ASLR entropy is very low in mimalloc-secure

[pr0cf5]

The execution environment is ubuntu 18.04 latest.

// address range [0x40000802000 - 0x40000917021] is allocated at a rate of 0.570000
// address range [0x40000942000 - 0x40000a57021] is allocated at a rate of 0.430000
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <malloc.h>

void* p[256];
uintptr_t buf[256];

int main() {
  p[0] = malloc(378200);
  p[1] = malloc(1134626);
  return 0;
}

When executing the code above, the heap memory range is quite predictable. It is, by 100% either one of 0x40000802000 - 0x40000917021 or 0x40000942000 - 0x40000a57021, so it may be prone to heap spray attacks. The main reason is because the base address is fixed to 0x40000000000.

[daanx]

Ah that is unexpected; Did you run in debug mode? In that case ASLR is disabled for mimalloc to be more deterministic (unless secure mode is enabled). The entropy should be 20 bits, see

mimalloc/src/os.c

Line 474 in a9686d6

init = init + (MI_SEGMENT_SIZE * ((r>>17) & 0xFFFFF)); // (randomly 20 bits)*4MiB == 0 to 4TiB

[daanx]

I tested this and I think you were running in debug mode.

[insuyun]

Hi. I think that would be nice if you mention this in the documentation.
I checked documentation but fails to find this until I read code.

[daanx]

Hi @insuyun,

Yes you are right; I'll add it to the documentation.

Hmmm, on the other hand, maybe it is better to always enable ASLR in secure mode just to avoid this kind of surprise.
(and if you need determinism for debugging then one can always compile outside secure mode). I'll sleep on it but I think that is probably a better solution. Thanks for bringing this to attention again :-)

[insuyun]

We are working for the next version of ArcHeap to evaluate security of secure allocators.
Our tool actually found this issue, and my student @pr0cf5 reported it.
I reviewed this issue today and found that it is better to be documented for other people.

Thank you for your work!
Best,
Insu Yun

[daanx]

Thanks Insu -- I just pushed a commit to make ASLR to be always on in secure mode to avoid future security surprises.
Good luck with the paper and send me a draft when you can :-) -- let me know if there are any further issues that I can address.

[daanx]

Ouch, looking at the commit I realized my logic was wrong -- it was already fixed! The test

#if (MI_SECURE>0 || MI_DEBUG==0)

should always trigger in either secure or non-debug mode so it should already always do ASLR in secure mode even with debugging enabled. However, when I look back in the repo to 2020-08-09, it looks like it was already like this when the issue was raised so I wonder how that came about?
(see:

mimalloc/src/os.c

Line 472 in 5805c39

#if (MI_SECURE>0 || MI_DEBUG==0) // security: randomize start of aligned allocations unless in debug mode

)

[insuyun]

Oh, I checked that my student said that he used older version.
I think now it seems ok.
Thank you for letting us know.

Best,
Insu Yun