Heap Protection Mechanism

An anonymous reader writes "There's an article by Jason Miller on innovation in Unix that talks about OpenBSD's new heap protection mechanism as a major boon for security. Sounds like OpenBSD is going to be the first to support this new security method."

Slowdown?

[(1+-sqrt(5))*(2**-1)]

Continues Theo,

A number of other similar changes which are too dangerous for normal software or cause too much of a slowdown are available as malloc options as described in the manual page.

Id est, they stopped before reaching a Java-like retardation.

Re:Slowdown?

[(1+-sqrt(5))*(2**-1)]

Trying programming in Java sometime outside of a website applet, kid, and maybe you will learn something.

I'm quite willing to concede the argument that programmer time is dearer than processor time; but why has the the Real Time Specification for Java, for instance, only been able to achieve 100 microsecond interrupt response times, when 2.0 microsecond response times aren't unheard of in other domains?

Re:Slowdown?

You Java apologists are worse than creationists.

Re:Slowdown?

Ho hum.

http://www-128.ibm.com/developerworks/java/library /j-jtp09275.html

Malloc is slow. Per studies, 20-30% of CPU time wasted on memory management.

I haven't seen that level of retardation in JVM's since... oh... 1996?

But yeah, keep thinking you can do it better. Whatever. In the meanwhile, the rest of the world moves on.

Re:Slowdown?

[ergo98]

Malloc is slow. Per studies, 20-30% of CPU time wasted on memory management.

Interesting paper - thanks for the link.

However I find the conclusions given a bit dubious. For instance the claim that allocations are "free" is somewhat dubious - garbage collecting languages put all of the work on the back-end, giving the illusion of a free front-end (whereas non-GC languages put the hard work on the front-end). Yet for every object you create on the heap that is more work the heap walker has to do each GC to detect orphaned objects - a non-trivial task. It then has to free all of those objects, and because of the "free" allocation it has to move all of the objects and rebase every object pointer in the application. It doesn't take a genius to realize that is a signficiant task in an application of a real-world size.

I think the proof is in the empirical proof - how many high performance memory intensive Java applications are there?

Re:Slowdown?

[Retric]

Java's RTspec is not designed around those applications. In the Real time world a lot of people are still using ASM because in plenty of applications programmer time is much cheaper than CPU time. If your paying for 10,000,000 CPU's then and 6 programmers then paying for 50c CPU's vs. 1$ CPU's is worth a lot.

I work with real time systems and 0.0001 seconds (100 microseconds) is plenty fast for most Human to Real time systems applications. Granted JAVA is not what you want for fine-tuning your Engines performance but it's plenty fast for most applications. What makes Java so useful is you get to avoid most of the really time consuming bugs. Compare a fully functional java based multithreaded HTTP server with the C / C++ equivalent and it's going to be 1/3rd as much code. And will operate at vary close to the same speeds. In other words it's designed around applications where programmer time is worth more than machine time. We already have C so Java was built around the 95% of applications that don't need inline ASM.

I have killed BSD UNIX with buggy C networking code which is the only thing I have been unable to duplicate with good Java code. You can do bit twiddling in Java, but it's faster in C. You can have hundreds of threads doing their own thing in either but it's much easer to do that in Java than C/C++. The secret is to know enough about how Java works so that you avoid things like creating new threads that eat up a lot of time. Once you understand how things work you can use things like Thread Pooling that are extremely efficient. Instead of complaining that concatenating Strings takes so long try learning about what other tools are out there like StringBuffer.

PS: A quick look at some fast Java code. (It is a bit dated but gives you some idea what I am talking about.)

Re:Slowdown?

[JohnQPublic]

PS: A quick look at some fast Java code. (It is a bit dated but gives you some idea what I am talking about.)

Hmm ... that's a little archaic. The page complains about Java performance in JDK 1.1, and appears to be based on a site (http://www.cs.cmu.edu/~jch/java/optimization.html ) that hasn't been updated since 1998.

Re:Slowdown?

[liloldme]

It doesn't take a genius to realize that is a signficiant task in an application of a real-world size.

And anyone who's run a JVM knows about the price of this task -- yes GC takes time.

However, as I understood the article, the author was making a point that the way most C programmers manage memory tends to make the task more time consuming than is necessary. Therefore relying on a known optimized implementation rather than reinventing the wheel every time may be preferred. After all, it is just the VM implementor that needs to understand how to optimize the memory management, not the application developers. So yes, where the time is spent is shifted but also the amount of total execution time spent on memory management can be reduced -- because the task is managed differently.

As for the specific details of this paper, they're basically discussing how to determine which objects can be safely allocated from the stack, instead of heap, and therefore can be discarded without the usual book keeping required from a heap GC.

how many high performance memory intensive Java applications are there

Java is so widely used on the server side and middleware, it cannot be difficult to come up with examples -- Tomcat, J2EE app servers, etc. eBay for instance advertizes very clearly on their front page to be powered by Sun's Java technology. There are individual Java systems that manage millions of transactions daily, and there must be thousands of systems out there that do this every day with Java.

Re:Slowdown?

[eric76]

About 15 years ago I started using a technique to improve performance when doing lots and lots of very short term mallocs.

Essentially, I'd create a large ring buffer of malloced temporary buffers of some standard length. Any time a temporary buffer was needed, I'd grab the next one in the ring.

Before the buffer was provided to the function asking for it, the length would be checked. If the requested length was longer than the current length, the buffer would be freed and one of at least the proper length would be allocated. (I normally allocated by buffers in byte multiples of some fixed constant, usually 32.)

The idea was that by the time it was reused, what was already in the buffer was no longer needed. To achieve that, I'd estimate how many buffers might be needed in the worst case and then multiply that number by 10 for safety's sake.

