On 02/20/2012 09:07 PM, Ralf-Philipp Weinmann wrote:
>
> On Feb 20, 2012, at 8:57 PM, Ondrej Mikle wrote:
>
>> Many tricks I've seen in defeating ASLR and other anti-ROP mitigations
>> required some side-channel knowledge. Which is where the policy can do a
>> good job at stopping the attacker from gaining such side-channel
>> information.
>
> Yes, you'll need to bake yourself an info leak to deal with grsec.
>
>> Since with gentoo you compile everything with your own settings of
>> compiler/linker and whatnot, that alone makes it hard for an attacker to
>> search for "gadgets" (pieces of code that can be used for ROP).
>
> I'm familiar with the technique, and agree that custom compiler/linker
> settings on the box you're attacking can be a PITA to deal with. Depending on
> the skills of the adversary, they might buy you a couple of months.

Yeah, I noticed that after sending the previous mail, when reading your
USENIX/27C3 paper in the meantime :-)

>> Is the additional RBAC policy worth it? Depends on your threat model. I've
>> had a server running with grsecurity RBAC enabled for experimentation
>> several years ago. The policies took a few days to write, but that's far
>> from "unfeasible".
>
> RBAC, SELinux and App Armor (yes, I've added more clunky ways to band-aid
> buggy code to prevent it from spilling the lifeblood of your box) are useful
> for some things. I just really doubt they will buy you additional protection
> in the threat model we're talking about.

Another option is model-checking. But "true" model-checking of Tor is almost
definitely unfeasible. Though RBAC is "kind of" model-checking.

An interesting side note is that with ASLR and custom compile/link flags the
machine acts as a random oracle (against ROP-style attacks). According to
Baker-Gill-Solovay, in a universe relativized with random oracles, NP^A != P^A
(A = random oracle). Thus it's provable that no deterministic polynomial
algorithm can exist for ROP-style attacks. (I might have overstretched a bit
the assumption about such a machine being a random oracle; but you get the
point.)

Ondrej
_______________________________________________
tor-talk mailing list
[email protected]
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
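The thread's argument that ASLR and custom compile/link flags raise the cost of ROP only holds if the binaries on the box were actually built position-independent, with a non-executable stack and with RELRO. The following checker is an added example, not code from the thread or from the Tor or grsecurity projects: it parses the ELF64 header and program headers directly (no third-party library) and reports those three load-time mitigations. The two sample images it embeds are constructed by the helper `build_elf` so the example runs offline; the constants come from the ELF ABI (`elf.h`), and `check_mitigations` / `build_elf` are names chosen here.

```python
import struct
import sys

# Constants from the ELF specification / Linux ABI (elf.h).
ET_EXEC, ET_DYN = 2, 3
PT_LOAD = 1
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4
EHDR_FMT = "<16sHHIQQQIHHHHHH"   # Elf64_Ehdr, little-endian (64 bytes)
PHDR_FMT = "<IIQQQQQQ"           # Elf64_Phdr, little-endian (56 bytes)


def check_mitigations(data: bytes) -> dict:
    """Report load-time mitigations of a 64-bit little-endian ELF image.

    pie:       e_type == ET_DYN (for a program with PT_INTERP this means PIE,
               so the kernel can randomize the image base under ASLR)
    nx_stack:  PT_GNU_STACK present and without PF_X; a missing PT_GNU_STACK
               is reported as not NX, since old loaders then default to RWX
    relro:     PT_GNU_RELRO present (partial RELRO; full RELRO additionally
               needs DT_BIND_NOW in the dynamic section, not checked here)
    """
    if len(data) < struct.calcsize(EHDR_FMT) or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELFCLASS64 little-endian images are handled here")
    ehdr = struct.unpack_from(EHDR_FMT, data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = ehdr[1], ehdr[5], ehdr[9], ehdr[10]
    if e_phentsize != struct.calcsize(PHDR_FMT):
        raise ValueError("unexpected program header size")

    gnu_stack_flags = None
    has_relro = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 8 > len(data):
            raise ValueError("program header table runs past end of image")
        p_type, p_flags = struct.unpack_from("<II", data, off)
        if p_type == PT_GNU_STACK:
            gnu_stack_flags = p_flags
        elif p_type == PT_GNU_RELRO:
            has_relro = True

    return {
        "pie": e_type == ET_DYN,
        "gnu_stack_present": gnu_stack_flags is not None,
        "nx_stack": gnu_stack_flags is not None and not (gnu_stack_flags & PF_X),
        "relro": has_relro,
    }


def build_elf(e_type: int, phdrs: list) -> bytes:
    """Constructed sample (not a real binary): minimal ELF64 header followed by
    program headers given as (p_type, p_flags) pairs; offsets/sizes are zero."""
    ehsize = struct.calcsize(EHDR_FMT)
    phentsize = struct.calcsize(PHDR_FMT)
    # e_ident: magic, ELFCLASS64, ELFDATA2LSB, EV_CURRENT, ELFOSABI_SYSV, pad
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = struct.pack(EHDR_FMT, ident, e_type, 0x3E, 1, 0, ehsize, 0, 0,
                       ehsize, phentsize, len(phdrs), 0, 0, 0)
    body = b"".join(struct.pack(PHDR_FMT, t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return ehdr + body


# Constructed samples: one built the way a hardened toolchain would lay it out,
# one a fixed-address executable with an RWX stack and no RELRO segment.
HARDENED = build_elf(ET_DYN, [(PT_LOAD, PF_R | PF_X),
                              (PT_GNU_STACK, PF_R | PF_W),
                              (PT_GNU_RELRO, PF_R)])
WEAK = build_elf(ET_EXEC, [(PT_LOAD, PF_R | PF_X),
                           (PT_GNU_STACK, PF_R | PF_W | PF_X)])

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(sys.argv[1], check_mitigations(fh.read()))
    else:
        print("hardened sample:", check_mitigations(HARDENED))
        print("weak sample:    ", check_mitigations(WEAK))
```

Run it with a path to a real ELF to audit that file, or with no arguments to see the two constructed samples side by side. On the hardened sample all three flags come back true; on the weak one `pie` is false because the image is ET_EXEC and therefore loads at a fixed address regardless of kernel ASLR, and `nx_stack` is false because PT_GNU_STACK carries PF_X.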
