Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 17 Nov 2015 22:13:29 -0500
From: Daniel Micay <danielmicay@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: Re: Fwd: x86 ROP mitigation

On 17/11/15 05:11 PM, Rich Felker wrote:
> On Tue, Nov 17, 2015 at 01:52:07PM -0500, Daniel Micay wrote:
>> Is that really the right approach vs. preventing hijacking of flow
>> control via return pointers and function pointers? It doesn't really
>> seem like there's an end game in mind where it actually prevents ROP
>> rather than just removing many useful gadgets. Making useful ROP gadgets
>> harder to find doesn't mean much, since tools are used to find them and
>> the tools can be improved if it becomes necessary.
>>
>> i.e. why not just go with something like PaX's RAP
> 
> My understanding is that it's not ABI-compatible with non-RAP code, so
> you'd essentially be going with a whole new ABI. If so, this is going
> to be completely impractical for most users. Am I mistaken?

AFAIK, it's ABI compatible with code compiled with it. Hard to say since
the implementation is not yet public. You do need to use it everywhere
to truly take advantage of it though. It might still protect the
function pointers reachable by the attacker without full coverage but...
that's not at all ideal.

Mitigations like this aren't comparable to ones providing incomplete
detection of memory corruption like _FORTIFY_SOURCE where even a small
amount of coverage can end up preventing vulnerabilities from being
exploited. A ROP migitation is only removing an exploitation technique /
making exploitation unreliable (hopefully enough that it can't be brute
forced) / requiring additional bugs to work around it so... it's no good
if there are easy ways around it for an attacker. It actually has to
enforce something meaningful.

RAP is essentially breaking the exploitation technique across the board.
It's not insurmountable but it's not incomplete either. And it can be
improved from the meaningful starting point. It's really hard to see how
removing all usable ROP gadgets can succeed. Maybe it can, but it's hard
to believe without seeing a compelling roadmap.


Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.