OpenBSD Journal

OpenBSD may soon gain further memory protections: immutable userland mappings

Contributed by Peter N. M. Hansteen on from the mutable no more dept.

In a September 1st post to tech@ titled immutable userland mappings, Theo de Raadt (deraadt@) gave us a preview of code that may soon land in -current. The message leads in,

In the last few years, I have been improving the strictness of userland
memory layout.

An example is the recent addition of MAP_STACK and msyscall().  The first one
marks pages that are stack, so that upon entry to the kernel we can check if
the stack-pointer is pointing in the stack range.  If it isn't, the most obvious
conclusion is that a ROP pivot has occurred, and we kill the process.  The second
one marks the region which contains syscall traps, if upon entry to the kernel
the PC is not in that region, we know someone is trying to do system calls via
an unapproved method.

My next attempt is to lock memory mappings.  The current working name is
mimmutable(void *addr, size_t len).  This identifies all current mapped memory
in a region, and tags the mappings.  Such mappings can never be unmapped.
No new mmap can be done on top of the mappings.  And the permissions cannot
be changed.  Other than that, the underlying storage memory works fine, it is
just the mapping that is locked.

This is about work that is upcoming, still not committed. The post includes a patch which is sort of a snapshot of work in progress.

You can read the full message and any followups starting here, and please do test if you feel up to it.

(Comments are closed)

  1. By John McCue (jmcunx) on

    A little bit over my head, but does this mean memory leak checking will get more strict? BTW, if so, that sounds great to me :)

  2. By Solène Rapenne (solene) on

    Does someone know how it is beneficial for end users? I understand it's another layer for protecting the memory and programs, but I can't figure the benefits of it.

    1. By Peter J. Philipp (pjp) on

      If I understand this correctly it will benefit my DNS server software (authoritative server) that I'm programming. In this post a few months ago I wrote this:

      I think if I do the protections with guard pages in the memory and then immutable the entire shared region, the guard pages can't be changed back, making this better. Looks like a neat addition; I'll have to see if I can put it in by December when I have the 1.7 release.

      Thanks Theo.

      One question I would have is what happens on violation, soft error or tear down of program?

