Vulnerability Development mailing list archives

RE: ppc asm


From: "Andersen, Thomas Bjoern" <TBAndersen () kpmg com>
Date: Fri, 30 Nov 2001 09:20:36 +0100

Some time ago I came across:
http://packetstorm.decepticons.org/papers/unix/m68koverflows

which says:
------[ Instruction cache

The biggest problem of them all would be the "dirty" i-cache.
The shellcode can't be executed unless the i-cache is cleaned first.
There isn't any cleaning code inside the program we can call/use.

Solutions:
        After a user/kernel/user call the cache is clean.
        1) You could insert the shellcode before the overflow; after a syscall
           the cache would be clean, and it can be executed.
        2) Redirect the execution through libc (syscall wrapper).
           This can be done by using the framepointer and instruction pointer at the
           same time: instruction pointer = address of wrapper
                      framepointer points to a location with the shellcode address

-----Original Message-----
From: KF [mailto:dotslash () snosoft com]
Sent: Friday, November 30, 2001 12:32 AM
To: Troy Bollinger; vuln-dev () security-focus com
Subject: Re: ppc asm


I have heard that the use of fork() can also help with a dirty
instruction cache... does anyone else have any insight on this?
-KF 


One thing I've noticed on ppc is that when you write to the stack,
you're really writing to the data cache.  Then when execution begins,
the instructions are fetched from the instruction cache -- which isn't
always the same as what you put into the data cache.  I'm not saying
that a xor decoder won't work, but you'll probably need to include a
series of cache sync instructions (dcbst,sync,icbi,isync?).  There may
also be issues when using a multiprocessor box or a 64bit box.  More
information on this can be found in the "PowerPC Microprocessor Family:
The Programming Environment" chapter 5.  This book is available in pdf
form at:


http://www-3.ibm.com/chips/techlib/techlib.nsf/techdocs/852569B20050FF778525699600719DF2/$file/6xx_pem.pdf

--
Troy Bollinger <troy () austin ibm com>
Network Security Analyst
PGP keyid: 1024/0xB7783129
Troy's opinions are not IBM policy

