Pierre H. 🔥🌸 · Aug 12, 2021 · 2:13 PM UTC

Pierre H. 🔥🌸

Pierre H. 🔥🌸 @pedantcoder

12 Aug 2021

We typically do not comment on future roadmaps so I won’t go in details. But yes unlike autoslab we rely on manual adoption and it isn’t thorough yet, and covers zones (~= sub-page) for now. We are indeed type based which gives us precise free sites (the free site pins types)

PaX Team · Aug 12, 2021 · 8:18 PM UTC

PaX Team @paxteam

12 Aug 2021

re: sequestering, it's 2 scalability problems: perf impact of small pages (e.g., linux/kmalloc uses the lowmem map with 2M/1G pages on amd64) and available address space (think 100k autoslabs and months of uptime on a busy server).

Pierre H. 🔥🌸 · Aug 13, 2021 · 1:04 AM UTC

Pierre H. 🔥🌸 @pedantcoder

13 Aug 2021

you assume we used 100k zones ;) we randomize type-to-zone mappings each boot, sequestering combined with precise free sites allows us to tune the balance between perf and security. iDevices have even less RAM, and run in such trouble you mention even faster than a busy server

PaX Team · Aug 13, 2021 · 6:31 AM UTC

PaX Team @paxteam

13 Aug 2021

the 100k was the autoslab number and i'm pretty sure manual conversion or the whole sequestering idea wouldn't scale there :). re free sites, are you saying (if you can :) that objects from the same allocation site(s) can end up in different zones (some sequestered, some not)?

Pierre H. 🔥🌸 · Aug 13, 2021 · 3:12 PM UTC

Pierre H. 🔥🌸 @pedantcoder

13 Aug 2021

No. I say that we group types into buckets to diminish the number of zones (slabs). But in general a free site can only free to a single zone. If an attacker tries to pass a pointer from bucket slab you panic. This rigidity makes up for the bucketting we do

Pierre H. 🔥🌸 · Aug 13, 2021 · 3:13 PM UTC

Pierre H. 🔥🌸 @pedantcoder

13 Aug 2021

To exploit a vuln you need to do it with the types your bucket shares as a result. That’s it. and that bucketing is random.

PaX Team · Aug 13, 2021 · 8:30 PM UTC

PaX Team @paxteam

13 Aug 2021

so does it mean that once a physical page is allocated to a (sequestered) zone, it'll never be freed, even if all objects in that zone get freed? 'cos i don't see how else you can guarantee that there's no cross-cache attack possible.

Pierre H. 🔥🌸 · Aug 13, 2021 · 8:40 PM UTC

Pierre H. 🔥🌸 @pedantcoder

13 Aug 2021

VA is not reused and we zero pages on population so you can’t ever see data from a physical page from a previous life.

PaX Team · Aug 13, 2021 · 8:46 PM UTC

PaX Team @paxteam

13 Aug 2021

so you do free the backing page and allow it to be reallocated to another zone later. then cross-cache UAF exploitation is still possible, right?

Pierre H. 🔥🌸 · Aug 13, 2021 · 8:47 PM UTC

Pierre H. 🔥🌸 @pedantcoder

13 Aug 2021

How? The content of the page is erased in the process and we keep no pointers to PA. So what dangling pointer can you use here to carry out the attack?

PaX Team · Aug 13, 2021 · 9:01 PM UTC

PaX Team · Aug 13, 2021 · 9:01 PM UTC

PaX Team @paxteam

13 Aug 2021

Replying to @pedantcoder @spendergrsec

if the page gets reallocated to the same zone some time later then the dangling ptr (VA) becomes 'valid' again (no page fault on deref), and can now point into an object of a different type (since more than one type shares the given zone if i got you right).

Aug 13, 2021 · 9:01 PM UTC

Pierre H. 🔥🌸 · Aug 13, 2021 · 9:03 PM UTC

Pierre H. 🔥🌸 @pedantcoder

13 Aug 2021

Replying to @paxteam @spendergrsec

Yes in the new system you have type confusion possible with a set of types that share your bucket (you do not need reallocation for that). We pick those types smartly and randomly each boot so to carry out your attack you need to find enough type pairs that “work”

Pierre H. 🔥🌸 · Aug 13, 2021 · 9:04 PM UTC

Pierre H. 🔥🌸 @pedantcoder

13 Aug 2021

As I hinted we’re shipping this on phones with less ram capacity than a server so trade offs are made.