Date: Mon, 7 Aug 2017 18:35:32 -0500
From: "Gustavo A. R. Silva" <>
To: Kees Cook <>
Cc: Thomas Garnier <>,
 Kernel Hardening <>
Subject: Re: I want to help out

On 08/07/2017 04:42 PM, Kees Cook wrote:
> Welcome to the list!

Thank you, Kees. :)

> On Mon, Aug 7, 2017 at 1:52 PM, Gustavo A. R. Silva
> <> wrote:
>> On 08/07/2017 10:31 AM, Thomas Garnier wrote:
>>> You can take a look at this page [1] to get an idea on things to do.
>>> You can also look at the difference patches coming and going on the
>>> mailing list to see if anything interest you.
>>> Anything in particular you wanted to prototype?
>> I'm interested in mitigation efforts towards control flow infection, as
>> function pointer poisoning for both .init_array (I know there is some
>> ongoing work here) and .fini_array.
> I'd be curious to hear more about this work.

Yeah, this has to do with the use of __ro_after_init for the case of the .ctors
(.init_array) ELF section.

The case of .dtors or .fini_array ELF section is similar. A heap 
overflow could overwrite a .fini_array function pointer. But I guess 
this could be detected by guard pages.

>> From the TODO list I think the following tasks are interesting:
>> * Split thread_info off of kernel stack.
>> * Move kernel stack to vmap area.
>> * Implement kernel relocation and KASLR for ARM
> All three of these are needed on 32-bit arm. The last is a tricky one,
> since kernel relocation is needed before KASLR can happen on ARM.

After reading this, those first two tasks seem to be very challenging and
even more interesting.

So, I guess the idea would be to follow this same approach:


Is this already working for arm64?

What would be a good strategy to start tackling those tasks?

>> If there is already some work in progress and there are some small tasks
>> pending to be completed, I'd like to help.
> More testing on arm64 VMAP_STACK would be great, if you have hardware available.

Oh, I guess this answers one of my questions above...

I'm sorry. I have a Beagle Bone Black, which is 32-bit.

>> Recently, I've been using Coccinelle to constify structures, and fixing a
>> variety of Coverity issues (API usage errors, NULL pointer dereferences,
>> control flow and code maintainability issues, etc..). I'm also using
>> Coccinelle to identify lock/unlock issues.
> This is good work to be getting done too!

Yeah, I've been doing this over the last three months, and the plan is
to continue fixing similar issues for a whole year. :)

Gustavo A. R. Silva
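As an added illustration (not part of this thread, and not the kernel's own code): the idea Gustavo describes above, keeping a table of function pointers such as .init_array/.fini_array entries writable only during initialisation and read-only afterwards so that a later stray write (the tail of a heap overflow, say) cannot redirect control flow. The kernel achieves this with the __ro_after_init attribute; the user-space analogue below gets the same effect with mmap/mprotect. Every name here (hook_table, init_and_seal_hooks, hook_a, and so on) is hypothetical, and the write that simulates corruption is constructed for the demo.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed example: a table of hooks, analogous to .init_array/.fini_array. */
typedef void (*hook_fn)(void);

static int run_count;
static void hook_a(void) { run_count += 1; }
static void hook_b(void) { run_count += 10; }

#define NHOOKS 2

/* Lives in its own page so it can be protected independently of other data. */
static hook_fn *hook_table;

/* Fill the table during "init", then seal it read-only: the user-space
 * analogue of the kernel's __ro_after_init section. Returns 0 on success. */
int init_and_seal_hooks(void)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *mem = mmap(NULL, page, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED)
        return -1;
    hook_table = mem;
    hook_table[0] = hook_a;
    hook_table[1] = hook_b;
    /* Initialisation is over: from here on the pointers are immutable. */
    return mprotect(mem, page, PROT_READ);
}

/* Dispatch through the (read-only) table; reading it is still allowed. */
int run_hooks(void)
{
    run_count = 0;
    for (int i = 0; i < NHOOKS; i++)
        hook_table[i]();
    return run_count;   /* 11 with the two hooks above */
}

/* Simulate a stray write landing on the sealed table and report whether
 * the MMU blocked it (1) or the pointer was silently overwritten (0). */
static sigjmp_buf jb;
static void on_fault(int sig) { (void)sig; siglongjmp(jb, 1); }

int write_to_sealed_table_is_blocked(void)
{
    struct sigaction sa, old_segv, old_bus;
    volatile int blocked = 0;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    if (sigsetjmp(jb, 1) == 0) {
        volatile hook_fn *p = hook_table;
        p[1] = hook_a;   /* would redirect control flow if it succeeded */
        blocked = 0;
    } else {
        blocked = 1;     /* the store faulted; the table is intact */
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return blocked;
}

int main(void)
{
    if (init_and_seal_hooks() != 0) {
        perror("init_and_seal_hooks");
        return 1;
    }
    printf("hooks ran, count=%d\n", run_hooks());
    printf("stray write blocked: %s\n",
           write_to_sealed_table_is_blocked() ? "yes" : "no");
    printf("hooks still intact, count=%d\n", run_hooks());
    return 0;
}
```

The point of sealing rather than merely constifying is that the protection comes from the page tables, not from the compiler: a write that arrives through a corrupted pointer faults instead of quietly replacing the hook. The same reasoning is why __ro_after_init on the kernel side turns a function-pointer overwrite into an oops that can be detected rather than a silent hijack.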
