oss-sec mailing list archives

x86 ROP mitigation


From: Solar Designer <solar () openwall com>
Date: Tue, 17 Nov 2015 18:39:51 +0300

Bernd, all -

A few days ago, Bernd Schmidt posted this gcc patch:

https://gcc.gnu.org/ml/gcc-patches/2015-11/msg01773.html

"This adds a new -mmitigate-rop option to the i386 port. The idea is to
mitigate against certain forms of attack called "return oriented
programming" that some of our security folks are concerned about.
[...]
This patch is a small step towards preventing this kind of attack.
I have a few more steps queued (not quite ready for stage 1), but
additional work will be necessary to give reasonable protection."

This was followed with a few tweets:

TTYtter> /th zz7
zz0> (x13) <RichFelker> #gcc i386 ROP mitigation https://gcc.gnu.org/ml/gcc-patches/2015-11/msg01773.html
zz1> <@solardiz> @RichFelker This is ridiculous as it is, but I'll defer judgement until I see further steps that Bernd has queued
zz2> <@RichFelker> @solardiz I have concerns about the deg to which is possible, but doesn't just reducing the freq of these bytes reduce chance of exploit?
zz3> <@solardiz> @RichFelker I think this patch alone doesn't help at all. It might break some pre-existing exploits, but so would many non-security options.
zz4> <@stevecheckoway> @solardiz @RichFelker I agree. This doesn't seem useful. ROP using only intended instructions works just fine (as does ROP without returns).
zz5> <@joshbressers> @stevecheckoway @solardiz @RichFelker I'm certainly not smart enough to help with this, but we should work together, don't just complain.
zz6> <@solardiz> @joshbressers @stevecheckoway @RichFelker I think one of us should ask Bernd to outline his plan and let the community comment on it
zz7> <@joshbressers> @solardiz @stevecheckoway @RichFelker You need to engage about this on oss-security. There is a plan, that patch is step 1.

Bernd, I'd appreciate it if you describe your plan in a reply to this
e-mail.  Please keep oss-security CC'ed.

Thank you for your work!

Alexander
