
Spengler: False Boundaries and Arbitrary Code Execution

Posted Jan 6, 2011 19:19 UTC (Thu) by spender (subscriber, #23067)
In reply to: Spengler: False Boundaries and Arbitrary Code Execution by cesarb
Parent article: Spengler: False Boundaries and Arbitrary Code Execution

See d.1 of http://pax.grsecurity.net/docs/pax-future.txt
You're only 8 years late ;)

-Brad


Spengler: False Boundaries and Arbitrary Code Execution

Posted Jan 6, 2011 22:21 UTC (Thu) by cesarb (subscriber, #6266) [Link]

Cool. Has it ever been implemented?

My idea was a bit different; instead of XOR with an ASLR-randomized stack pointer, it would XOR with a cookie read from a global variable (initialized to a random number on a global constructor). So leaking the stack pointer would not be enough, you would need a leak of either the cookie or an obfuscated pointer (which you would then XOR with the expected unobfuscated pointer to recover the cookie). And, as a bonus, it does something useful even without ASLR enabled.

But what to XOR with is only a small detail (and a local decision even, since it is completely contained within each function, so different parts of the same program can XOR with values obtained in different ways even); the main idea, which is to XOR the return address in the stack, is the same both in my comment above and in your link ;-) . I completely forgot about the frame pointer, however (your link didn't).

The main problem with this idea is that it could break GDB badly (as mentioned in the link PaXTeam posted), unless an extension to the debugging format was developed to tell GDB where to find the cookie and which functions need it. Of course, the user can simply zero the cookie within gdb before debugging the program, to prevent the values from being obfuscated.

Spengler: False Boundaries and Arbitrary Code Execution

Posted Jan 7, 2011 21:02 UTC (Fri) by PaXTeam (guest, #24616) [Link]

> Cool. Has it ever been implemented?

search google for the following titles/keywords:

"Embedded Firmware Diversity for Smart Electric Meters"
"Hardware and Binary Modification Support for Code Pointer Protection From Buffer Overflow"
"G-Free: Defeating Return-Oriented Programming through Gadget-less Binaries"
"HyperSafe: A Lightweight Approach to Provide Lifetime Hypervisor Control-Flow Integrity"
"Preventing memory error exploits with WIT"
"Control-Flow Integrity Principles, Implementations, and Applications" (in general, MSR's gleipnir project and the related papers)
"Automated Detection of Persistent Kernel Control-Flow Attacks"

of course this is just a small selection, this area of research goes back decades (no, it didn't start in security ;-).

Spengler: False Boundaries and Arbitrary Code Execution

Posted Jan 9, 2011 19:12 UTC (Sun) by nix (subscriber, #2304) [Link]

More examples to add to those PaXTeam suggested: glibc already does this with addresses inside jmp_bufs. This is not the only libc to do that. It is *widely* implemented.
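The cookie scheme cesarb describes above, and the jmp_buf mangling nix mentions, as an added C sketch that is not code from any poster in this thread nor glibc's own PTR_MANGLE: a struct slot stands in for a saved return address or jmp_buf entry, and the /dev/urandom seeding, the fallback and all names are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Per-process cookie, filled once by a constructor before main() runs.
 * Code pointers are stored XORed with it, so an overwrite that does not know
 * the cookie is demangled into a wrong address, not the attacker's choice. */
static uintptr_t ptr_cookie;

__attribute__((constructor)) static void init_ptr_cookie(void)
{
    /* Assumed seeding for this example: the kernel RNG, with a weak fallback
     * so the example still runs where /dev/urandom is unavailable. */
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL || fread(&ptr_cookie, sizeof ptr_cookie, 1, f) != 1)
        ptr_cookie = (uintptr_t)time(NULL) ^ (uintptr_t)&ptr_cookie;
    if (f != NULL)
        fclose(f);
    if (ptr_cookie == 0)              /* zero would make mangling the identity */
        ptr_cookie = (uintptr_t)&init_ptr_cookie;
}

static uintptr_t mangle_ptr(uintptr_t p)   { return p ^ ptr_cookie; }
static uintptr_t demangle_ptr(uintptr_t m) { return m ^ ptr_cookie; }

typedef void (*handler_fn)(void);

/* Stand-in for a saved return address or a jmp_buf slot: the code pointer
 * lives in writable memory, so it is kept mangled while stored. */
struct saved_ctx { uintptr_t mangled_handler; };

static void save_handler(struct saved_ctx *c, handler_fn h) { c->mangled_handler = mangle_ptr((uintptr_t)h); }
static handler_fn load_handler(const struct saved_ctx *c) { return (handler_fn)demangle_ptr(c->mangled_handler); }

static void example_handler(void) { puts("handler ran"); }

/* Round trip: the stored value differs from the raw pointer, yet loading it
 * back yields the original function. Returns 1 on success. */
static int demo_roundtrip(void)
{
    struct saved_ctx c;
    save_handler(&c, example_handler);
    return c.mangled_handler != (uintptr_t)example_handler && load_handler(&c) == example_handler;
}

/* Simulate an overwrite of the stored slot with a raw (unmangled) address:
 * returns 1 if the overwrite is neutralised, i.e. control would NOT reach
 * the raw target after demangling. */
static int demo_raw_overwrite_blocked(void)
{
    struct saved_ctx c = { .mangled_handler = (uintptr_t)example_handler };
    return load_handler(&c) != example_handler;
}
```

As the thread notes, this is only as strong as the cookie's secrecy: one leaked mangled value with known plaintext gives the cookie back, and zeroing ptr_cookie in a debugger turns mangling into the identity, which is the gdb workaround cesarb mentions.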


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds