flat assembler
Message board for the users of flat assembler.

Index > OS Construction > Random Memory Address Segment System (RMASS)


Poll: If I use RMASS in my OS (see diagrams), what method would be appropriate in your opinion?
  Method 0: With spaces of random length in between segments, so that applications and data can be loaded using the same method, for example. 0% [0 votes]
  No RMASS: 85% [6 votes]
  Method 1: Segments packed together without spaces in between. The remaining space is reserved for applications and data. 14% [1 vote]
Total votes: 7

Adam Kachwalla
Joined: 01 Apr 2006
Posts: 150
You may have heard about Windows Server "Longhorn" placing system files at random memory addresses to reduce the number of remote code execution attacks; I had a slight improvisation on that idea.

Longhorn loads the whole file into memory exactly as it is, as an exact copy. If a hacker finds out the address, he/she will be able to place a piece of malicious code there, at the same position in the file.

I thought about that for a while, and decided that, although the chance of that happening now would be low, why not make it even lower?

Breaking up the system file into segments and then loading them at random positions (with JMPs in between) may increase the security, because one piece of code will be in the upper half of the RAM and the next piece of code in the sequence in the lower half, for example. It should not affect the performance of the RAM, as the name stands for Random Access Memory.

So, let's say the contents of the kernel for Example OS X were disassembled and translated to FASM. The code may look something like the following:

Original Example OS X Kernel on the hard drive:
Code:
INSTRUCTION1
INSTRUCTION2
INSTRUCTION3
INSTRUCTION4
INSTRUCTION5
INSTRUCTION6
INSTRUCTION7
INSTRUCTION8
INSTRUCTION9
INSTRUCTION10
INSTRUCTION11
INSTRUCTION12
INSTRUCTION13
INSTRUCTION14
INSTRUCTION15
INSTRUCTION16


The Example OS X kernel when loaded into the RAM:
Code:
JMP ISET1          ; entry jump to the first instruction set
                   ; (note: JMP [ISET1] would be an indirect jump through
                   ;  the memory at ISET1, not a jump to the label itself)
RB 7235            ; random-length gap (reserve bytes)
ISET4:
  INSTRUCTION13
  INSTRUCTION14
  INSTRUCTION15
  INSTRUCTION16
  ;And that is the end of the set of instructions.
RB 6218
ISET2:
  INSTRUCTION5
  INSTRUCTION6
  INSTRUCTION7
  INSTRUCTION8
 JMP ISET3         ; continue with the next set in execution order
RB 9672
ISET1:
  INSTRUCTION1
  INSTRUCTION2
  INSTRUCTION3
  INSTRUCTION4
 JMP ISET2
RB 7359
ISET3:
  INSTRUCTION9
  INSTRUCTION10
  INSTRUCTION11
  INSTRUCTION12
 JMP ISET4
RB 5972


I want to know what you think about this idea. And yes, I want to know how good you think it is, any improvements you can make to it, and how bad you think it is.

Also, I would like to know the longest JMP in ASM history, so I can account for that in my code. Also, tell me exactly what value you put after the JMP, and whether it was a 16-bit, 32-bit, or 64-bit instruction, so I can try it out myself!

The longest JMP I have tried is 5 bytes long:

Code:
USE64
JMP 1000000000    


Attachment: RMASS.GIF (40.11 KB, viewed 585 times)
Description: Method 0: With spaces in between segments. Method 1: Segments packed together without spaces in between.




Last edited by Adam Kachwalla on 25 Apr 2007, 10:07; edited 1 time in total
Post 25 Apr 2007, 09:26
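The layout in the post above, modelled host-side as an added example (this is not code from the original post, nor from fasm itself): four "instruction sets" are placed at random offsets inside a flat 64 KiB image, the zero-filled gaps stand in for the RB directives, and the sets are chained with x86 near JMP rel32 (opcode E9, 5 bytes, the same encoding fasm emits for the posted `JMP 1000000000`). The rel32 displacement is measured from the byte after the instruction and must fit in a signed 32 bits, so a single direct JMP reaches at most about 2 GiB in either direction; a farther 64-bit target needs an indirect jump through a register or memory operand. The chunk bodies (NOPs), the terminating RET, the 64 KiB image size and the xorshift generator are all assumptions of this example. The walker at the end shows a property of the layout that a reviewer would want to check: whoever can read the image and knows the entry point can recover every chunk address by decoding the JMP at the end of each chunk.

```c
/* Added example, not from the original post: chunked layout with random gaps,
 * chained by JMP rel32, then recovered by following the chain from offset 0.
 * Assumptions: 64 KiB image, 4 chunks of 4 NOPs each, RET closes the last chunk. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_SIZE (64 * 1024)
#define NCHUNKS    4          /* ISET1..ISET4 in the post */
#define CHUNK_LEN  4          /* INSTRUCTIONn stand-ins: four one-byte NOPs per chunk */
#define JMP_LEN    5          /* E9 + rel32 */

static uint8_t image[IMAGE_SIZE];
typedef struct { size_t chunk[NCHUNKS]; } layout_t;   /* chunk[i] = offset of ISET(i+1) */

/* Deterministic xorshift32 so one seed reproduces one "random" layout. */
static uint32_t rng_state = 1;
static uint32_t rng_next(void) {
    uint32_t x = rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return rng_state = x;
}

/* rel32 is relative to the end of the 5-byte instruction and must fit in int32. */
static int rel32_reaches(int64_t from, int64_t to) {
    int64_t rel = to - (from + JMP_LEN);
    return rel >= INT32_MIN && rel <= INT32_MAX;
}

/* Write "E9 rel32" at img[at] targeting img[target]; 0 if out of range. */
static int emit_jmp_rel32(uint8_t *img, size_t at, size_t target) {
    if (!rel32_reaches((int64_t)at, (int64_t)target)) return 0;
    uint32_t rel = (uint32_t)(int32_t)((int64_t)target - (int64_t)(at + JMP_LEN));
    img[at] = 0xE9;
    for (int i = 0; i < 4; i++) img[at + 1 + i] = (uint8_t)(rel >> (8 * i)); /* little-endian */
    return 1;
}

static int decode_jmp_rel32(const uint8_t *img, size_t at, size_t *target) {
    if (img[at] != 0xE9) return 0;
    uint32_t rel = 0;
    for (int i = 0; i < 4; i++) rel |= (uint32_t)img[at + 1 + i] << (8 * i);
    *target = (size_t)((int64_t)at + JMP_LEN + (int32_t)rel);
    return 1;
}

/* Method 0 of the poll: each quarter of the image gets one chunk at a random gap,
 * chunks are assigned to quarters in shuffled order, so memory order != execution order. */
static layout_t lay_out(uint8_t *img, uint32_t seed) {
    layout_t L;
    int order[NCHUNKS];
    const size_t slot = IMAGE_SIZE / NCHUNKS;
    rng_state = seed ? seed : 1;
    memset(img, 0, IMAGE_SIZE);                           /* the RB gaps */
    for (int i = 0; i < NCHUNKS; i++) order[i] = i;
    for (int i = NCHUNKS - 1; i > 0; i--) {               /* Fisher-Yates shuffle */
        int j = (int)(rng_next() % (uint32_t)(i + 1));
        int t = order[i]; order[i] = order[j]; order[j] = t;
    }
    for (int s = 0; s < NCHUNKS; s++) {
        /* leave room for the entry JMP at offset 0 and for the chunk's own JMP */
        size_t gap = JMP_LEN + rng_next() % (slot - CHUNK_LEN - 2 * JMP_LEN);
        L.chunk[order[s]] = s * slot + gap;
        memset(img + L.chunk[order[s]], 0x90, CHUNK_LEN); /* NOP bodies */
    }
    emit_jmp_rel32(img, 0, L.chunk[0]);                   /* JMP ISET1 */
    for (int i = 0; i + 1 < NCHUNKS; i++)                 /* JMP to the next set */
        emit_jmp_rel32(img, L.chunk[i] + CHUNK_LEN, L.chunk[i + 1]);
    img[L.chunk[NCHUNKS - 1] + CHUNK_LEN] = 0xC3;         /* RET closes the last chunk */
    return L;
}

/* Follow the chain from the entry jump; returns chunks found, -1 if malformed. */
static int walk_chain(const uint8_t *img, size_t *out, int max) {
    size_t pc;
    int n = 0;
    if (!decode_jmp_rel32(img, 0, &pc)) return 0;
    while (n < max) {
        out[n++] = pc;
        size_t next = pc + CHUNK_LEN;                     /* the JMP (or RET) after the body */
        if (img[next] == 0xC3) break;
        if (!decode_jmp_rel32(img, next, &pc)) return -1;
    }
    return n;
}

/* Lay out with `seed`, walk the chain, report whether all chunks came back in order. */
static int roundtrip_ok(uint32_t seed) {
    layout_t L = lay_out(image, seed);
    size_t got[NCHUNKS];
    if (walk_chain(image, got, NCHUNKS) != NCHUNKS) return 0;
    for (int i = 0; i < NCHUNKS; i++) if (got[i] != L.chunk[i]) return 0;
    return 1;
}

int main(void) {
    layout_t L = lay_out(image, 0x2007u);
    for (int i = 0; i < NCHUNKS; i++) printf("ISET%d at 0x%05zx\n", i + 1, L.chunk[i]);
    printf("chain recovered in full: %d\n", roundtrip_ok(0x2007u));
    printf("rel32 from 0 reaches 1000000000: %d, 0x100000000: %d\n",
           rel32_reaches(0, 1000000000), rel32_reaches(0, 0x100000000LL));
    return 0;
}
```

Running it with different seeds moves the chunks around, but `roundtrip_ok` stays true for every seed: the random placement hides the chunks only from someone who cannot read the entry jump, which is the same precondition ASLR already relies on.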
f0dder
Joined: 19 Feb 2004
Posts: 3170
Location: Denmark
Imho not necessary, and it could end up introducing too much overhead.

Address Space Randomization was added to defeat simple buffer overflow (and heap smashing, etc.) exploit code by making it unable to rely on hardcoded addresses. Imho your segmentation idea (you might want to call it "sections" or "chunks" instead, to avoid confusion with x86 segments) doesn't add much extra safety.

Also, keep in mind that the randomization is done at the linear level, not the physical level... it doesn't make sense to add randomization at the physical RAM level; if code has already gained ring0 access (which is necessary for tampering with linear->physical mappings), you're already screwed.
Post 25 Apr 2007, 10:06
Adam Kachwalla
Joined: 01 Apr 2006
Posts: 150
Ikesyay! I forgot about those x86 segments!
Post 25 Apr 2007, 10:12
hidden
Joined: 14 Feb 2007
Posts: 49
Quote:
It should not affect performance of the RAM, as the name stands for Random Access Memory.
It wouldn't affect the performance of the RAM, it would affect the performance of the whole system, and not because RAM isn't Random Access Memory, but because the processor wouldn't be able to use its integrated instruction cache and instruction predecoding, plus the extra jumps affect performance too.
Post 25 Apr 2007, 18:44


Copyright © 1999-2020, Tomasz Grysztar.

Powered by rwasa.