MPS issue job003484

Title: MPS has predictable address space layout
Status: closed
Priority: nice
Assigned user: Gareth Rees
Organization: Ravenbrook
Description: The Virtual Memory Arena implementation assigns its own addresses, and so a client program that makes an identical series of calls to the MPS gets an identical series of addresses back. This defeats any address space layout that's enforced by the operating system and makes programs easier to attack.

If I run this program repeatedly on Mountain Lion:

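    #include <stdio.h>
    #include <stdlib.h>

    int data;  /* global with static storage */

    int main(void) {
        void *heap = malloc(4);  /* heap allocation */
        int stack = 0;           /* automatic variable on the stack */
        /* Print one address from each region so that runs can be compared. */
        printf("data: %p text: %p stack: %p heap: %p\n",
               (void *)&data, (void *)main, (void *)&stack, heap);
        free(heap);
        return 0;
    }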

I get output like this:

    data: 0x104479020 text: 0x104478eb0 stack: 0x7fff5b787b4c heap: 0x7f8df34000e0
    data: 0x103b35020 text: 0x103b34eb0 stack: 0x7fff5c0cbb4c heap: 0x7fe430c000e0
    data: 0x1034b6020 text: 0x1034b5eb0 stack: 0x7fff5c74ab4c heap: 0x7fe7e84000e0
    data: 0x100330020 text: 0x10032feb0 stack: 0x7fff5f8d0b4c heap: 0x7f83e2c000e0

But suppose I use the MPS with an address space of 256 MiB:

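    #include <stdio.h>

    #include "mps.h"
    #include "mpsavm.h"
    #include "mpscmvff.h"

    int main(void) {
        mps_arena_t arena;
        mps_pool_t pool;
        void *heap;
        /* Virtual memory arena with 256 MiB (1 << 28 bytes) of address space. */
        mps_arena_create(&arena, mps_arena_class_vm(), (size_t)1 << 28);
        /* MVFF pool; sizes are passed through varargs, so cast them to size_t. */
        mps_pool_create(&pool, arena, mps_class_mvff(),
                        (size_t)1 << 20, (size_t)16, (size_t)8, 0, 0, 1);
        /* Allocate 4 bytes and print the address the MPS chose. */
        mps_alloc(&heap, pool, 4);
        printf("heap: %p\n", heap);
        mps_pool_destroy(pool);
        mps_arena_destroy(arena);
        return 0;
    }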

Now the output is perfectly predictable:

    heap: 0x110000000
    heap: 0x110000000
    heap: 0x110000000
    heap: 0x110000000

Someone might legitimately think twice about using the MPS for a programming language runtime because of this: a fixed address space makes buffer overflow attacks much more reliable to carry out.
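
The comparison above can be turned into a repeatable check. The following is an added example, not part of the original report or of the MPS: it parses the output lines quoted in the report and computes which address bits changed between runs. The helper names `field_addr` and `varying_bits` are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Output lines copied from the report above (four runs each). */
static const char *const MALLOC_RUNS[] = {
    "data: 0x104479020 text: 0x104478eb0 stack: 0x7fff5b787b4c heap: 0x7f8df34000e0",
    "data: 0x103b35020 text: 0x103b34eb0 stack: 0x7fff5c0cbb4c heap: 0x7fe430c000e0",
    "data: 0x1034b6020 text: 0x1034b5eb0 stack: 0x7fff5c74ab4c heap: 0x7fe7e84000e0",
    "data: 0x100330020 text: 0x10032feb0 stack: 0x7fff5f8d0b4c heap: 0x7f83e2c000e0",
};
static const char *const MPS_RUNS[] = {
    "heap: 0x110000000", "heap: 0x110000000",
    "heap: 0x110000000", "heap: 0x110000000",
};

/* Parse the address printed after "<label>: "; returns 1 on success. */
static int field_addr(const char *line, const char *label, uint64_t *out)
{
    char key[32];
    const char *p;
    char *end;
    snprintf(key, sizeof key, "%s: ", label);
    if ((p = strstr(line, key)) == NULL) return 0;
    p += strlen(key);
    *out = strtoull(p, &end, 16);   /* base 16 accepts the 0x prefix */
    return end != p;
}

/* Sets *mask to the bits of the labelled address that differ between runs
 * and returns how many there are; returns -1 if a line lacks the label. */
static int varying_bits(const char *const runs[], size_t n,
                        const char *label, uint64_t *mask)
{
    uint64_t first = 0, addr, m = 0;
    int bits = 0;
    for (size_t i = 0; i < n; i++) {
        if (!field_addr(runs[i], label, &addr)) return -1;
        if (i == 0) first = addr;
        m |= addr ^ first;          /* accumulate every bit that ever changed */
    }
    *mask = m;
    for (; m; m &= m - 1) bits++;   /* population count */
    return bits;
}

int main(void)
{
    uint64_t mask;
    int bits = varying_bits(MALLOC_RUNS, 4, "heap", &mask);
    printf("malloc heap: %d varying bits, mask 0x%llx\n", bits, (unsigned long long)mask);
    bits = varying_bits(MPS_RUNS, 4, "heap", &mask);
    printf("MPS heap:    %d varying bits, mask 0x%llx\n", bits, (unsigned long long)mask);
    return 0;
}
```

Four runs give only a lower bound on the number of randomised bits; a zero mask, as for the MPS output, means every run produced the same address.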
Analysis: None as yet.
How found: inspection
Evidence: None.
Observed in: 1.111.0
Created by: Gareth Rees
Created on: 2013-05-16 14:57:12
Last modified by: Gareth Rees
Last modified on: 2016-09-04 15:28:25
History: 2013-05-16 GDR Created.

Fixes

| Change | Effect | Date | User | Description |
|--------|--------|------|------|-------------|
| 192138 | closed | 2016-09-04 15:28:25 | Gareth Rees | Document security issues in the MPS. |