MPS issue job003484

TitleMPS has predictable address space layout
Assigned userGareth Rees
DescriptionThe Virtual Memory Arena implementation assigns its own addresses, and so a client program that makes an identical series of calls to the MPS gets an identical series of addresses back. This defeats any address space layout that's enforced by the operating system and makes programs easier to attack.

If I run this program repeatedly on Mountain Lion:

    #include <stdio.h>
    #include <stdlib.h>

    int data;

    int main() {
        void *heap = malloc(4);
        int stack = 0;
        printf("data: %p text: %p stack: %p heap: %p\n",
               &data, (void *)main, &stack, heap);
        return 0;

I get output like this:

    data: 0x104479020 text: 0x104478eb0 stack: 0x7fff5b787b4c heap: 0x7f8df34000e0
    data: 0x103b35020 text: 0x103b34eb0 stack: 0x7fff5c0cbb4c heap: 0x7fe430c000e0
    data: 0x1034b6020 text: 0x1034b5eb0 stack: 0x7fff5c74ab4c heap: 0x7fe7e84000e0
    data: 0x100330020 text: 0x10032feb0 stack: 0x7fff5f8d0b4c heap: 0x7f83e2c000e0

But suppose I use the MPS with an address space of 256 MiB

    #include <stdio.h>

    #include "mps.h"
    #include "mpsavm.h"
    #include "mpscmvff.h"

    int main() {
        mps_arena_t arena;
        mps_arena_create(&arena, mps_arena_class_vm(), 1<<28);
        mps_pool_t pool;
        mps_pool_create(&pool, arena, mps_class_mvff(), 1 << 20, 16, 8, 0, 0, 1);
        void *heap;
        mps_alloc(&heap, pool, 4);
        printf("heap: %p\n", heap);
        return 0;

Now the output is perfectly predictable:

    heap: 0x110000000
    heap: 0x110000000
    heap: 0x110000000
    heap: 0x110000000

Someone might legitimately think twice about using the MPS for a programming language runtime because of this: a fixed address space makes buffer overflow attacks much more reliable to carry out.
AnalysisNone as yet.
How foundinspection
Observed in1.111.0
Created byGareth Rees
Created on2013-05-16 14:57:12
Last modified byGareth Rees
Last modified on2016-09-04 15:28:25
History2013-05-16 GDR Created.


Change Effect Date User Description
192138 closed 2016-09-04 15:28:25 Gareth Rees Document security issues in the MPS.