From: Carlos O'Donell <carlos@redhat.com>
To: Florian Weimer <fweimer@redhat.com>, gnu-gabi@sourceware.org
Subject: Re: Flag for late RELRO application
Date: Mon, 01 Jan 2018 00:00:00 -0000 [thread overview]
Message-ID: <0e56bdc1-95a1-8626-cba1-2f0ef937f5ab@redhat.com> (raw)
In-Reply-To: <1e8cc2f8-1726-7fed-f905-05610417c8af@redhat.com>
On 06/11/2018 01:37 PM, Florian Weimer wrote:
> On 06/11/2018 06:29 PM, Carlos O'Donell wrote:
>> If you have to markup existing code with
>> attributes to get this to work, you might as well collect them
>> into a special section and use a 'late RELRO' flag for it,
>> extending the existing RELRO framework.
>
> Again, is this really worth the complexity?
Consider the behaviour the flag will enable.
Say it becomes wildly successful, and all application authors turn
it on. Now, everyone is using "LATE" (flag) + "RELRO." Maybe even
against your recommendations.
If we wish to further harden such binaries (applying some of RELRO
earlier again), would we have a way to do so easily?
Do we have to define the "late RELRO" flag in such a way as to guide
implementations to make choices that allow them to continue to be
able to incrementally harden applications?
For example:
DT_FLAGS:
* DF_LATE_RELRO flag set in DT_FLAGS if the dynamic loader should
run all constructors and initializers before marking all relocations
read-only.
Special Sections:
* ".data.re.ro.late" - SHT_PROGBITS, SHF_ALLOC+SHF_WRITE
This section holds data that must be writable until after all
constructors and initializers have been run.
Implementation considerations:
* The guidance to linker implementations is that DF_LATE_RELRO should
only be set if an input section contained data in the section
".data.rel.ro.late" to disambiguate the data that really needs the
late RELRO semantics from those that don't. So we can eventually
harden in two stages. For now the linker can choose to merge everything
together and let the dynamic loader delay RELRO.
In this way we define the flag, *and* a section for late RELRO in such
a way that we can find these uses later if we want to move them or further
harden such binaries. This is a bit more work, but I think it will pay
dividends if we ever need to do further hardening.
Thoughts?
Cheers,
Carlos.
next prev parent reply other threads:[~2018-06-11 18:32 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-01 0:00 Florian Weimer
2018-01-01 0:00 ` Carlos O'Donell
2018-01-01 0:00 ` Florian Weimer
2018-01-01 0:00 ` Carlos O'Donell [this message]
2018-01-01 0:00 ` Cary Coutant
2018-01-01 0:00 ` Florian Weimer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=0e56bdc1-95a1-8626-cba1-2f0ef937f5ab@redhat.com \
--to=carlos@redhat.com \
--cc=fweimer@redhat.com \
--cc=gnu-gabi@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).