Contributed by rueda on from the conceal my writeable calls dept.
Introduction
There have been some recent security innovations previously unreported here:

- New flag "MAP_CONCEAL" for mmap(2) allocations
- No syscalls from pages where PROT_WRITE is still enabled
New mmap(2) flag: MAP_CONCEAL

Scott Soule Cheloha (cheloha@) committed code changes to support a new "MAP_CONCEAL" flag for mmap(2):
CVSROOT:    /cvs
Module name:    src
Changes by: cheloha@cvs.openbsd.org 2019/02/28 18:46:18

Modified files:
    sys/sys        : mman.h
    sys/uvm        : uvm.h uvm_extern.h uvm_map.c uvm_mmap.c uvm_unix.c

Log message:
New mmap(2) flag: MAP_CONCEAL.

MAP_CONCEAL'd memory is not written to disk in the event of a core dump.
It may grow other qualities in the future.

Wanted by libressl, probably useful elsewhere, too.

Prompted by deraadt@, concept from deraadt@/kettenis@.
With input from deraadt@, cjeker@, kettenis@, otto@, bcook@, matthew@,
guenther@, djm@, and tedu@.

ok otto@ deraadt@
This was followed by the addition of malloc_conceal(3) and calloc_conceal(3) by Otto Moerbeek (otto@):
CVSROOT:    /cvs
Module name:    src
Changes by: otto@cvs.openbsd.org 2019/05/10 09:03:24

Modified files:
    include        : stdlib.h
    lib/libc       : Symbols.list shlib_version
    lib/libc/hidden: stdlib.h
    lib/libc/stdlib: malloc.3 malloc.c

Log message:
Introduce malloc_conceal() and calloc_conceal(). Similar to their
counterparts but return memory in pages marked MAP_CONCEAL and on
free() freezero() is actually called.
smtpd(8) was then the first user of those functions, as seen in this commit, which reduces the chance of leaking SSL data through a core dump.
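The two commits above describe MAP_CONCEAL and malloc_conceal()/calloc_conceal() from the implementer's side. What follows is an added example, written for this article and not code from the OpenBSD tree, smtpd(8) or LibreSSL, of the same idea from the caller's side: a secret buffer that is mapped with MAP_CONCEAL on OpenBSD, is excluded from core dumps via madvise(MADV_DONTDUMP) on Linux (an assumed fallback so the example runs there too), and is always zeroed explicitly before release, mirroring what free() does for concealed memory via freezero(3). The names secret_alloc, secret_wipe, secret_free and secret_roundtrip, and the 32-byte stand-in key, are constructed for the example.

```c
/*
 * Added example, not code from the OpenBSD tree: a "concealed" secret buffer.
 * On OpenBSD the pages are mapped with MAP_CONCEAL so they are left out of a
 * core dump. Elsewhere the example falls back to madvise(MADV_DONTDUMP) where
 * that exists (Linux), and otherwise maps ordinary anonymous memory.
 * Freeing always zeroes the buffer explicitly before unmapping it, which is
 * what free() does for malloc_conceal()'d memory via freezero(3).
 */
#define _DEFAULT_SOURCE
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANON
#define MAP_ANON MAP_ANONYMOUS
#endif
#ifndef MAP_CONCEAL
#define MAP_CONCEAL 0 /* assumption: not OpenBSD, the flag is a no-op here */
#endif

/* Round n up to whole pages so munmap() later gets the same length. */
size_t secret_len(size_t n)
{
    long ps = sysconf(_SC_PAGESIZE);
    size_t page = ps > 0 ? (size_t)ps : 4096;
    return (n + page - 1) / page * page;
}

/* Map n bytes of zero-filled memory that should stay out of core dumps. */
void *secret_alloc(size_t n)
{
    size_t len = secret_len(n);
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANON | MAP_CONCEAL, -1, 0);
    if (p == MAP_FAILED)
        return NULL;
#if !defined(__OpenBSD__) && defined(MADV_DONTDUMP)
    /* Linux analogue of MAP_CONCEAL: exclude the range from core dumps. */
    if (madvise(p, len, MADV_DONTDUMP) != 0) {
        munmap(p, len);
        return NULL;
    }
#endif
    return p;
}

/* Zero the buffer through a volatile pointer so the compiler cannot drop
 * the stores as "dead" just because the memory is about to go away. */
void secret_wipe(void *p, size_t n)
{
    volatile unsigned char *vp = p;
    for (size_t i = 0; i < secret_len(n); i++)
        vp[i] = 0;
}

/* Wipe, then unmap: the freezero(3)-style release. */
void secret_free(void *p, size_t n)
{
    if (p == NULL)
        return;
    secret_wipe(p, n);
    munmap(p, secret_len(n));
}

/* Constructed round trip for a 32-byte stand-in key: returns 0 when the key
 * reads back intact and the wipe really left zeros behind. */
int secret_roundtrip(void)
{
    static const unsigned char key[32] = {
        0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
        0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
        0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78,
        0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0
    };
    static const unsigned char zeros[32];
    unsigned char *buf = secret_alloc(sizeof key);
    if (buf == NULL)
        return -1;
    memcpy(buf, key, sizeof key);
    int intact = memcmp(buf, key, sizeof key) == 0;
    secret_wipe(buf, sizeof key);
    int wiped = memcmp(buf, zeros, sizeof zeros) == 0;
    munmap(buf, secret_len(sizeof key));
    return (intact && wiped) ? 0 : -2;
}
```

Two caveats a user of the real functions should keep in mind. MAP_CONCEAL only keeps the pages out of a core dump; it does not prevent swap-out or reads by a debugger, so it complements rather than replaces mlock(2) where that matters. And explicit zeroing is only as good as the last copy: key material that was also memcpy'd into an ordinary malloc'd buffer or left in a stack frame is still dumped, which is why the smtpd(8) change had to route the whole allocation through malloc_conceal() rather than just the final buffer.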
System Calls Prohibited from PROT_WRITE Memory

Theo de Raadt (deraadt@) committed an improvement that checks the permissions of the memory a system call instruction is executed from and kills the process if that page is writeable at the time of the call (in addition to the existing check that the stack pointer is valid).
CVSROOT:    /cvs
Module name:    src
Changes by: deraadt@cvs.openbsd.org 2019/06/01 16:42:21

Modified files:
    sys/sys        : proc.h syscall_mi.h
    sys/uvm        : uvm_map.c uvm_map.h
    sys/arch/alpha/alpha: trap.c
    sys/arch/amd64/amd64: trap.c
    sys/arch/arm/arm: fault.c
    sys/arch/arm64/arm64: trap.c
    sys/arch/hppa/hppa: trap.c
    sys/arch/i386/i386: trap.c
    sys/arch/mips64/mips64: trap.c
    sys/arch/powerpc/powerpc: trap.c
    sys/arch/sparc64/sparc64: trap.c

Log message:
Refactor the MAP_STACK feature, and introduce another similar variation:
Lookup the address that a syscall instruction is executed from, and kill
the process if that page is writeable. This brings an aspect of W^X
behaviour to W|X mappings (in JITs not yet adapted to W^X). The goal is
to remove simple attack methods and force use of ret2libc or other more
complicated means.
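The commit message above states the rule from the kernel side: a syscall instruction must not live on a writeable page. The following is an added example, not code from OpenBSD or from any of the JITs the message refers to, of the write-then-seal sequence a code generator needs in order to satisfy it: emit into a read/write page, flip it to read/execute with mprotect(2), and only then run it. The emitted bytes here are a constructed placeholder that is never executed, so the example runs on any POSIX system; the fork-based check assumes the kernel delivers SIGSEGV (or SIGBUS) for a write to a read/execute page. The names jit_emit_and_seal, sealed_page_rejects_write and jit_demo are made up for the example.

```c
/*
 * Added example, not from the OpenBSD tree: the write-then-flip sequence a
 * JIT needs in order to stay on the right side of the new rule. The page is
 * read/write while code is being emitted and read/execute once it is done,
 * so no syscall instruction ever executes from a writeable page. The code
 * bytes are a constructed placeholder and are never executed here.
 */
#define _DEFAULT_SOURCE
#include <signal.h>
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef MAP_ANON
#define MAP_ANON MAP_ANONYMOUS
#endif

static size_t page_size(void)
{
    long ps = sysconf(_SC_PAGESIZE);
    return ps > 0 ? (size_t)ps : 4096;
}

/* Map one code page RW, copy the emitted bytes in, then seal it RX.
 * Returns the sealed page, or NULL if any step fails. */
void *jit_emit_and_seal(const unsigned char *code, size_t n)
{
    size_t len = page_size();
    if (n > len)
        return NULL;
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANON, -1, 0);
    if (p == MAP_FAILED)
        return NULL;
    memcpy(p, code, n);                 /* emit while the page is writeable */
    if (mprotect(p, len, PROT_READ | PROT_EXEC) != 0) {
        munmap(p, len);                 /* never hand out a still-writeable page */
        return NULL;
    }
    return p;
}

/* Verify from a forked child that the sealed page really rejects writes:
 * the child tries one store and is expected to die with SIGSEGV/SIGBUS.
 * Returns 1 if the write was blocked, 0 if it went through, -1 on error. */
int sealed_page_rejects_write(void *p)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        volatile unsigned char *vp = p;
        vp[0] = 0x90;                   /* should fault on an RX page */
        _exit(0);                       /* reached only if the store succeeded */
    }
    int st;
    if (waitpid(pid, &st, 0) < 0)
        return -1;
    if (WIFSIGNALED(st) &&
        (WTERMSIG(st) == SIGSEGV || WTERMSIG(st) == SIGBUS))
        return 1;
    if (WIFEXITED(st) && WEXITSTATUS(st) == 0)
        return 0;
    return -1;
}

/* Constructed demo: emit a one-byte placeholder, seal the page, and report
 * whether the seal holds. */
int jit_demo(void)
{
    static const unsigned char code[] = { 0xc3 }; /* placeholder, not run */
    void *p = jit_emit_and_seal(code, sizeof code);
    if (p == NULL)
        return -1;
    int r = sealed_page_rejects_write(p);
    munmap(p, page_size());
    return r;
}
```

A JIT that instead keeps a long-lived W|X page and patches it in place is exactly the case the commit targets: any syscall stub it generates into that page now gets the process killed. On OpenBSD such a W|X mapping is only granted to binaries marked wxneeded running from a filesystem mounted wxallowed in the first place, so the flip-to-RX pattern above (re-flipping to RW only for the duration of a patch) is the portable way to be correct on both the old and the new kernel.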
Comments

By Peter J. Philipp (pjp) nospam@centroid.eu on https://centroid.eu

Hi,

Great work! I have a question regarding malloc_conceal(). The manpage says, upon free the stored data is discarded explicitly. Does that mean a concealed malloc does not ever need a freezero()?

Thanks!

-peter

By Peter J. Philipp (pjp) nospam@centroid.eu on https://centroid.eu

Oops, I just re-read the commit message. Please never mind.

-peter