My primary use of this was when doing enormous numbers of allocations of memory for formatting purposes. The function doing the formatting would request a buffer large enough to hold whatever it would need, write the formatted data into the buffer, and then return a pointer to the buffer. The calling function would simply use the buffer and never have to worry about freeing it.

The performance results were superb except in the very simplest cases where you allocated the buffers without ever using them.

I've never known anyone else who used this kind of approach although I've showed it to a large number of people.

Re:Slowdown?

[Dan+Farina]

Many people have used this sort of approach. It is called "pooling."

Its use dates back to the first GC'd langauge, LISP, and was a common way to reduce garbage generation.

Re:Slowdown?

[Krach42]

Well the same issue exists with Copy-on-Write. COW implementations give an impression of faster copying, because they back off all the copying until the first damage to that information. Turns out that in some cases you don't need to make an actual fresh copy in every situation, and that sometimes, you just copy it to use it, don't damage it then just return. In those cases COW gains you time. Since you only copy when you must. You just have to deal with blocking during the first write to the copy. (You would have waited anyways during the copy, you just shift were it's at.)

The issue with GC vs. non-GC languages is that GC pushes all that GC stuff to the back end, but ask yourself, what if you never have to collect the garbage? The whole question lies in, if we wait until the back-end to clean everything up, will we gain any time? Considering that you spend less time on important non-transient things with GC, and potentially more time on very transient things, while you spend about the same time on both in non-GC, the question is How transient is your memory? Of course, the less transient your memory is, the less often you'll have to reallocate space for it in the non-GC case... so...

Re:Slowdown?

[TheRaven64]

And it can seriously increase the speed of a bit of code. I recently profiled some of my code and found that it was spending around 40% of its time in malloc and free. I created a very simple memory pool (no ring buffers, just a simple linked list with insertions and removals at the same end, nice and fast) for each frequently-allocated object type, and saw a huge speed increase.

Re:Slowdown?

[Fulcrum+of+Evil]

I've heard of pooling but was under the impression that you were mallocing several memory allocations at once, but that the pieces of allocated memory were assigned to particular uses.

That is basically what you just described - malloc std_length * count. Allocate out of this pool preferentially.

The primary benefit of this was to perform one malloc instead of N mallocs for N different memory assignments.

This performs 1 + N*M(1-hit_rate) allocations instead of N*M allocations, which is generally really nice.

new method?

[iggymanz]

other OS have had heap protection mechanisms, even one from Microsoft.

Re:new method?

[Intron]

ISTR that MS tried doing immediate free and it broke some programs that depend on the memory still being sround after being freed, so they made it optional. Sounds like OpenBSD is playing hardball here.

Re:new method?

[dougmc]

Sounds like those programs were broke from the start

Perhaps, but look at it from the user's perspective :

First, their system is working properly. Their OS is working, and their application is working. And then SP2 comes out, and they install it. And their application stops working.

Who are they likely to blame? Microsoft of the creator of their application? They'll look at what changed, and decide that Microsoft is to blame. And if this application is important, they'll even back out SP2 to make it work again.

Re:new method?

[afidel]

In the three cases we ran into when I was a consultant last year we placed the blame squarely on the shoulders of the vendor with the foobar product. They were coding in an unsafe manner to an undocumented API, it was 100% their fault. Now a naive home user with no real computer savy might blame MS, but when you look at the tradeoffs it seems like the security cleanup was good for the entire computer using public, even if a few people did have an app or two broken.

Re:new method?

[JohanV]

You mean the Data Execute Protection from Microsoft? OpenBSD has had that for a long time already, only they named it w^x.

This new feature from OpenBSD is the use of guard pages and the immediate freeing of memory. In essence this means that both bad programming and exploit attempts are much more likely to result in a core dump then some unidentifiable and non reproducible corruption or a working exploit. Many people consider that a good thing because it will result in bugs being found in userland applications that would have otherwise stayed unnoticed. So even if you don't use OpenBSD yourself this is helping your system becomming more secure and better. And if you are running OpenBSD there is o need to worry too much about the stability of this feature, it was actually enabled shortly after the 3.7 release and has been in every snapshot on the way to 3.8.

And I have to agree with the author that the best thing is that we get all the goods without ever having to switch them on!

Re:new method?

[ArbitraryConstant]

"You mean the Data Execute Protection from Microsoft? OpenBSD has had that for a long time already, only they named it w^x."

They also didn't need the per-page execute bit to do it. You need a fairly new machine to get the protection, but my 486 firewall has it. They also have stack protection, which is helpful because even if the heap and stack aren't executable you can overwrite return addresses or pointers to functions, and have them point to existing code that can be tricked into doing something malicious.

Re:new method?

[dougmc]

In the three cases we ran into when I was a consultant last year we placed the blame squarely on the shoulders of the vendor with the foobar product

Ok, but most Windows users don't have anything to do with consultants, and think that vendors are the guys who sell hotdogs (or the things you close to stop the wind from coming in, depending on where they live.)

Ultimately, think of Grandma. She fires up AOL, then her computer tells her that she needs SP2. She goes `ok' and many hours later, SP2 is done, and her {insert program useful to grandma here} application no longer works. She's not likely to blame this on the creator of the program -- she'll blame it on either Microsoft or AOL. (After all, grandma is no dummy. She knows that the program didn't change -- only Windows did. And perhaps AOL made it do it.)

It must really suck doing AOL tech support :)

Re:new method?

[afidel]

None of the applications which were actually broken by XP SP2 are something granny would run. On the other hand some of the applications that were affect were, but those were generally minor problems.

Hope

Let's hope it's not as broken as Microsoft's attempt in SP2.

But why did it take so long to implement?

