Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 23 Nov 2015 21:11:31 -0500 (EST)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: Instruction encoding which prevents execution of
 a suffix

----- Original Message -----
> Suppose you have some critical kernel operation you want to protect
> against execution if some preconditions are not met.  Therefore, you
> check the precondition, and abort if it is not met.  But this does not
> really work because if attackers have control over the program counter,
> they can just enter the function after the checks.
> 
> What generic transformations exist (on x86_64) to make sure that an
> attacker cannot jump over the checks and execute only a suffix of the
> function?  I know of one approach—move the check into the kernel, before
> the critical operation—but this is not always desirable for
> architectural reasons.
> 
> I'd also prefer solutions which do not require changing *all* indirect
> jumps in the process image, and something that does not involve dynamic
> code generation (JIT).
> 

I'm certainly not an expert here, but I know enough to be dangerous.

If an attacker has full control (and in this case that should be the
assumption), there's nothing you can do short of some sort of processor
magic that doesn't exist today (that I'm aware of).

What if you did the checks inside the kernel operation. Some sort of
pre-shared secret of sorts to ensure the caller isn't new code.

Of course this would require a kernel patch that I imagine wouldn't be a
welcome change. Sometimes it's worth talking through problems like this
with silly ideas though.

-- 
    JB

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.