From: Florian Weimer <fw@deneb.enyo.de>
To: "Richard Earnshaw \(lists\)" <Richard.Earnshaw@arm.com>
Cc: Jeff Law <law@redhat.com>, gcc-patches <gcc-patches@gcc.gnu.org>
Subject: Re: RFC: stack/heap collision vulnerability and mitigation with GCC
Date: Wed, 28 Jun 2017 06:45:00 -0000 [thread overview]
Message-ID: <87k23wwqym.fsf@mid.deneb.enyo.de> (raw)
In-Reply-To: <ad0fb64c-6b0d-b3da-d01d-34d4d62385ee@arm.com> (Richard Earnshaw's message of "Thu, 22 Jun 2017 10:53:21 +0100")
* Richard Earnshaw:
> I can't help but feel there's a bit of a goode olde mediaeval witch hunt
> going on here. As Wilco points out, we can never defend against a
> function that is built without probe operations but skips the entire
> guard zone. The only defence there is a larger guard zone, but how big
> do you make it?
Right. And in the exploitable cases we have seen, there is a
dynamically sized allocation which the attacker can influence, so it
seems fairly likely that in a partially hardended binary, there could
be another call stack which is exploitable, with a non-hardened
function at the top.
I think a probing scheme which assumes that if the caller moves the
stack pointer into more than half of the guard area, that's the
callers fault would be totally appropriate in practice. If possible,
callee-only probing for its own stack usage is preferable, but not if
it means instrumenting all functions which use the stack.
> Yes, you'd need a system recompile to deploy it in full, but even a
> fairly limited rebuild of critical libraries (libc, libstdc++) would
> help.
And we'd be mostly interested in protecting dynamically sized stack
allocations anyway, and perhaps the occasional BUFSIZ and PATH_MAX
rrays.
next prev parent reply other threads:[~2017-06-28 6:45 UTC|newest]
Thread overview: 66+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-06-19 17:07 Jeff Law
2017-06-19 17:29 ` Jakub Jelinek
2017-06-19 17:45 ` Jeff Law
2017-06-19 17:51 ` Jakub Jelinek
2017-06-19 21:51 ` Jeff Law
2017-06-20 8:03 ` Uros Bizjak
2017-06-20 10:18 ` Richard Biener
2017-06-20 11:10 ` Uros Bizjak
2017-06-20 12:13 ` Florian Weimer
2017-06-20 12:17 ` Uros Bizjak
2017-06-20 12:20 ` Uros Bizjak
2017-06-20 12:27 ` Richard Biener
2017-06-20 21:57 ` Jeff Law
2017-06-20 15:59 ` Jeff Law
2017-06-19 18:00 ` Richard Biener
2017-06-19 18:02 ` Richard Biener
2017-06-19 18:15 ` Florian Weimer
2017-06-19 21:57 ` Jeff Law
2017-06-19 22:08 ` Jeff Law
2017-06-20 7:50 ` Eric Botcazou
2017-06-19 17:51 ` Joseph Myers
2017-06-19 17:55 ` Jakub Jelinek
2017-06-19 18:21 ` Florian Weimer
2017-06-19 21:56 ` Joseph Myers
2017-06-19 22:05 ` Jeff Law
2017-06-19 22:10 ` Florian Weimer
2017-06-19 19:05 ` Jeff Law
2017-06-19 19:45 ` Jakub Jelinek
2017-06-19 21:41 ` Jeff Law
2017-06-20 8:27 ` Richard Earnshaw (lists)
2017-06-20 15:50 ` Jeff Law
2017-06-19 18:12 ` Richard Kenner
2017-06-19 22:05 ` Jeff Law
2017-06-19 22:07 ` Richard Kenner
2017-06-20 8:21 ` Eric Botcazou
2017-06-20 15:50 ` Jeff Law
2017-06-20 19:48 ` Jakub Jelinek
2017-06-20 20:37 ` Eric Botcazou
2017-06-20 20:46 ` Jeff Law
2017-06-20 8:17 ` Eric Botcazou
2017-06-20 21:52 ` Jeff Law
2017-06-20 22:20 ` Eric Botcazou
2017-06-21 17:31 ` Jeff Law
2017-06-21 19:07 ` Florian Weimer
2017-06-21 7:56 ` Andreas Schwab
2017-06-20 9:27 ` Richard Earnshaw (lists)
2017-06-20 21:39 ` Jeff Law
2017-06-21 8:41 ` Richard Earnshaw (lists)
2017-06-21 17:25 ` Jeff Law
2017-06-22 9:53 ` Richard Earnshaw (lists)
2017-06-22 15:30 ` Jeff Law
2017-06-22 16:07 ` Szabolcs Nagy
2017-06-22 16:15 ` Jeff Law
2017-06-28 6:45 ` Florian Weimer [this message]
2017-07-13 23:21 ` Jeff Law
2017-07-18 19:54 ` Florian Weimer
2017-06-20 23:22 Wilco Dijkstra
2017-06-21 8:34 ` Richard Earnshaw (lists)
2017-06-21 8:44 ` Andreas Schwab
2017-06-21 8:46 ` Richard Earnshaw (lists)
2017-06-21 8:46 ` Richard Earnshaw (lists)
2017-06-21 9:03 ` Wilco Dijkstra
2017-06-21 17:05 ` Jeff Law
2017-06-21 17:47 ` Wilco Dijkstra
2017-06-22 16:10 ` Jeff Law
2017-06-22 22:57 ` Wilco Dijkstra
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87k23wwqym.fsf@mid.deneb.enyo.de \
--to=fw@deneb.enyo.de \
--cc=Richard.Earnshaw@arm.com \
--cc=gcc-patches@gcc.gnu.org \
--cc=law@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).