Re:Hope

[Krach42]

There have existed functions in Windows and Linux for a long time that mark a page as executable. Even though Linux or Windows never really enforced this to be set when executing data, it was required by specification.

Now that they're enforcing the specification, people complain that it broke.

Hey, PearPC was written before they enforced the specification, and Sebastian Biallas had the brilliant notion to actually follow the spec, and mark things as executable. Thus, when SP2 came out, PearPC worked fine.

Usually things break when moving to a newer version because some area of the spec wasn't very heavily stressed, and people writing code that just works (not as in, it works, but as in barely works,) thusly never really bothered shooting towards the spec. Then when the spec is enforced, they get all upiddy claiming that it breaks their app. Their app was broken to begin with, the previous implementations that you were relying on just didn't care.

For instance, when libc 5 (I think, don't hawk me about versions, if you know the correct versions, then please correct me, but I'm working off of a poor memory of the version numbers) came out, it enforced against passing a NULL file pointer. Before hand some people had hacked their code such that if an open failed, and returned a NULL file pointer, they didn't care or print an error message. They just kept going, since it would just waste CPU cycles, as nothing would get outputted or read from the file. It was silently gracefully failing for them, and they used that.

Then libc 5 comes out, and they break this silent graceful failure, and started reporting errors, or crashing when you passed them a NULL file pointer. People yelled and bitched, because they broke their app. But remember, THEIR APPS WERE BROKEN IN THE FIRST PLACE.

That's why I don't like people griping about "blah blah upgrade broke my app". Unless you can state that your app was built to spec from the beginning, then that upgrade didn't break your app. It was broken to begin with. The new upgrade just showed you how it was broken.

OpenBSD at the cutting edge on security

[Sv-Manowar]

Kudos to the OpenBSD folks for being at the cutting edge, in terms of implementations of these security features. Where they lead, surely others will follow and we'll be seeing this feature become commonplace. As their focus is security, its understandable that they lead more incentives in these areas than more mainstream Linux distributions.

Re:OpenBSD at the cutting edge on security

[fireboy1919]

than more mainstream Linux distributions

I know it seems strange...but OpenBSD isn't a Linux distribution at all.

I know its hard to wrap head around. Its one of those things you just have to accept. In addition:
-deep down, cows are not people too. So you can eat 'em, I guess.
-neither are cats or dogs. So don't force them to wear clothing.
-neither is information. So it doesn't care about being free or anything else.
-"Windows" is somehow both an operating system and a Window manager. You're not supposed to consider them separate things (wierd, isn't it?)
-Wearing a tampon with wings will not give you the power of flight.

Hopefully I've cleared up a few issues for you. :)

Re:OpenBSD at the cutting edge on security

[failure-man]

Won't this crutch actually tempt people to write sloppy memory management because "the heap manager will catch it?"
 
Doesn't seem so. The new malloc and mmap behavior will tend to cause buggy memory allocation code to segfault rather than allowing various sorts of stupiness or nastiness.

Re:OpenBSD at the cutting edge on security

[dougmc]

Won't this crutch actually tempt people to write sloppy memory management because "the heap manager will catch it?"

Well, it'll catch it ... and the application will immediately crash.

I don't see how that encourages writing `sloppy memory management'. Nobody wants an application that crashes. (Granted, it's correct for an application to immediately exit when it's in danger of doing damage to something, but to an end user, they don't want their application to crash.)

Perhaps if somebody is explicitly writing their application to be secure, they could worry less about their memory management and assume that the OS will keep them honest (as it should) but ultimately, an application that crashes isn't very useful. And most end users don't care much about security anyways (though if they're using OpenBSD, odds are that they care about security more than most) and would much prefer something that doesn't crash.

Is the performance hit really worth it?

Theo seems to think so. If you disagree, either disable it (it sounds like it's at least somewhat configurable, and even if not, you do have the source), or use another OS.

Re:OpenBSD at the cutting edge on security

[LurkerXXX]

You mean it will encourage sloppy coding more than the current system?

"hey, it might do something strange every once in a while, but at least it keeps running and doesn't crash, so the code is 'good-enough'".

I think Theo is doing entirely the right thing by killing badly written apps rather than letting them do bad things to the system. It's much more likely to make people fix bad code than the current system.

My solution is slower, but 100% effective

When my application needs a chunk of memory, it sends a specially crafted HTTPS request to my bank, debits the account, sends a fax to the local computer shop who then sends a tech over to install the DIMMs.

When the application is finished with the memory, it sends a FAX to the local electronics recycling facility who sends out a tech to remove the DIMMs and melt them down into whatever.

Using this method of heap memory allocation (I call it "ACAlloc" for "Anonymous Coward Alloc" has been 100% effective and I have NEVER had a heap overflow exploit in any of my code.

Yes, it's slow, but I am secure.

...And I'm running the most up-to-date 80386 Linux 0.97 kernel. TDz.

What's next?

[Groo+Wanderer]

Ok, we start out with 'protection', then we move to 'a heap' of protection, most assuredly to be followed by 'a whole heap' of protection. I can only see this spiral continuing until Bill Gates himself gets up on stage at CES in an Elvis suit promising 'a hunka- hunka- burnin protection'. *SHUDDER* Time to take a cold shower.

              -Charlie

Re:What's next?

[Rufus88]

Bill Gates himself gets up on stage at CES in an Elvis suit promising 'a hunka- hunka- burnin protection'. *SHUDDER* Time to take a cold shower.

You *need* a cold shower? Hell, to me, that image *was* the equivalent of a cold shower!

Apologies to the Black-Eyed Peas

OpenBSD's "My Heap":

Lookin' at my heap, heap
You can look but you can't touch it.
If you touch it, I'ma start some drama.
You don't want no drama.
[...]
My heap, my heap, my heap, my heap.

