Vulnerability Development mailing list archives
RE: ppc asm
From: "Andersen, Thomas Bjoern" <TBAndersen () kpmg com>
Date: Fri, 30 Nov 2001 09:20:36 +0100
Some time ago I came across: http://packetstorm.decepticons.org/papers/unix/m68koverflows which says:

------[ Instruction cache

The biggest problem of them all would be the "dirty" i-cache. The shellcode can't be executed unless the i-cache is cleaned first. There isn't any cleaning code inside the program we can call/use.

Solutions: After a user/kernel/user call the cache is clean.

1) You could insert the shellcode before the overflow; after a syscall the cache would be clean, and it can be executed.

2) Redirect the execution through libc (syscall wrapper). This can be done by using the frame pointer and instruction pointer at the same time:
   instruction pointer = address of wrapper
   frame pointer points to a location with the shellcode address

-----Original Message-----
From: KF [mailto:dotslash () snosoft com]
Sent: Friday, November 30, 2001 12:32 AM
To: Troy Bollinger; vuln-dev () security-focus com
Subject: Re: ppc asm

I have heard the use of fork() can also help with a dirty instruction cache... does anyone else have any insight on this?

-KF
One thing I've noticed on ppc is that when you write to the stack, you're really writing to the data cache. Then when execution begins, the instructions are fetched from the instruction cache -- which isn't always the same as what you put into the data cache. I'm not saying that an XOR decoder won't work, but you'll probably need to include a series of cache sync instructions (dcbst, sync, icbi, isync?). There may also be issues when using a multiprocessor box or a 64-bit box. More information on this can be found in the "PowerPC Microprocessor Family: The Programming Environment", chapter 5. This book is available in pdf form at:

http://www-3.ibm.com/chips/techlib/techlib.nsf/techdocs/852569B20050FF778525699600719DF2/$file/6xx_pem.pdf

--
Troy Bollinger <troy () austin ibm com>
Network Security Analyst
PGP keyid: 1024/0xB7783129
Troy's opinions are not IBM policy
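What the dcbst/sync/icbi/isync sequence Troy mentions looks like when you do it yourself, rather than relying on a syscall or fork() to get the cache cleaned for you: the routine below is an added example written for this archive page, not code from any poster or from the PEM. It assumes 32-byte cache lines (the common size on 32-bit 6xx/7xx parts; read the line size from the CPU or the OS on other models), and on non-PowerPC hosts it falls back to the GCC/Clang `__builtin___clear_cache` builtin so the file still compiles. `sample_code` is a constructed byte string standing in for a decoder stub; it is not real shellcode.

```c
/* Added example: making code that was just written through the data cache
 * visible to instruction fetch on PowerPC. Assumption: 32-byte cache lines. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CACHE_LINE 32u   /* assumed line size; 6xx/7xx parts use 32 bytes */

/* Number of cache lines the byte range [addr, addr+len) touches. Needed
 * because dcbst/icbi operate on one line each; flushing only the first
 * line of a multi-line stub leaves stale instructions in the i-cache. */
size_t lines_spanned(uintptr_t addr, size_t len)
{
    if (len == 0)
        return 0;
    uintptr_t first = addr & ~(uintptr_t)(CACHE_LINE - 1);
    uintptr_t last  = (addr + len - 1) & ~(uintptr_t)(CACHE_LINE - 1);
    return (size_t)((last - first) / CACHE_LINE) + 1;
}

/* Push the dirty data-cache lines to memory, wait for that to complete,
 * invalidate the matching i-cache lines, then discard anything already
 * prefetched. This is the self-modifying-code sequence from PEM chapter 5
 * (the same order the Linux ppc32 flush_icache_range uses). */
void sync_icache(void *start, size_t len)
{
#if defined(__powerpc__) || defined(__ppc__) || defined(__PPC__)
    uintptr_t base = (uintptr_t)start & ~(uintptr_t)(CACHE_LINE - 1);
    uintptr_t end  = (uintptr_t)start + len;
    uintptr_t p;
    for (p = base; p < end; p += CACHE_LINE)
        __asm__ __volatile__("dcbst 0,%0" : : "r"(p) : "memory");
    __asm__ __volatile__("sync" ::: "memory");
    for (p = base; p < end; p += CACHE_LINE)
        __asm__ __volatile__("icbi 0,%0" : : "r"(p) : "memory");
    __asm__ __volatile__("sync" ::: "memory");
    __asm__ __volatile__("isync" ::: "memory");
#else
    /* Not PowerPC: the builtin emits that target's equivalent (a no-op on
     * x86, whose i-cache snoops stores). */
    __builtin___clear_cache((char *)start, (char *)start + len);
#endif
}

/* Copy a code stub into a writable buffer and sync the caches before anyone
 * jumps to it. Returns the number of cache lines that were flushed. */
size_t stage_code(void *dst, const void *src, size_t len)
{
    memcpy(dst, src, len);          /* goes into the data cache */
    sync_icache(dst, len);          /* ...and now into memory / i-cache */
    return lines_spanned((uintptr_t)dst, len);
}

/* Constructed placeholder bytes, NOT real PowerPC instructions: 48 bytes so
 * the stub always crosses at least one 32-byte line boundary. */
static const unsigned char sample_code[48] = {
    0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00,
    0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00,
    0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00,
    0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x4e, 0x80, 0x00, 0x20,
};

/* Stage the sample into a stack buffer; returns 1 if the staged copy
 * matches the source and at least two lines were flushed, else 0. */
int demo(void)
{
    unsigned char buf[sizeof sample_code];
    size_t flushed = stage_code(buf, sample_code, sizeof sample_code);
    if (memcmp(buf, sample_code, sizeof sample_code) != 0)
        return 0;
    return flushed >= 2 ? 1 : 0;
}
```

The point of the two loops is that dcbst and icbi are per-line operations: a stub that straddles a line boundary needs both lines pushed out and both invalidated, and the trailing sync/isync is what stops the core from running instructions it prefetched before the invalidate. On a multiprocessor or 64-bit box, as Troy notes, check the part's own manual; the line size and the exact synchronisation required differ.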