Implement Address Space Layout Randomization (ASLR)
With this change, randomization can be enabled for all non-fixed
mappings. It means that the base address for the mapping is selected
with a guaranteed amount of entropy (bits). If the mapping was
requested to be superpage aligned, the randomization honours the
U.S. Department of Homeland Security US-CERT National Cyber Awareness System: Windows ASLR Vulnerability
Original release date: November 20, 2017
The CERT Coordination Center (CERT/CC) has released information on a vulnerability in Windows Address Space Layout Randomization (ASLR) that affects Windows 8, Windows 8.1, and Windows 10. A remote attacker could exploit this vulnerability to take control of an affected system. US-CERT encourages users and administrators to review CERT/CC VU #817544 and apply the necessary workaround until a patch is released.
Greg Kroah-Hartman of the Linux Foundation submitted version 4.10 of a 81-part(!) patch to the Linux kernel by Baoquan He of Red Hat.
[PATCH 4.10 65/81] x86/mm/KASLR: Exclude EFI region from KASLR VA space randomization
4.10-stable review patch. If anyone has any objections, please let me know.
commit a46f60d76004965e5669dbf3fc21ef3bc3632eb4 upstream.
Currently KASLR is enabled on three regions: the direct mapping of physical memory, vamlloc and vmemmap. However the EFI region is also mistakenly included for VA space randomization because of misusing EFI_VA_START macro and assuming EFI_VA_START < EFI_VA_END. (This breaks kexec and possibly other things that rely on stable addresses.) The EFI region is reserved for EFI runtime services virtual mapping which should not be included in KASLR ranges. In Documentation/x86/x86_64/mm.txt, we can see:
ffffffef00000000 – fffffffeffffffff (=64 GB) EFI region mapping space
EFI uses the space from -4G to -64G thus EFI_VA_START > EFI_VA_END, Here EFI_VA_START = -4G, and EFI_VA_END = -64G. Changing EFI_VA_START to EFI_VA_END in mm/kaslr.c fixes this problem.
More info: see the linux-efi/linux-kernel list.
Initial Release supports checking of
/GS (Not 100% reliably)
Control Flow Guard
Metaphor – Stagefright with ASLR bypass By Hanan Be’er from NorthBit Ltd.
Metaphor’s source code is now released! The source include a PoC that generates MP4 exploits in real-time and bypassing ASLR. The PoC includes lookup tables for Nexus 5 Build LRX22C with Android 5.0.1. Server-side of the PoC include simple PHP scripts that run the exploit generator – I’m using XAMPP to serve gzipped MP4 files. The attack page is index.php. The exploit generator is written in Python and used by the PHP code.