

Linux ASLR mmap weakness: Reducing entropy by half - jvoorhis
http://hmarco.org/bugs/linux-ASLR-reducing-mmap-by-half.html

======
dmitrygr
This, really, is not a big deal. ASLR reduces your chances of attack by making
addresses hard to guess. If you get into the system, and get to execute code,
you have _one_ chance to get it right, or your code crashes and takes the
vulnerable app with it. So while this does have reduced randomness, it is not
a huge deal.

When can it be? If you have a prod app which someone can hammer repeatedly
hoping to guess ASLRed location of something. Now, with this vulnerability,
they need only 64k tries on average instead of 128k tries. But if you do not
notice your prod app crashing 64k times in close succession, you have other
issues :)

~~~
saurik
The question one needs to ask is not whether you will notice, but whether you
will notice before it is too late.

~~~
dmitrygr
Well, if you do not notice 64k prod crashes, you will probably miss 128k as
well, thus ASLR won't save you anyways. :)

~~~
saurik
Every mistake that people find that decreases entropy has a multiplicative
effect, and some of this reduction can take place due to happenstance inside
of the application: maybe you can leak a couple bytes off the stack somewhere,
which lets you decrease the entropy further. That said, "search space is twice
as large" is by itself "big": maybe you'd notice every day, but wouldn't
notice every 12 hours, or you'd notice every week, but not notice every few
days.

~~~
dmitrygr
fair

------
userbinator
"Reducing entropy by half" sounds severe, but given that the actual values are
being reduced from 262144 to 131072, which are either very small or very large
numbers depending on the situation, what's the practical impact of this
weakness?

~~~
cibyr
"Reducing entropy by one bit" doesn't sound nearly as good, does it?
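An added example, not from this thread or the linked article, that puts the numbers the commenters are trading into code: the two position counts (262144 and 131072) as entropy bits and expected guesses, the "would you notice in a day or in 12 hours" question as a time-to-success function of a tolerated crash rate, and a small crash-rate monitor of the kind dmitrygr's "64k crashes in close succession" argument assumes someone is running. The log lines are constructed for the example; their shape follows the kernel's standard "comm[pid]: segfault at ... ip ... sp ... error N in ..." report, and the window and threshold values are hypothetical tuning choices.

```python
"""Added example: quantify the thread's ASLR numbers and show how a
crash-rate monitor would surface repeated guessing against a weakened layout."""
import math
import re
from collections import deque

# Number of positions the mmap base can land on, as given in the thread.
FULL_POSITIONS = 262144      # 2**18
HALVED_POSITIONS = 131072    # 2**17


def entropy_bits(positions: int) -> float:
    """Entropy in bits of a uniformly random choice among `positions` values."""
    return math.log2(positions)


def expected_guesses(positions: int) -> float:
    """Average number of blind guesses before hitting one fixed position.
    Every miss crashes the target, so each guess costs one observable crash."""
    return positions / 2


def hours_to_succeed(positions: int, crashes_per_hour: float) -> float:
    """Wall-clock hours until the average blind guess lands, at a sustained
    crash rate that the environment tolerates without anyone reacting."""
    return expected_guesses(positions) / crashes_per_hour


# Matches the kernel's segfault report as it appears in dmesg-style output.
SEGFAULT_RE = re.compile(
    r"^\[\s*(?P<ts>\d+\.\d+)\]\s+(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at"
)


def crash_storm_alerts(log_lines, window_seconds=60, threshold=50):
    """Return (comm, timestamp, count) for each program whose segfault count
    inside a sliding time window reaches `threshold`; one alert per program,
    raised at the first line that crosses the threshold."""
    recent = {}          # comm -> deque of timestamps inside the window
    alerted = set()
    alerts = []
    for line in log_lines:
        m = SEGFAULT_RE.match(line)
        if not m:
            continue
        ts = float(m.group("ts"))
        comm = m.group("comm")
        q = recent.setdefault(comm, deque())
        q.append(ts)
        while q and ts - q[0] > window_seconds:
            q.popleft()
        if len(q) >= threshold and comm not in alerted:
            alerted.add(comm)
            alerts.append((comm, ts, len(q)))
    return alerts


def constructed_log():
    """Constructed sample: a supervised service knocked over every 0.5 s,
    one unrelated crash of a batch job, and a non-crash line."""
    lines = []
    for i in range(200):
        ts = 1000.0 + i * 0.5
        lines.append(
            f"[{ts:.3f}] webapp[{4000 + i}]: segfault at 7f3a2c1e0000 "
            "ip 00007f3a2c1e0010 sp 00007ffd1a2b3c40 error 4 "
            "in libc-2.31.so[7f3a2c0a0000+1c0000]"
        )
    lines.append("[1005.250] backup[5120]: segfault at 0 ip 0000000000401234 "
                 "sp 00007ffc0000aaaa error 4 in backup[400000+2000]")
    lines.append("[1010.000] systemd[1]: Started Daily apt upgrade and clean activities.")
    return lines


if __name__ == "__main__":
    for n in (FULL_POSITIONS, HALVED_POSITIONS):
        print(f"{n} positions: {entropy_bits(n):.0f} bits, "
              f"{expected_guesses(n):.0f} guesses on average, "
              f"{hours_to_succeed(n, 1024):.1f} h at 1024 crashes/h")
    for comm, ts, count in crash_storm_alerts(constructed_log()):
        print(f"ALERT: {comm} crashed {count} times within 60 s (t={ts})")
```

The monitor keys on the program name rather than the PID because a supervisor respawns the service with a fresh PID after every crash; counting per PID would hide exactly the pattern the thread is discussing. Halving the positions halves `hours_to_succeed` at any fixed crash rate, which is the "every day versus every 12 hours" point in saurik's reply.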

