Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 20 Nov 2015 11:45:05 +0100
From: Florian Weimer <fweimer@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Instruction encoding which prevents execution of a suffix

Suppose you have some critical kernel operation you want to protect
against execution if some preconditions are not met.  Therefore, you
check the precondition, and abort if it is not met.  But this does not
really work because if attackers have control over the program counter,
they can just enter the function after the checks.

What generic transformations exist (on x86_64) to make sure that an
attacker cannot jump over the checks and execute only a suffix of the
function?  I know of one approach—move the check into the kernel, before
the critical operation—but this is not always desirable for
architectural reasons.

I'd also prefer solutions which do not require changing *all* indirect
jumps in the process image, and something that does not involve dynamic
code generation (JIT).

Florian

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.