Date: Wed, 15 Feb 2017 14:17:53 -0800
From: Rick Moen
To: conspire-at-linuxmafia.com
Subject: [Learn] [conspire] [svlug] AnC side-channel attack: In which ASLR doesn't protect you from dumbness
Message-ID: <20170215221753.GK6937-at-linuxmafia.com>
Organization: If you lived here, you'd be $HOME already.
Resent-From: Ruben Safir to learn-at-mrbrklyn.com, Wed, 15 Feb 2017 18:10:14 -0500
Further worthwhile links:
https://www.vusec.net/projects/anc/
https://news.ycombinator.com/item?id=13650611
----- Forwarded message from Rick Moen -----
Date: Wed, 15 Feb 2017 13:33:45 -0800
From: Rick Moen
To: skeptic-at-linuxmafia.com
Subject: Re: [skeptic] It isn't Windows vs Apple anymore - all modern CPUs can be compromised
Organization: If you lived here, you'd be $HOME already.
Quoting Beth W (badastrum-at-gmail.com):
> New ASLR-busting JavaScript is about to make drive-by exploits much nastier
> A property found in virtually all modern CPUs neuters decade-old
> security protection.
[...]
> Full article at
> https://arstechnica.com/security/2017/02/new-aslr-busting-javascript-is-about-to-make-drive-by-exploits-much-nastier/
I also recommend the actual research article discussed, http://www.cs.vu.nl/~herbertb/download/papers/anc_ndss17.pdf
I'm not the least bit surprised, because Javascript has always been a disaster (but also see below; it's not _really_ Javascript but rather what it's called upon to do). It's always been absurdly overfeatured, and so everyone with elementary common sense has been severely curtailing what it's permitted to do, either using a _well-tuned_ NoScript (i.e., not just load the extension and drool) or its latter-day competitor uBlock Origin or uMatrix (same qualification).
Users almost never are willing to do that, because users overwhelmingly behave like morons, never even looking to tweak the defaults of their software let alone questioning the necessity and wisdom of excessive functionality, and correcting that. At the end of my lecture 'The Wild, Wild Web: Web Browser Security, Performance, and Privacy' in Feb. 2011, I asked for an honest show of hands about how many in the audience were seriously considering following my recommendations. I think there were three hands. I thanked everyone for their honesty. And that was a _technical_ audience, but they were nonetheless lazy and borderline inert. This is the reality.
I'll mention in passing that Javascript is overfeatured but that any other language pressed into its role would pose the same problem, and that is that a remote Web server asks your browser 'Will you be willing to run unknown program code I'm about to hand you that will run in a full-blown Turing-complete environment and do basically damned near anything it wants, with your user to be told the results later?', and your browser says 'Sure, I'll start that for you.'
And why is this the case? Why does even Firefox ship without the means to curtail and control this stuff, with that task being consigned to extensions and aftermarket configuration? Because advertising, and because user-tracking[1]. Because Sutton's Law.
As one of the reader comments on ArsTechnica says, ASLR is and always was security through obscurity. The real problem is accustoming users to blandly running complex, unknown, third-party code that they have absolutely no reason to trust and want to run -- just because someone makes a buck from that. If your security depended on ASLR, you already lost.
To translate to man-in-the-street, ASLR is this: 'Problem: People run exploit code. That code, once running, finds running code and its data structures in the user's computer memory and messes with it, in order to do harm. Solution: Let's shuffle around the virtual memory addresses of running code and its data structures to make them unpredictably located.' The research paper documents a pretty easy side-channel method for exploit code to _find_ that running code and data structures.
Darn, what a pity users keep running highly untrustworthy, complex, unknown code from nobody-in-particular! If only they had... what's that phrase?... a sense of self-preservation.
But of course computer users have none. It's been shown repeatedly that most will give away their corporate-network passwords for candy, for example.
You want a comprehensive layered response that still keeps Javascript in the picture, look no farther than Qubes OS, which sandboxes everything in individual hypervisor VMs. Me, I'll continue to just corral and whittle down Javascript through other means. As I said during my lecture, Javascript is really the keystone security problem.
And if Javascript hadn't been the advertising/tracking-driven keystone security problem, something equally ugly would have taken its rotten niche.
[1] This industry goes under a wealth of euphemisms, including metrics, 'Web bugs', behavioural marketing, a lot more.
----- End forwarded message -----
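The 'shuffle around the virtual memory addresses' gloss above can be checked directly on a Linux host. This is an added example, not part of Rick's post or the AnC paper: it parses /proc/<pid>/maps dumps from freshly exec'd processes and counts how many address bits actually move per region, which tells a defender whether ASLR is on and roughly how much entropy each region gets. The SAMPLE_MAPS dump is constructed, and `cat` plus a mounted /proc are assumed for the live measurement.

```python
import re
import subprocess

# One /proc/<pid>/maps line: start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(r"^([0-9a-f]+)-[0-9a-f]+(?:\s+\S+){4}\s*(.*)$")

# Constructed sample of a `cat /proc/self/maps` dump (not captured from a real host).
SAMPLE_MAPS = """\
55d1c0a00000-55d1c0a08000 r--p 00000000 fd:01 1234 /usr/bin/cat
55d1c1e3f000-55d1c1e60000 rw-p 00000000 00:00 0 [heap]
7ffd3c5d2000-7ffd3c5f3000 rw-p 00000000 00:00 0 [stack]
7ffd3c5fb000-7ffd3c5fd000 r-xp 00000000 00:00 0 [vdso]
"""

def region_starts(maps_text):
    """Start address of the stack, heap, vdso and executable in one maps dump."""
    starts = {}
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue
        addr, path = int(m.group(1), 16), m.group(2).strip()
        if path in ("[stack]", "[heap]", "[vdso]"):
            starts.setdefault(path.strip("[]"), addr)
        elif path.startswith("/") and "text" not in starts:
            starts["text"] = addr  # first file-backed mapping is the binary
    return starts

def varying_bits(samples):
    """{region: bits that changed across samples}; 0 means never randomized."""
    base, mask = samples[0], {}
    for sample in samples[1:]:
        for region, addr in sample.items():
            if region in base:
                mask[region] = mask.get(region, 0) | (base[region] ^ addr)
    return {region: bin(mask.get(region, 0)).count("1") for region in base}

def measure_live(runs=20):
    """Exec `cat /proc/self/maps` repeatedly (each exec is re-randomized)."""
    samples = []
    for _ in range(runs):
        out = subprocess.run(["cat", "/proc/self/maps"], capture_output=True,
                             text=True, check=True).stdout
        samples.append(region_starts(out))
    return varying_bits(samples)

if __name__ == "__main__":
    for region, bits in sorted(measure_live().items()):
        print(f"{region:6s} {bits:2d} address bits varied")
```

A region reporting 0 bits is never relocated, which on Linux usually means /proc/sys/kernel/randomize_va_space is 0 or, for the text region, that the binary was not built as a PIE.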