OpenBSD Journal

Recent Security Innovations

Contributed by rueda on from the conceal my writeable calls dept.

Introduction

There have been some recent security innovations previously unreported here:

  1. New flag "MAP_CONCEAL" for mmap(2) allocations
  2. No syscalls from pages where PROT_WRITE is still enabled

New mmap(2) flag: MAP_CONCEAL

Scott Soule Cheloha (cheloha@) committed code changes to support a new "MAP_CONCEAL" flag for mmap(2):

CVSROOT:	/cvs
Module name:	src
Changes by:	cheloha@cvs.openbsd.org	2019/02/28 18:46:18

Modified files:
	sys/sys        : mman.h 
	sys/uvm        : uvm.h uvm_extern.h uvm_map.c uvm_mmap.c 
	                 uvm_unix.c 

Log message:
New mmap(2) flag: MAP_CONCEAL.

MAP_CONCEAL'd memory is not written to disk in the event of a core dump.
It may grow other qualities in the future.

Wanted by libressl, probably useful elsewhere, too.

Prompted by deraadt@, concept from deraadt@/kettenis@.  With input from
deraadt@, cjeker@, kettenis@, otto@, bcook@, matthew@, guenther@, djm@,
and tedu@.

ok otto@ deraadt@

This was followed by th addition of malloc_conceal(3) and calloc_conceal(3) by Otto Moerbeek (otto@):

CVSROOT:	/cvs
Module name:	src
Changes by:	otto@cvs.openbsd.org	2019/05/10 09:03:24

Modified files:
	include        : stdlib.h 
	lib/libc       : Symbols.list shlib_version 
	lib/libc/hidden: stdlib.h 
	lib/libc/stdlib: malloc.3 malloc.c 

Log message:
Inroduce malloc_conceal() and calloc_conceal(). Similar to their
counterparts but return memory in pages marked MAP_CONCEAL and on
free() freezero() is actually called.

This was then used in smtpd(8) as the first user of those functions, as seen in this commit to reduce chances of leaking SSL data.

System Calls Prohibited from PROT_WRITE Memory

Theo de Raadt (deraadt@) committed an improvement to check permissions on the memory from which system calls come, and make sure they are not in a piece of memory which is writeable at the time of the call (in addition to the existing checking of validity of the stack pointer.)

CVSROOT:	/cvs
Module name:	src
Changes by:	deraadt@cvs.openbsd.org	2019/06/01 16:42:21

Modified files:
	sys/sys        : proc.h syscall_mi.h 
	sys/uvm        : uvm_map.c uvm_map.h 
	sys/arch/alpha/alpha: trap.c 
	sys/arch/amd64/amd64: trap.c 
	sys/arch/arm/arm: fault.c 
	sys/arch/arm64/arm64: trap.c 
	sys/arch/hppa/hppa: trap.c 
	sys/arch/i386/i386: trap.c 
	sys/arch/mips64/mips64: trap.c 
	sys/arch/powerpc/powerpc: trap.c 
	sys/arch/sparc64/sparc64: trap.c 

Log message:
Refactor the MAP_STACK feature, and introduce another similar variation:
Lookup the address that a syscall instruction is executed from, and kill
the process if that page is writeable.  This brings an aspect of W^X
behaviour to W|X mappings (in JITs not yet adapted to W^X).  The goal is
to remove simple attack methods and force use of ret2libc or other more
complicated means.

(Comments are closed)


Comments
  1. By Peter J. Philipp (pjp) nospam@centroid.eu on https://centroid.eu

    Hi,

    Great works! I have a question regarding the malloc_conceal(). The manpage says, upon free the stored data is discarded explicitly. Does that mean a concealed malloc does not ever need a freezero()?

    Thanks!
    -peter

    Comments
    1. By Peter J. Philipp (pjp) nospam@centroid.eu on https://centroid.eu

      Ooops I just re-read the commit message. Please never mind.

      -peter

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]