[U-Boot] Does U-boot support ASLR?

Wolfgang Denk wd at denx.de
Fri Feb 10 08:07:29 CET 2012


Dear Jason,

please keep the ML on Cc:

In message <4F33E93E.5070804 at ggsg.cisco.com> you wrote:
> 
>     Do you happen to have a reference to that presentation?  I'm very
> interested, as I thought ASLR was in place to make it harder.  I've done
> a weak Google search but haven't turned up anything.

I'm sorry - I already searched when I wrote my first reply, but I
didn't save the link when I read this.  I am pretty much sure that it
was in an article posted on  http://www.heise.de/newsticker/ (and that
it was in the German language), but then it's likely that a similar
article has been posted to  http://www.h-online.com/ .

I can find a few articles that talk about ways to outsmart ASLR, for
example
http://www.h-online.com/security/features/Return-of-the-sprayer-exploits-to-beat-DEP-and-ASLR-1171463.html
but none of the ones I checked contained the statement I quoted (that
ASLR actually makes it easier for crackers), or I didn't find it.


Yes, the idea behind ASLR was to make breaking into systems harder,
and it does so for conventional attack methods.  But breaking into
systems is an art, and each new protection mechanism will attract
forces to break it.  In the end, you have to ask yourself if the
effort for a protection mechanism is worth the increase of security it
gives you.

As others have pointed out, U-Boot (while running in interactive mode)
is pretty much open for unlimited access anyway, so what is there to
protect?

And in production mode, U-Boot will just load and start some OS,
and will be gone within a few milliseconds - if configured correctly,
with little chance of a break-in.

Unless you attach a JTAG debugger - but then you are p0wned anyway.


Best regards,

Wolfgang Denk

-- 
DENX Software Engineering GmbH,     MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: wd at denx.de
Alan Turing thought about criteria to settle the question of  whether
machines  can think, a question of which we now know that it is about
as relevant as the question of whether submarines can swim.
                                                   -- Edsger Dijkstra

