Comments (7)
Thank you for creating this issue! I thought a bit more about this since #13943 (comment):
- Type isolation requires considerable changes to the allocator, as addresses are reused in various scenarios. In particular we need to change zend_mm_gc() so it doesn't release address space, large slots must be allocated in fixed size bins like small ones, and for huge ones I'm not sure. I'm considering the layout used by mimalloc for small/large bins.
- GigaCages may not be practicable, or may not be effective, for multiple reasons. One is that the maximum string size is SIZE_MAX.
- ASLR: On Linux the mmap base is randomized by 28 bits by default, but we align chunks to 2MiB and the layout is predictable inside chunks, so we only get 19 bits of randomness in practice. We can improve that without too much effort, so even though ASLR is not a panacea it would still be worth it. Having a different base in every child process, and re-basing from time to time would also help a bit (literally, according to this paper).
- Under the threat model of a remote attacker, in some scenarios GET/POST may be the only way to heap feng shui. Allocating user inputs in a separate heap would be efficient against heap feng shui in this case.
Longer term, we should check if replacing refcounting+cycle GC by a full tracing GC is practicable, because it would help. Although refcounting can not be entirely removed because CoW semantics rely on it.
from php-src.
- mimalloc is pretty neat and performant, and I'd recommend looking at isoalloc as well. I spent some time last year trying to produce some easily digestible mitigation/design comparison between userland allocators which might be relevant here, as well as benchmarking the performance of the different allocators, even gave a small talk on the topic.
- Err, indeed data with SIZE_MAX won't fit in a GigaCage, sigh.
- Unfortunately, having a different base means re-executing the process after the fork, which might significantly impact performance wrt. CoW. It's one of the reasons Android's Zygote doesn't do it. Moreover, I think that the threat model here is "an attacker with (limited) PHP code execution", meaning that ASLR can usually be inferred/ignored in some ways. Randomization applied to freelists would/could help though.
- Isolating GET/POST is a great idea indeed!
from php-src.
- mimalloc is pretty neat and performant, and I'd recommend looking at isoalloc as well. I spent some time last year trying to produce some easily digestible mitigation/design comparison between userland allocators which might be relevant here, as well as benchmarking the performance of the different allocators, even gave a small talk on the topic.
Great, thank you!
- Unfortunately, having a different base means re-executing the process after the fork, which might significantly impact performance wrt. CoW. It's one of the reasons Android's Zygote doesn't do it. Moreover, I think that the threat model here is "an attacker with (limited) PHP code execution", meaning that ASLR can usually be inferred/ignored in some ways. Randomization applied to freelists would/could help though.
Agreed with changing the base entirely. What I had in mind was to use a random mmap hint in zend alloc, and allocate contiguously from that hint (to avoid splitting the address space too much). After that we can randomize bin placement inside chunks (but I feel this can be easily defeated with heap feng shui) and freelists inside bins indeed.
Regarding the threat model, I'm focusing more on the remote attacker model for now, as I feel this is the most critical.
from php-src.
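The "random mmap hint, then allocate contiguously from it" idea above, as an added example that is not php-src code: the base is drawn once per process and kept 2MiB-aligned (the zend_alloc chunk granularity mentioned in the thread), and chunks are then bumped out from it. The HINT_LOW/HINT_HIGH window and the x86_64 47-bit user address space are assumptions; MAP_FIXED_NOREPLACE is a real Linux 4.17+ flag.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <sys/mman.h>
#include <sys/random.h>
#include <unistd.h>

#ifndef MAP_FIXED_NOREPLACE
#define MAP_FIXED_NOREPLACE 0x100000   /* older headers; ignored by old kernels */
#endif

#define CHUNK_SIZE (2u * 1024 * 1024)  /* 2MiB, the zend_alloc chunk size */
#define HINT_LOW   (1ull << 32)        /* assumed: stay clear of the binary and brk */
#define HINT_HIGH  (1ull << 46)        /* assumed: well inside 47-bit user space */

static uintptr_t next_hint;            /* bump pointer for contiguous chunks */

/* Draw a fresh 2MiB-aligned base in [HINT_LOW, HINT_HIGH) from the kernel CSPRNG.
 * Returns 0 on failure. (HINT_HIGH - HINT_LOW) / CHUNK_SIZE is a power of two,
 * so the modulo below introduces no bias. */
uintptr_t pick_random_base(void) {
    uint64_t r;
    if (getrandom(&r, sizeof r, 0) != (ssize_t)sizeof r) return 0;
    uintptr_t slots = (uintptr_t)((HINT_HIGH - HINT_LOW) / CHUNK_SIZE);
    return (uintptr_t)HINT_LOW + (uintptr_t)(r % slots) * CHUNK_SIZE;
}

/* Map one chunk at the next slot after the random base. MAP_FIXED_NOREPLACE
 * makes the kernel fail with EEXIST instead of silently relocating the mapping
 * when the slot is already taken; in that case we skip a slot and retry, so the
 * heap stays mostly contiguous instead of fragmenting the address space. */
void *alloc_chunk(void) {
    if (next_hint == 0 && (next_hint = pick_random_base()) == 0) return NULL;
    for (int tries = 0; tries < 64; tries++) {
        void *p = mmap((void *)next_hint, CHUNK_SIZE, PROT_READ | PROT_WRITE,
                       MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED_NOREPLACE, -1, 0);
        next_hint += CHUNK_SIZE;
        if (p != MAP_FAILED) return p;
        if (errno != EEXIST) return NULL;   /* a real mmap failure, give up */
    }
    return NULL;
}

int free_chunk(void *p) { return munmap(p, CHUNK_SIZE); }
```

With 2MiB alignment the base itself only carries log2(slots) = 25 bits of entropy in this window, which is the kind of number the thread is comparing against the default mmap randomization.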
Agreed with changing the base entirely. What I had in mind was to use a random mmap hint in zend alloc, and allocate contiguously from that hint (to avoid splitting the address space too much). After that we can randomize bin placement inside chunks (but I feel this can be easily defeated with heap feng shui) and freelists inside bins indeed.
Oh, I see. Yes, having a randomized per-child base would help a bit, as an attacker wouldn't be able to use forks to bruteforce the randomization, albeit memory allocated before the fork would still be at the same offset across processes. As for periodic rebasing, I guess having the master process re-executing itself once in a while would be an acceptable hack tradeoff.
Remote PHP exploitation is pretty exotic; to my knowledge, the only person to do it (publicly) is @cfreal. Local exploitation is much more common, usually to bypass open_basedir and disable_functions.
from php-src.
...
- surround large allocations with guard-pages, as done in partitionAlloc, scudo, …
...
@jvoisin, just curious; would you recommend using the userfaultfd API in that case?
from php-src.
@jvoisin, just curious; would you recommend using the userfaultfd API in that case?
I'd rather keep things simple and portable: map two pages PROT_NONE and let the process violently crash in case of violation. I'm under the impression that userfaultfd adds a lot of complexity, which is never a good thing for security-related features.
from php-src.
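The guard-page scheme from the two comments above (large allocations bracketed by PROT_NONE pages, as in PartitionAlloc and scudo), as an added example that is not php-src code. guarded_alloc/guarded_free and the guard_trips probe are names chosen here; the probe only exists to show that touching either guard really faults.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
/* Round n up to a multiple of page (page is a power of two). */
static size_t page_round(size_t n, size_t page) { return (n + page - 1) & ~(page - 1); }
/* Layout: [PROT_NONE page][page-rounded body, RW][PROT_NONE page].
 * Returns a page-aligned pointer to `size` usable bytes, or NULL. */
void *guarded_alloc(size_t size) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    if (size == 0 || size > SIZE_MAX - 3 * page) return NULL;   /* size overflow */
    size_t body = page_round(size, page);
    char *base = mmap(NULL, body + 2 * page, PROT_NONE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return NULL;
    /* Open only the middle; the first and last page stay inaccessible. */
    if (mprotect(base + page, body, PROT_READ | PROT_WRITE) != 0) {
        munmap(base, body + 2 * page);
        return NULL;
    }
    return base + page;
}
/* size must be the value that was passed to guarded_alloc. */
int guarded_free(void *p, size_t size) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    return munmap((char *)p - page, page_round(size, page) + 2 * page);
}
/* Probe: returns 1 if reading *p faults (SIGSEGV, or SIGBUS on some platforms), 0 if readable. */
static sigjmp_buf probe_env;
static void on_fault(int sig) { (void)sig; siglongjmp(probe_env, 1); }
int guard_trips(const void *p) {
    struct sigaction sa = {0}, old_segv, old_bus;
    sa.sa_handler = on_fault;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    volatile int tripped = 1;             /* volatile: survives the siglongjmp */
    if (sigsetjmp(probe_env, 1) == 0) {
        volatile char c = *(const volatile char *)p; (void)c;
        tripped = 0;                      /* only reached when the read succeeded */
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return tripped;
}
```

A linear overflow off either end of the body lands in a guard page and the process dies on the first out-of-bounds byte, which is exactly the "violent crash" behaviour described; a write that skips past the guard page entirely is not caught by this alone.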
Oh, not so much complexity; it allows handling the violation more smoothly than the usual technique you're referring to. But... that's just Linux :)
from php-src.