Hm... old technique?

[archeopterix]

Ok, the article is light on technical details, but it seems that they are using guard pages. Guard pages aren't exactly shiny new. Efence has been using them since a long long time.

Re:Hm... old technique?

[Chocolate+Teapot]

Guard pages aren't exactly shiny new

Shhh!! I was waiting until everyone started using them before hitting them with my patent ;)

Microsoft Windows?

[fernique]

Could this technology be implemented in the Microsoft Windows systems to be more secure than Linux?

Re:Microsoft Windows?

[Slashcrap]

Could this technology be implemented in the Microsoft Windows systems to be more secure than Linux?

It certainly could be implemented, but it would have the slight drawback that a huge proportion of apps would stop working.

It's going to break a lot of stuff on OpenBSD as well, but because of their audience they can get away with e.g telling you not to run Apache because it's insecure. Also, the OSS apps that break because they assume a specific memory management model will get fixed. No-one is going to be able to fix Windows apps except the developers. And if they even bother they will just expect you to buy the new version.

And you seem to be saying that implementing this one feature on Windows will make it more secure than $OtherOS. I initially thought you might be trolling, but I've decided to give you the benefit of the doubt and just assume that you either know nothing about security or are making a lame attempt at humour.

Re:cool

[miffo.swe]

"What do you mean? Windows Vista will be more secure than Unix. j/k"

Just like...
Windows 95 was more secure than Windows 3.1
Windows 98 was more secure than Windows 95
Windows NT was much more secure than Windows 98
Windows 2000 was the mother of all security
Windows XP, this time we got it right
Windows XP SP2 this time we really really got it right, promise, cross my heart and hope to die
Windows 2003, most secure server OS ever built!
Windows VISTA, even better than the worlds best system ever built, this time ill put my mother up here on this 100 fot pole and if im wrong may she fall down into that pit of crocodiles!

Until i have a real life experience of good Windows security i will tend to think back and remember all the former promises that have gone down the drain. Today you expect Microsoft to promise things that arent really true.

Hm... gotta reply to myself

[archeopterix]

Ok, I've posted hastily, thus creating a bit of an half-assed post. They use more techniques (random address allocation, immediate free-to-kernel), still not revolutionary, but indeed worth mentioning. My bad.

Could this help Gnome?

[MuMart]

Sounds like a heap that returns unused pages to the system like this would help the problem described by John Moser in the Gnome Memory Reduction Project here.

Is it really true that the standard GNU/Linux heap implementation holds onto pages like this when it becomes fragmented? That sounds really primitive to me.

Re:Could this help Gnome?

[Ulrich+Hobelmann]

I don't know if GNU malloc uses mmap() or brk() for its allocation, but in both cases small memory chunk that the user allocates are taken from bigger, contiguous blocks of memory.

Maybe that's primitive, but it ensures that usually small memory requests are fast, and don't have to much space overhead, either.

If the memory de/allocation patterns are really bad, though, you get fragmentation with the mentioned problems. It's a tradeoff. Note that OpenBSD didn't choose its way for reducing heap usage (maybe they use even more memory, due to overheads), but for security reasons.

There would be one solution, and that's using different arenas, or memory regions for allocation. For instance every window might have its own allocation region, so when you close the window/document, the memory BLOCK is freed. No fragmentation, almost no overhead. I really wish Java apps, Cocoa apps, and other (Mozilla) would do this, as they seem to suffer from this fragmentation problem, only increasing their memory usage, even after closing all documents/windows etc.

Anyway, I love the new malloc, and kudos to the whole OBSD team!

Re:Could this help Gnome?

[joib]

I don't know if GNU malloc uses mmap() or brk() for its allocation, but in both cases small memory chunk that the user allocates are taken from bigger, contiguous blocks of memory.


It uses mmap() for big allocs (IIRC the threshold is 4 MB) and brk() for smaller ones.


There would be one solution, and that's using different arenas, or memory regions for allocation. For instance every window might have its own allocation region, so when you close the window/document, the memory BLOCK is freed.


Something like memory pools, used e.g. by apache portable runtime, gcc, and whatnot. Or the hierarchical allocator used by samba..


I really wish Java apps, Cocoa apps, and other (Mozilla) would do this, as they seem to suffer from this fragmentation problem, only increasing their memory usage, even after closing all documents/windows etc.


Actually, Java being garbage collected and not having "raw" pointers can avoid fragmentation by repacking heap memory. Of course the JVM must still use malloc() or mmap()/brk() directly to get the memory from the OS.

In related news, GCC 4.1 stack protector

[joib]

The upcoming GCC 4.1 release will include a stack protector. Basically it's a reimplementation of the old propolice patch.

Hopefully mainstream distros that have been wary of propolice will start using this new feature. And perhaps glibc malloc will borrow a few tricks from this new openbsd malloc too.

Re:In related news, GCC 4.1 stack protector

[rehabdoll]

There are patches available at http://www.trl.ibm.com/projects/security/ssp/ for 3.4.4 and 2.95.3

Already in Microsoft DEP

[Henry+V+.009]

DEP from Microsoft is only enabled by default on some system binaries. Here is how to enable it for everything: http://www.microsoft.com/technet/security/prodtech /windowsxp/depcnfxp.mspx

My CPU doesn't support DEP in hardware, so I imagine the software-based method of doing this will create quite a speed hit. Anybody have any experience with turning on DEP for all programs?

Re:Already in Microsoft DEP

[Henry+V+.009]

Well, I've turned it on now. No noticeable performance hit, and no mysterious application failures. Just compiled a Visual C++ program and it ran fine. Same for G++ on CYGWIN.

Also, I have not been hacked anytime in the last ~5 minutes, whatever that's worth (but would I know?).

