oss-sec mailing list archives

Re: Re: Fwd: x86 ROP mitigation

From: Daniel Micay <danielmicay () gmail com>
Date: Tue, 17 Nov 2015 22:13:29 -0500

On 17/11/15 05:11 PM, Rich Felker wrote:

On Tue, Nov 17, 2015 at 01:52:07PM -0500, Daniel Micay wrote:

Is that really the right approach vs. preventing hijacking of flow
control via return pointers and function pointers? It doesn't really
seem like there's an end game in mind where it actually prevents ROP
rather than just removing many useful gadgets. Making useful ROP gadgets
harder to find doesn't mean much, since tools are used to find them and
the tools can be improved if it becomes necessary.

i.e. why not just go with something like PaX's RAP


My understanding is that it's not ABI-compatible with non-RAP code, so
you'd essentially be going with a whole new ABI. If so, this is going
to be completely impractical for most users. Am I mistaken?


AFAIK, it's ABI compatible with code compiled with it. Hard to say since
the implementation is not yet public. You do need to use it everywhere
to truly take advantage of it though. It might still protect the
function pointers reachable by the attacker without full coverage but...
that's not at all ideal.

Mitigations like this aren't comparable to ones providing incomplete
detection of memory corruption like _FORTIFY_SOURCE where even a small
amount of coverage can end up preventing vulnerabilities from being
exploited. A ROP migitation is only removing an exploitation technique /
making exploitation unreliable (hopefully enough that it can't be brute
forced) / requiring additional bugs to work around it so... it's no good
if there are easy ways around it for an attacker. It actually has to
enforce something meaningful.

RAP is essentially breaking the exploitation technique across the board.
It's not insurmountable but it's not incomplete either. And it can be
improved from the meaningful starting point. It's really hard to see how
removing all usable ROP gadgets can succeed. Maybe it can, but it's hard
to believe without seeing a compelling roadmap.

Attachment: signature.asc
Description: OpenPGP digital signature

Current thread:

x86 ROP mitigation Solar Designer (Nov 17)
- Message not available
  - Re: Fwd: x86 ROP mitigation Bernd Schmidt (Nov 17)
    - Re: Fwd: x86 ROP mitigation Jeff Law (Nov 17)
    - Re: Re: Fwd: x86 ROP mitigation Daniel Micay (Nov 17)
    - Re: Re: Fwd: x86 ROP mitigation Josh Bressers (Nov 17)
    - Re: Re: Fwd: x86 ROP mitigation Daniel Micay (Nov 17)
    - Re: Re: Fwd: x86 ROP mitigation Josh Bressers (Nov 17)
    - Re: Re: Fwd: x86 ROP mitigation Daniel Micay (Nov 17)
    - Re: Re: Fwd: x86 ROP mitigation Rich Felker (Nov 17)
    - Re: Re: Fwd: x86 ROP mitigation Daniel Micay (Nov 17)
    - Re: Fwd: x86 ROP mitigation Solar Designer (Nov 17)
    - Re: Fwd: x86 ROP mitigation Florian Weimer (Nov 18)
    - Data on Linux attacks (was Re: [oss-security] Re: Fwd: x86 ROP mitigation) Josh Bressers (Nov 18)
    - Re: Data on Linux attacks (was Re: [oss-security] Re: Fwd: x86 ROP mitigation) Kurt Seifried (Nov 18)
    - Re: Re: Fwd: x86 ROP mitigation Steve Grubb (Nov 18)
    - Re: Re: Fwd: x86 ROP mitigation Fabio Pagani (Nov 18)
    - Re: Fwd: x86 ROP mitigation Solar Designer (Nov 19)
    - Re: Re: Fwd: x86 ROP mitigation Jonathan Salwan (Nov 19)
    - Re: Fwd: x86 ROP mitigation Solar Designer (Nov 17)
    - Re: Fwd: x86 ROP mitigation Bernd Schmidt (Nov 18)

(Thread continues...)