„64-bit Debian and 64-bit HardenedBSD had the two best implementations of ASLR, with 64-bit Debian having just slightly more entropy than 64-bit HardenedBSD.“ web.cs.ucdavis.edu/~peisert/resea
This Tweet was deleted by the Tweet author. Learn more
Conversation
Replying to
The original tweet presenting the results in a misleading and dishonest only looks bad for the person doing it, not the project they're trying to attack.
twitter.com/gonzopancho/st
The paper is also only looking at one part of the ASLR implementation rather than the whole picture.
This Tweet is unavailable.
2
1
3
HardenedBSD doesn't care about 32-bit arch's.
The primary author of the paper had reached out to us during his research. He was very confused about how different ASLR implementations work. His testing methodology and algorithms weren't accurate.
This research paper is flawed.
1
The paxtest application has the proper algorithms to measure ASLR entropy. Note that paxtest cannot properly measure ASR entropy. FreeBSD is implementing ASR. This, paxtest cannot measure and compare between fbsd and hbsd.
1
It's fair to use it on FreeBSD to measure what matters most though. Fine-grained heap randomization is a separate feature that's best layered on top, and can't be accomplished well at only the mmap layer. Especially true with jemalloc involved, which aligns the mmap heap, etc.
1
1
ASLR can be extended with finer-grained bases via userspace features, and paxtest is mostly oblivious to that. It is capable of seeing one extremely tiny aspect of the difference between malloc implementations based on the entropy of one allocation between different executions.
1
1
glibc:
Heap randomization test (PIE): 32 quality bits (guessed)
jemalloc:
Heap randomization test (PIE): 23 quality bits (guessed)
hardened_malloc:
Heap randomization test (PIE): 41 quality bits (guessed)
Entropy of a specific allocation is such a tiny aspect of it though.
1
1
So, it's not even really worth noting or talking about beyond the fact that jemalloc aligning the heap is bad for ASLR and also fine-grained heap randomization, but it's one of the least interesting aspects of malloc security. It's not what paxtest is aimed at testing at all.
jemalloc has gotten A LOT better with regards to being ASLR-friendly. There's still room for improvement, but it's not nearly as bad as before.
1
ASLR friendliness and fine-grained randomization (which it doesn't do) are a tiny aspect of malloc security though. Protected out-of-line metadata, detecting all invalid frees, canaries, quarantines, isolated partitions for different sizes / types, etc. are all more interesting.
2
2
Show replies