As an aside, I read the paper on the Microsoft DEP flaw a few months ago, and wasn't that impressed. It looks very hard to exploit. And since DEP is a added protection mechanism, the existence of a small, hard-to-expliot flaw isn't that big of a deal. (In simple terms, with DEP on, a hacker would have to exploit and DEP flaw and a normal overrun flaw to hack the system.)

Intron == heap protection

[hey]

I don't know if it was on purpose but your sig -- which mentions Intron (aka Junk DNA) is very apt.
OSes can put Intron between Exon (useful DNA -- useful stuff on the heap) to
detect badly behaving apps!

In other words, so-called "Junk DNA" may actually have a use...
HEAP PROTECTION ;-)

Re:Intron == heap protection

[SilverspurG]

In some cases introns serve a known purpose in indexing for the enzymes which work with DNA. Junk DNA is the stuff with no known purpose at all.

You're still correct. It is heap protection in an evolutionary way. Heap protection on computers seeks to safeguard the data as it is. Junk DNA accepts that things are going to get corrupted and seeks to make it statistically less likely for the important parts to get corrupted.

Thanks for that train of thought. :)

Re:Intron == heap protection

[Jah-Wren+Ryel]

You're still correct. It is heap protection in an evolutionary way. Heap protection on computers seeks to safeguard the data as it is. Junk DNA accepts that things are going to get corrupted and seeks to make it statistically less likely for the important parts to get corrupted.

Just being a "dummy target" seems like an inefficient use for extra DNA. I would have expected something along the lines of ECC like reed-solomon coding to have evolved. Kinda shoots down the "intelligent design" theory too, unless you can accept that God is an amateur at this stuff.

Totally wrong

What they restrict here, is extremely shitty programming. What's the point of allowing accessing memory areas out-of-bounds? Fewer crashes, because the system does not notice them? This is a very bad idea. If you don't know how to handle arrays and you don't know any other means to restrict yourself from doing something stupid, OpenBSD shows the best way to do it (as last instance).

Re:My Windows XP has heap protection!

[jcupitt65]

The MS thing is just support for no-execute: the bit that says that this page is only code and not data and you shouldn't try to run anything in here. Everyone has supported this for ages.

This is more. It looks like they are adding extra 'tripwire' pages to the heap, so if an attacker manages to write to part of the heap they shouldn't, there's a good chance they'll hit a tripwire and be detected.

Wrong solution for solving heap problems.

[master_p]

From the kerneltrap.org post:

He explains that for over a decade efforts have been made to find and fix buffer overflows, and more recently bugs have been found in which software is reading before the start of a buffer, or beyond the end of the buffer.

The solution that the kerneltrap.org refers to against buffer overflows is to:

1. unmap memory as soon as it is freed, so as that to cause a SIGSEV when illegaly accessed.
2. have some free 'guard' space between allocated blocks.

My opinion is that #1 will slow software down, although it will make it indeed more secure. #2 will make it more difficult to exploit buffer overflows, since the space between two allocated heap blocks will be random (and thus the attacker may not know where to overwrite data).

Unless I haven't understood well, these solutions will not offer any real solution to the buffer overflow problem. For example, stack-based exploits can still be used for attacks. The solution shown does not mention usage of the NX bit (which is i86 specific). It is a purely software solution that can be applied to all BSD-supported architectures.

Since all the problems relating to buffers (overflow and underflow) that have costed billions of dollars to the IT industly is the result of using C, doesn't anyone think that it is time to stop using C? there are C-compatible languages that allow bit manipulation but don't allow buffer overflows; e.g. Cyclone.

Re:Wrong solution for solving heap problems.

[Homology]

1. OpenBSD already makes use of NX-bit protection (they call it W^X).
2. OpenBSD previously implemented stack protection (propolice + other stuff).
3. OpenBSD even implements W^X on non-NX-bit i386 through other techniques.

The last point is important since most i386 machines don't have the NX-bit, and that will be the case for many years to come.

Re:Wrong solution for solving heap problems.

[bluefoxlucid]

C is actually the most secure language currently, AFAICT. Languages with higher level intrinsics (C++, Java, Basic, Mono, Objective-C, etc) have a more complex implementation that may allow different exploit vectors; while languages with real-time interpretation or runtime code generation (Java or Mono with JIT) will wind up disabling things like strong memory protection policies (strict Data/Code separation -- code is data when generated at runtime) and may not in their own code create a backup buffer overflow protection.

In the event of a screw-up on the part of the JIT or runtime programmer for any language, every program is instantly vulnerable, and all of this generic proactive security stuff is disabled because this "secure language" doesn't work in an "inherantly secure" environment, only a much weakened one. C's runtime is rather basic (and it's still huge), as is its language; people still screw that up once in a while, but rarely.

While these "shiney new secure languages" may boast "immunity to buffer overflows," their runtimes are still designed around other concepts that may leave holes. Look at this memory allocator and think about a bug in the allocator that smashes up its own memory before it gets everything set up; because the new protections aren't yet set in place, it'd be totally vulnerable at that point (no practical exploit of course). A bug that forgets to add guard pages (generates 0 guard pages every time) might occur too in one update. Now add to that something like Java or Mono-- interpreted or not, you're running on a whole -platform- instead of just a runtime. C++ instruments loads of back-end object orientation.

So in short, C is a very basic language that has easily quantifiable attack vectors, and thus the system can be targeted around these for security. Several such enhancements exist, see PaX, GrSecurity, W^X, security in heap allocators, SELinux, Exec Shield, ProPolice. Higher level languages like C++ implement back-end instrumentation that ramps up complexity and may open new, unprotected attack vectors that are harder to quantify. Very high end languages on their own platform, like Java and Mono, not only implement massive complexity, but rely on a back-end that may lose its security due to bugs. Platform languages may also be interpreted or runtime generated, in which case they may require certain protections like PaX' strict NX policy to vanish; in some cases these models (as an implementation flaw) also don't work well with strict mandatory access control policies under systems like SELinux.

