brute-force attacks.

There are other exploit strategies which should be taken into account, so that the TVM is hard enough to resist contact with the web (ebanking) - or is the Qubes architecture addressing all of them?

Heap-Spraying?
Egg-Hunting?
ROP?
DEP?
SEHOP?
SafeSEH?
Stack Cookies?
SEH overflows?
stack overflows?

or others?

It looks like there are many methods around to inject shellcode in some way...

https://www.corelan.be/index.php/2013/02/19/deps-precise-heap-spray-on-firefox-and-ie10/

Kind Regards
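The PIE audit the post asks about (are all template binaries PIE?), as an added example that is not from the thread or from checksec.sh: it reads the e_type field of the ELF header directly, so it works inside a minimal template without readelf, and assumes little-endian ELF files (x86/x86-64); the sample headers it creates are constructed, not real programs.

```shell
#!/bin/sh
# elf_type FILE -> prints EXEC, DYN, OTHER or NOT-ELF by inspecting the ELF header.
# ET_EXEC images load at a fixed address and get no ASLR for the main image;
# ET_DYN images (PIE executables and shared libraries) can be relocated randomly.
elf_type() {
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || { echo NOT-ELF; return 0; }
    # e_type is the 16-bit field at offset 16; little-endian assumed (x86/x86-64)
    t=$(od -An -tx1 -j16 -N2 "$1" | tr -d ' \n')
    case "$t" in
        0200) echo EXEC ;;
        0300) echo DYN ;;
        *)    echo OTHER ;;
    esac
}

# is_pie FILE -> exit status 0 when the file is position-independent (ET_DYN)
is_pie() { [ "$(elf_type "$1")" = DYN ]; }

# audit_dir DIR -> lists every non-PIE ELF file and ends with "<pie> <non-pie>"
audit_dir() {
    pie=0; nonpie=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "$(elf_type "$f")" in
            DYN)  pie=$((pie + 1)) ;;
            EXEC) nonpie=$((nonpie + 1)); echo "non-PIE: $f" ;;
        esac
    done
    echo "$pie $nonpie"
}

# aslr_level -> kernel-wide setting: 0 off, 1 stack/mmap, 2 also brk (full ASLR)
aslr_level() { cat /proc/sys/kernel/randomize_va_space 2>/dev/null || echo unknown; }

# Constructed samples (hypothetical, not real binaries): two 64-bit little-endian
# ELF headers differing only in e_type (2 = EXEC, 3 = DYN), plus a non-ELF file.
SAMPLE_DIR=$(mktemp -d)
printf '\177ELF\002\001\001\000\000\000\000\000\000\000\000\000\002\000\076\000' > "$SAMPLE_DIR/fixed_exec"
printf '\177ELF\002\001\001\000\000\000\000\000\000\000\000\000\003\000\076\000' > "$SAMPLE_DIR/pie_exec"
printf 'not an elf file\n' > "$SAMPLE_DIR/readme.txt"

# Typical run on a real template: audit_dir /usr/bin; aslr_level
audit_dir "$SAMPLE_DIR"
```

On a real template, point `audit_dir` at /usr/bin, /usr/sbin and /usr/lib64; every `non-PIE:` line is an executable whose image ASLR cannot relocate, and `aslr_level` should print 2.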

Manuel Amador (Rudd-O)

Oct 14, 2016, 10:32:58 AM10/14/16
to qubes...@googlegroups.com
This would be really nice, but basically you're talking about hardening
Fedora, so this should probably be done with upstreaming the work in
mind. Perhaps we begin with a template on Qubes OS that we can use, and
piece by piece, the modifications to that template can get upstreamed.
Eventually the template will no longer be necessary.


--
Rudd-O
http://rudd-o.com/

0923718973178347240243

Oct 17, 2016, 4:03:03 PM10/17/16
to qubes-users
Hello Rudd-O,

here is an interesting concept: in some way they reach the RAM randomization with one central DLL (for Windows platforms only), but it works directly, on the fly, for all apps and libs!!!

http://www.morphisec.com/how-it-works/

Wow, not bad!

This will be much more robust.
And in parallel they keep the honeypot, to run the law enforcement procedures against intruders.

Here is a critical view of ASLR:

http://blog.morphisec.com/aslr-what-it-is-and-what-it-isnt/

But for sure, the randomization will need a good non-deterministic random generator and a fast random update sequence (in seconds), because 4 GB is quite endless...

Would it make sense to implement a similar fast, non-deterministic randomization
tech in Qubes to overcome some standard template vulnerabilities, with smart countermeasures?

Kind Regards

10378213217831783789

Oct 17, 2016, 4:08:38 PM10/17/16
to qubes-users
Hello,

Tails is also using ASLR security tech now...

https://fossbytes.com/tails-2-6-secure-linux-os-snowden-updated-tor-and-kernel/

Kind Regards
