[Info-vax] Security, ASLR, KASLR, Pointers (was: Re: VMS x86 performance ?)
Stephen Hoffman
seaohveh at hoffmanlabs.invalid
Tue Nov 3 11:47:04 EST 2020
On 2020-11-02 22:13:00 +0000, John Dallman said:
> In article <rnpp29$bld$1 at dont-email.me>, seaohveh at hoffmanlabs.invalid
> (Stephen Hoffman) wrote:
>
> Some comments from doing this sort of stuff on VMS' mutant stepchild,
> Windows NT:
MICA was a nice design in various ways, and fixed various of the flaws
and limitations present within the OpenVMS design.
>> With code in 64-bit (P2) space (compile 64-bit, and then LINK
>> /SEGMENT_ATTRIBUTE=mumblefratz), the available address space
>> randomization is larger.
>
> The greater entropy is really valuable. This is one of the things that
> will get easier if putting code in 64-bit space gets simpler.
I've come to appreciate the decade-long migration and associated API
deprecation that Apple did with macOS.
A migration to 32-bit-APIs-and-tools-deprecated addressing is
inherently a long-term effort.
VSI is in a different situation in many ways.
>> An alternative to ASLR and KASLR is pointer authentication, and that
>> mechanism is starting to see production deployments...
>
> ARMv8.3 has hardware support for this, but x86-64 does not AFAIK.
Ayup. That's part of what that Microsoft link (re-posted below) was
discussing, too. Intel Control Flow Enforcement CET and Microsoft
Control Flow Guard CFG...
https://www.microsoft.com/en-us/research/uploads/prod/2019/07/Pointer-Tagging-for-Memory-Safety.pdf
>> This work might well include work on ... app signing
>
> One needs to distinguish between app signing and individual image
> signing. Apple uses whole-app signing, but their model is very much
> built around apps as the only form of distributed software. That makes
> good sense for consumer software markets, but that's not what VMS is
> for. Microsoft lets you sign individual EXEs and DLLs, which is more
> flexible.
Going to bundle-based app distributions provides other advantages, even
for servers. Installing apps with system-wide access is just a Bad
Idea, and in so many different ways.
For locally-developed and locally-deployed apps that aren't ever going
to be bundled, yes, a different approach for determining app and
environment integrity (and indirectly, user integrity) is necessary.
Sites with locally-developed deployments have either checksummed their
own installations, or have decided or have defaulted to not
implementing that verification. I'd wager most folks are in the latter
group. The latter gets ugly too, as you're trying to run more than one
server, or have multiple folks administering some or all of the servers.
Work that was intended to checksum the OpenVMS components (think
DECdetect-like) was targeting MD5 checksums, which shows how far back
that work was. A migration to SHA-3 checksums would be typical, now.
--
Pure Personal Opinion | HoffmanLabs LLC
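As an added example that is not part of the original post or of any OpenVMS tooling, here is the kind of local checksum-manifest verification the message above describes, using SHA3-256 in place of the MD5 digests the older work targeted. The manifest line format, the file names in the constructed scenario and the function names are assumptions for illustration.

```python
"""Manifest-based installation integrity check using SHA3-256.

Added example; the 'sha3-256 <hexdigest>  <path>' manifest format and
all names here are assumptions, not an OpenVMS or DECinspect format.
"""
import hashlib
import hmac
import os
import tempfile

CHUNK_SIZE = 1 << 16


def sha3_256_file(path):
    """Stream a file through SHA3-256 and return its hex digest."""
    h = hashlib.sha3_256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Return {relative_path: digest} for every regular file under root.

    Symlinks are skipped so a check cannot be redirected at another file;
    directory and file order is sorted so the serialised text is stable.
    """
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha3_256_file(full)
    return manifest


def dump_manifest(manifest):
    """Serialise as one 'sha3-256 <hexdigest>  <path>' line per file."""
    return "".join(f"sha3-256 {d}  {p}\n" for p, d in sorted(manifest.items()))


def load_manifest(text):
    """Parse manifest text; reject anything that is not a SHA3-256 entry
    (so a legacy MD5 manifest cannot be silently accepted)."""
    manifest = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            algo, digest, path = line.split(None, 2)
        except ValueError:
            raise ValueError(f"manifest line {lineno}: malformed")
        if algo != "sha3-256" or len(digest) != 64 or not all(
            c in "0123456789abcdef" for c in digest
        ):
            raise ValueError(f"manifest line {lineno}: not a SHA3-256 entry")
        manifest[path] = digest
    return manifest


def verify(root, expected):
    """Compare the tree under root against a previously recorded manifest."""
    actual = build_manifest(root)
    modified = sorted(
        p for p in expected
        if p in actual and not hmac.compare_digest(actual[p], expected[p])
    )
    missing = sorted(p for p in expected if p not in actual)
    unexpected = sorted(p for p in actual if p not in expected)
    return {
        "ok": not (modified or missing or unexpected),
        "modified": modified,
        "missing": missing,
        "unexpected": unexpected,
    }


def demo():
    """Constructed scenario: record a small install tree, then patch one
    image, delete one file and drop in an extra one before re-verifying.
    Returns the (clean, tampered) verification reports."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "server.exe"), "wb") as f:
            f.write(b"\x7fELFserver-image-v1")  # constructed stand-in image
        with open(os.path.join(root, "config.dat"), "w") as f:
            f.write("port=8080\n")
        with open(os.path.join(root, "README.txt"), "w") as f:
            f.write("local build\n")
        # Round-trip through the text format as a real deployment would.
        baseline = load_manifest(dump_manifest(build_manifest(root)))
        clean = verify(root, baseline)
        with open(os.path.join(root, "bin", "server.exe"), "ab") as f:
            f.write(b"\xcc")  # simulated binary patch
        os.remove(os.path.join(root, "README.txt"))
        with open(os.path.join(root, "bin", "helper.exe"), "wb") as f:
            f.write(b"dropped-in file")
        tampered = verify(root, baseline)
    return clean, tampered


if __name__ == "__main__":
    print(demo())
```

The manifest only proves anything if it is held somewhere the host being checked cannot rewrite (off-host, or signed with a key the host does not hold); otherwise whoever alters the installation simply regenerates it, which is the gap between a local checksum scheme and the app or image signing discussed earlier in the thread.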