Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 26 Sep 2016 10:55:16 -0700
From: "LeMay, Michael" <>
Subject: Re: [RFC] Support for segmentation-hardened SafeStack

On 9/23/2016 03:22, Szabolcs Nagy wrote:
> * LeMay, Michael <> [2016-09-22 23:00:45 +0000]:
>> I submitted several patches to LLVM and Clang to harden SafeStack using segmentation on x86-32 [1].  See [2] for general background on SafeStack.
> ...
>> [1]
>> [2]
> is all runtime support in the libc with your patches?
> (i.e. no static linked interposition code from compiler-rt)

For programs linked against my patched version of musl with 
segmentation-hardened SafeStack enabled, the SafeStack library in 
compiler-rt is not needed.

> can you call into non-instrumented code?
> (as Rich noted this looks like a new abi on i386)
> i assume the segmented variant breaks abi while the
> non-segmented one does not.

Restricting segment limits does introduce additional considerations that 
are not applicable to the original version of SafeStack, as I described 
in the reply to Rich that I just sent.

> what is the unsafe stack size of the main thread?
> how much is the resource usage overhead?

I arbitrarily chose to allocate a main-thread unsafe stack that is twice 
as large as the main-thread safe stack.  The unsafe stack sizes for new 
threads are computed similarly to the safe stack sizes.  I'll post the 
current revision of my patches soon for the sake of discussion.

> what happens if unsafe stack allocation fails?

A limitation of my current patches is that there is no support for 
dynamically expanding the size of the unsafe stack.  By the way, I think 
that this is also a limitation of the current compiler-rt support for 
the original version of SafeStack.

> how does the stack get deallocated at thread exit?
> i assume they are consistent with normal stack
> handling if this is done in musl.. except for the
> main thread.

Yes, the unsafe stack gets deallocated when non-main threads exit.

> can signal handlers work with sigaltstack?

That's an interesting question.  One thing to consider is that the 
kernel will only switch the safe stack when sigaltstack is used, not the 
unsafe stack.  Furthermore, for the segmentation-based hardening to 
apply to the stack passed to sigaltstack, that stack would need to be 
allocated above the restricted limits of DS and ES.


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.