Face it. C is the best language all around for speed, security, portability, and maintainability. Assembly only brings excessive speed at the cost of all else; and higher level languages sacrifice both speed and real security (despite their handwaving claims of built-in security) at varying degrees for portability, speed of coding, and maintainability. Even script languages working inside a real tightly secured system would more easily fall victim to cross-site scripting, the injection of script into the interpretation line; under such a system, any similar attack is impossible in a C program.

On a side note, I'd love to see a RAD for C. Think Visual Basic 6.0, but open source, using C/GTK+. Glade comes close. . . .

Re:Wrong solution for solving heap problems.

[csirac]

The solution shown does not mention usage of the NX bit (which is i86 specific).

Actually, x86 is one of the last into town with "NX bit" functionality. POWER (and PPC I guess), PA-RISC, Sparc, Alpha, etc. on the big-iron has had this feature as a standard part of their architecture (along with the OSes that run on them) for bloody ages now... on those CPUs, even Linux has had hardware support since before whenever x86 got NX support.

http://en.wikipedia.org/wiki/NX_bit

Although this can stop execution of arbitrary code in areas of memory that aren't meant for it, you're still going to be vulnerable to corruption of memory and make the software behave in unintended ways. The problem is that the Operating System can't tell the difference between a memory pointer that has stepped outside the malloc'd space it was intended to address and into an adjacent one, or two legitimate pointers behaving nicely.

Adding the guard space will definately help, as will unmapping memory. OpenBSD hasn't exactly been known for its high performance; people use it for security and peace of mind. Additionally, they made mmap() return random addresses, which is very cool indeed.

doesn't anyone think that it is time to stop using C?
C is not used for building web apps, so what are you talking about?

Everybody knows C is the right tool for some jobs, Java/Perl/Ruby/etc for others.

In the right hands C can be just as secure and has the potential to be much faster than most of the alternatives.

Re:Wrong solution for solving heap problems.

[bluefoxlucid]

Actually, the correct analogy would be:

Permenantly dark goggles -- Java, etc

Goggles that tint when bright light happens -- C

The argument "C is insecure, we should use [insert odd language here]" is like saying, "Goggles that auto-tint are bad because they're not dark all the time, and you could see a bright flash."

The argument I made would be more like, "The auto-tint goggles are better because they take the basic need -- you have to see -- and allow that, but still protect you from the blinding flash of welding light when needed by cutting your vision off at that moment, a necessary evil some of the time."

I suggest you don't make retorts to peoples' comments unless you actually know what you're talking about.

Re:Sacrfice useability? Nice idea , won't work.

[Daniel_Staal]

Actually, for OpenBSD, it will work. And has.

The reason is very simple: There will always be some applications where the security of the system is a paramount point. Where it does have to do with the application. OpenBSD caters directly to those people, and those applications.

Now, you are right, this means OpenBSD is likely to never get as large a following as Linux or even FreeBSD, but they honestly don't care. They are making a system that fits their goals, and security is among the top goals.

This actually allows security to spread: Once these changes are on a 'major' system, applications start to be ported to work with them, which means the changes can be ported to other systems.

OpenBSD is a security testing ground. If it's features get in your way, you use a different system. This won't be the first time that advice will have been applicable.

Unnecessary when using languages that solve this p

[putko]

Languages like Lisp, Haskell, Scheme and ML allow you to avoid buffer and heap overflows (assuming the language implementation is correct).

It is therefore, in my opinion, less optimal (from a security perspective) to use something like "C" for a complicated app like sendmail, web server or secure shell daemon (sshd) than it is to use a language like "C".

Finally Locking the Door

[Doc+Ruby]

I'm surprised that modern heaps still put writable data segments adjacent to executable code segments. Self-modifying code is rare enough that all code should be in read-only (except by privileged processes, like the kernel which sets it up and tears it down) segments, except when a process has privilege to write to its own code segment. Then its code segment should be a data segment, with other security features applied (that are too expensive to apply to every code segment). Generally then, segments are either writeable or executable. Data segments could still get overwritten, which could put unsafe values in unexpected variables (like "write to that file" instead of this file). But at least those insecure operations are limited to the operations programmed into the code, not arbitrary new code inserted into executables by buffer overflows.

After decades of these problems, and known techniques already applied in Computer Science, its surprising that we're only now seeing these techniques deployed in popular OS'es like OpenBSD. Hopefully the open nature of OpenBSD and other OSS OS'es will see them tested for winning strategies quickly, and widely adopted.

Also Worth Mentioning

[RAMMS+EIN]

This presentation (by Theo de Raadt) gives a good overview of the security features in OpenBSD (beyond what's already outlined on the OpenBSD security page). It covers W^X, random stack displacements, random canaries to detect stack smashing, random library base addresses, random addresses for mmap and malloc operations, guard pages, privilege revocation, and privilege separation. One thing it doesn't cover is systrace.

Heap protection?

[justforaday]

I call my heap protection mechanism "bumpers" : p

Re:cool

[Iriel]

Then again, while I'm not defending Microsoft, here's my take on their 'security':

Yes, plenty, and maybe even most of their promises about being a generally secure system are complete and utter rubbish. However, I'm willing to bet that each of their OSes are more secure than the last one. The problem is that they still leave plenty of holes open when they do things like (to point out the landmark example) weld the web browser to the kernel. I know that most people crack windows because it's easy, but while I may be wrong on this, I think people will continue to spend thier efforts on Windows even if their security was (competely hypothetically) top-notch only because of the bad reputation that precedes them.

