So it turns out vanilla Android really only has ~2-3 bits of ASLR entropy for mmap (secondary stacks, dlopen, malloc). That's really sad.
@CopperheadSec Userspace could emulate that just by mmap PROT_NONE with random size before each mmap, then munmapping it.
@RichFelker That's essentially what CopperheadOS does for stacks, but it keeps it around until unmapping: https://android-review.googlesource.com/#/c/161453/
@RichFelker An attacker can overcome stuff like this via influence over heap allocations if reuse of the random gaps is allowed.
@RichFelker So doing it in userspace probably means having a hash table of all mmap allocations, to track the size of random gaps.
@RichFelker And then adding random gaps for some subset of allocations, carefully done to bound the wasted memory while remaining random.