oss-sec mailing list archives
Re: Fwd: x86 ROP mitigation
From: Jeff Law <law () redhat com>
Date: Wed, 18 Nov 2015 11:20:42 -0700
On 11/17/2015 06:57 PM, Solar Designer wrote:
> I'd like more detail on the plan of dealing with function epilogues, if there is a plan for that.

There's not a lot of detail at this point. For functions that don't escape, the compiler has visibility of both the call and return sites. So for those we can look at indirection, address mangling and the like. It's something Bernd is just starting to experiment with.
Once something escapes, then we may be looking at something like stack-protector-all or somehow emitting a sequence that's painful to try and exploit while being semantically equivalent. The concern is that with the cost of stack-protector-all there'll be resistance to using that as the mitigation technique.
> I'm not sure if this fits under:
> * Look into an idea Florian had for improving stack-protector epilogues.
> or if that's (more likely) something entirely different.

No, it's based on some experiments that show changing the stack protector epilogue can result in an epilogue sequence that is painful to exploit.
jeff