I'm not saying that Windows is secure or that it ever will be. However, their security has improved, regardless of how poorly. The last reason on the list to crack Windows (in my opinion) and possibly the strongest reason is that they have a history of poor security. I think script-kiddies will pour ANY amount of effort into destroying any version of Windows just to keep that idea alive.

As much as I love Linux, I really doubt that any one distro (like RedHat for example) would be able to keep their system as secure as it is now if they were the entire world's information security scapegoat as MS is now. (PS, yes I know that MS does, mostly deserve the title they hold)

(I'm not a security expert, nor am I claiming to be, so if you think I'm wrong all I ask is that you not 'correct' me with a torch ^_^)

Linux Had A Spec For This Ages Ago

But Linus doesn't like specs so it got dropped !

OpenBSD Goals

[RAMMS+EIN]

Yep. After all, the goal of the OpenBSD project is not simply to be the most secure operating system ever. The goal is to provide the best security, along with a number of other goals, such as running Unix software, achieving good performance, and providing a good (according tho the stated goals even "the best") development platform.

Re:cool

[resiak]

they do things like (to point out the landmark example) weld the web browser to the kernel.

For about the 35,348th time: no, no they don't. IE has nothing to do with the kernel. Go and learn what a kernel is. Hope that helps, have a nice day. :-)

This is how Electric Fence works.

[Bruce+Perens]

Electric Fence explicitly allocates dead pages at the end (or configurably, the beginning) of buffers. It can also protect the memory immediately as it is freed. I think it was first published in 1987.

It may be a legitimate invention - it is cited as prior art in an ATT patent. This is also the first known example of a prior Open Source publication causing a patent filer to cite. ATT also removed a claim from the patent that my work invalidated. Just search for "Perens" in the U.S. patent database to find the patent.

We don't run it on production programs because of its overhead. To do this sort of protection exhaustively, it requires minimum two pages of the address space per allocation: one dead page between allocations and one page allocated as actual memory. This is a high overhead of page table entries, translation lookaside buffers, and completely destroys locality-of-reference in your application. Thus, expect slower programs and more disk-rattling as applications page heavily. If you are to allocate and release memory through mmap, you get a high system call overhead too, and probably a TLB flush with every allocation and free.

Yes, it makes it more difficult to inject a virus. Removing page-execute permission does most of that at a much lower cost - it will prevent injection of executable code but not interpreter scripts.

I don't think the BSD allocator will reveal more software bugs unless the programmers have not tested with Electric Fence.

Bruce

Re:This is how Electric Fence works.

[LurkerXXX]

I don't think the BSD allocator will reveal more software bugs unless the programmers have not tested with Electric Fence.

I think that's exactly the problem though. There are users out there installing applications they found somewhere, by somebody who may or may not have bothered to use a good debugger. This will prevent those unknown bad apps from fouling up the system.

I'm still on OpenBSD 3.7. I haven't tried the 3.8 builds, but I'm hoping the overhead from this won't be too bad.

Re:This is how Electric Fence works.

[stab]

I don't think the BSD allocator will reveal more software bugs unless the programmers have not tested with Electric Fence.

The OpenBSD allocator already has revealed a number of software bugs (in X11, in ports, they lurk everywhere). Some of the bugs found were years old. Thats the point of the testing process in the OpenBSD release cycle.

I think you're missing the point behind the integration of these technologies into OpenBSD. The idea is that they are always on, with a performance hit that is acceptable that your day-to-day programs can be protected, and most crucially, used under them. Not sitting in a debug environment getting limited regressions and unit tests that the particular programmer felt like writing (and if I want that, I run it under Valgrind, which has a near-miraculous tendency to find lurking bugs).

And considering them in isolation is also dangerous. When you combine the address randomization, W^X, heap protection, propolice canaries and local variable re-ordering, you're left with a system that has accepted a reasonable performance hit in return for a large amount of protection against badly written code. Sprinkle in regular audits, timely releases every 6 months to keep our users up-to-date on stable systems, and a 'grep culture' to hunt down related bugs in the source tree when a bug does strike.

As others have pointed out, other "hero projects" have stuck bits and bobs into their respective distributions. But how many have had the discipline to follow through, maintain and integrate their patches, test the fallout and release a complete OS with thousands of third-party packages year after year... probably only Microsoft, but the first thing they do at the sign of incompatibility is to turn the protection off. Oh well :)

Re:This is how Electric Fence works.

[stab]

The guards pages are only practical for larger allocations due to hardware limitations, as you say. Strings are protected by different means such as Propolice; in order to minimise the overhead of Propolice, it "detects" strings (as opposed to byte buffers) and specifically protects them with canaries to try and find overflows that would smash the stack (the local variable re-arrangement tries to put these buffers as close to the canary as it can at compile time). The string detection is a heuristic as gcc doesn't maintain quite enough type information when it reaches the code generation parts which Propolice touches. Also, there is a simple bounds checker built into gcc which looks for incorrect use of statically allocated buffers with some standard functions such as strncpy or sscanf (you'd be amazed how many people specify the buffer size wrong to a bounded function).

None of these are perfect of course, but each of the techniques has found bugs (hundreds in the case of the two mentioned above) in our source and ports trees. It's also great to see projects like CCured being developed at Berkeley; although the overhead is just slightly too high to be used "out of the box" right now, it still works great with select applications such as Apache. The underlying tool, CIL can compile most of the OpenBSD source tree (including the kernel) now, and the result even boots when using a null source-to-source transform.

VBLinux

[Frankie70]

  For real security, don't use C.


I am rewriting Linux in Visual Basic 6.0.
I am going to call the distro VBLinux.

Re:OpenBSD does not matter

[Ulrich+Hobelmann]

Who is "not giving back?"
Feel free to download all of their source code before complaining.
If you don't like it, don't use it, even though I'm sure you too benefited from some security fixes that originated with OpenBSD.

Performance?

[cardpuncher]

I'd be interested to know what the performance impact of this is - exactly what counts as "too much of a slowdown".

Application heap allocation has "traditionally" been fairly inexpensive unless the heap has to be grown (update a couple of free block pointers/sizes) and the cost of growing the heap (which requires extending the virtual address space and therefore fiddling with page tables which would on a typical CPU require a mode change) is mitigated by allocating more virtual address space than is immediately needed.

If free space is always unmapped then each block allocation will require an alteration to the page tables, as will each unallocation. Not to mention that could cause the page-translation hardware to operate sub-optimally since the range of addresses comprising the working set will constantly change.

If most allocations are significantly less than a page size, then the performance impact may be minimal since whole pages will rarely become free, but if allocations typically exceed a page size, that would no longer be true. If the result is that some applications simply implement their own heap management to avoid the overhead, then you've simply increased the number of places that bugs can occur.

Re:For Real Security

[Jamu]

From the examples in the essay, you could easily make the case that for real security use good code.

Re:For Real Security

[NullProg]

Just curious,

Do you also advocate four times the memory usage and double the speed? Do you blame the language or the speaker when they can't formulate a proper sentence construct? How about we just teach the programmers better instead of bitching about the tool they use.

If half the C coders out there knew the differences between stack, heap, and namespaces, we would not even be debating this issue. Don't blame the coders, blame the universities.

Enjoy,

Re:cool

[Orgazmus]

Its just Windows 2000 with a 1 added for each bugfix

Re:This is why I couldn't use OpenBSD exclusively.

[Nimrangul]

But they don't care, they're not trying to be FreeBSD or a Linux distribution, they're trying to be OpenBSD and a part of that is not letting people's perception of optimum performance get in the way of doing what is right by them.

You gotta remember, the project doesn't do it for outsiders, what they do is for themselves. They want security and are willing to pay performance and ease of use to get it, it's like a mantra for them, never take the path of least resistance.

If this looses like 5 or 10 percent of it's performance on my machines I won't mind, it's another layer of protection and I like having it and am fine with the cost, faster hardware isn't that expensive. If something I run crashes, I will report to the people that wrote it, telling them that I found a problem that was found by OpenBSD's malloc, maybe they'll even devote an old test box to checking for bugs on it.

If OpenBSD was trying to be a Linux distribution then we'd not have most of the good stuff that makes OpenBSD unique.

Re:Unnecessary when using languages that solve thi

[Clover_Kicker]

You're totally right, dude.

Let me know when you release your Haskell version of Sendmail, and I'll switch over immediately.

Re:Whatever happened to segmentation?

[Sloppy]

Holy crap, if my 1987 self could hear what I'm saying in 2005... "You senile old bastard! I'll fucking kill you for this!" would probably be his first reaction.

2005 self would counter with, "Yeah, the pointers will be bigger than they used to be, but you progam in high-level languages now, so you don't ever worry about that. It's the compiler's problem."

1987 Sloppy would say, "But I'm going go write a compiler!"

2005 Sloppy would say, "You fuckwit, you never got anywhere on that project. You barely even started it. Too much time fucking around with graphics and genetics."

1987 Sloppy would say, "But, but, it's not fair! Segmentation is an x86 thing. Everyone knows that in the future, we'll all be using 68k. 68k doesn't do segmentation."

2005 Sloppy would sigh.

1987 Sloppy would say, "Oh come on. There's no way people are still using x86 in the 21st century, or even in the 1990s. No fucking way."

2005 Sloppy would just shrug. There's nothing to do in a situation like this. There's nothing you can say. They'll never believe you.

Re:Unnecessary when using languages that solve thi

[Bob+The+Cowboy]

It always surprises me when something like this gets modded up on /.

This I believe is one of the key differences between programmers and computer scientists. I would simply love to see something with the complexity of sshd or sendmail written in Haskell, Lisp, Scheme, or whatever the current interpreted language is en vogue. Seriously, show me the code! Benchmark some enterprise-level (as in, used in businesses, not the buzzword) non-trivial app (like the aforementioned) written in C/C++ compared to it's interpreted counterpart. I would be incredibly surprised if Apache, Mozilla, Word, whatever would run with anywhere near the speed or responsiveness.

Your opinion (which you are of course entitled to) ignores things like Operating Systems, embedded devices, and even the runtimes/interpreters/virtual machines themselves. And then who is going to maintain this code? Haskell and friends don't have anywhere near the mindshare that C/C++/Java have. You're right.. in theory, using C is terrible, but in reality the other options are worse for different reasons.

Bill

Re:Heap Protection vs. Managed Code

[0xABADC0DA]

You don't "rearrange" the MMU, you just check/clear the dirty bit in the page table. This bit is set by the hardware regardless so setting it is zero overhead. Clearing these bits is still only 0.006% the time of scanning all of memory. So unless you write to 32k unique pages per GC you get a huge benefit from this.

You could probably also use the MMU to reduce pauses in the gc... you determine what objects are unreachable in the background and using the dirty bit you can tell which pages may have references into the set, so instead of starting over from scratch again you just weed out the now-reachable objects from the set, which seems like it should be a much more tractable problem.

If I wasn't working I would do this. Check out jnode or jxos for example.

Solaris has had this for YEARS

[sethmeisterg]

Check out libumem -- much more powerful than this and has been around in Solaris for years (granted, the manpage should be better to reveal the powerful features -- but a quick look at the source at opensolaris.org reveals how to use the most advanced features).