From mboxrd@z Thu Jan 1 00:00:00 1970
From: Daniel Colascione
Newsgroups: gmane.emacs.devel
Subject: Re: Preview: portable dumper
Date: Tue, 29 Nov 2016 13:50:26 -0800
References: <047a67ec-9e29-7e4e-0fb0-24c3e59b5886@dancol.org> <9b6a0571-b2ae-a5dd-a643-3595e8f71cd6@cs.ucla.edu>
To: Paul Eggert
Cc: emacs-devel@gnu.org
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.0.50 (gnu/linux)
Xref: news.gmane.org gmane.emacs.devel:209774
In-Reply-To: <9b6a0571-b2ae-a5dd-a643-3595e8f71cd6@cs.ucla.edu> (Paul Eggert's message of "Tue\, 29 Nov 2016 13\:35\:12 -0800")

On Tue, Nov 29 2016, Paul Eggert wrote:
> On 11/29/2016 01:19 PM, Daniel Colascione wrote:
>> Even *with* a PIC Emacs (which I hope is the default, because ASLR
>> greatly improves security), we can get these savings if
>> mmap(BASE_ADDRESS_STORED_IN_DUMP, ...) succeeds and we can map the dump
>> where we want. If we can't map the dump where we want, we'll just
>> relocate it.
>
> Although your other advantages sound good, this one sounds
> worrisome. If Emacs maps the dump to the same place every time, we are
> giving up ASLR for the dump itself, and won't that pose a potential
> security risk? If so, perhaps it would be better to not mmap to the
> base address stored in the dump (unless we can determine that ASLR is
> not in use, I suppose).

The Emacs dump isn't PROT_EXEC though. It's pure* data, and this
difference diminishes the risk considerably, I think. I'd at least like
to make this behavior a user option.

* We do store function pointers in the dump, and an attacker could
theoretically overwrite one of these to point where she wanted --- but
with all PROT_EXEC code in the process being randomized, where would she
point the function pointer that's under her control?