From: Florian Weimer <fweimer@redhat.com>
To: Cary Coutant <ccoutant@gmail.com>
Cc: gnu-gabi@sourceware.org
Subject: Re: Flag for late RELRO application
Date: Mon, 01 Jan 2018 00:00:00 -0000 [thread overview]
Message-ID: <30bac825-fa96-f92c-f6a4-263da7132f61@redhat.com> (raw)
In-Reply-To: <CAJimCsHpn5u+=_nBQRBrHW22knS=YBtyxJQEOzfLcc=hrL7fcA@mail.gmail.com>
On 06/11/2018 09:52 PM, Cary Coutant wrote:
>> I would like to add a flag to gABI (visible in the dynamic section) which
>> indicates that the loader shall apply RELRO protection only after running
>> the ELF constructors from DT_INIT and DT_INIT_ARRAY.
>>
>> This would allow applications to allocate a mapping and store a pointer to
>> it in permanently read-only memory. On the mapping itself, the application
>> can set the protection flags (and keys) as needed.
>
> Why can't the application that wants to do this simply do the following?
>
> mprotect(&ptr, sizeof(ptr), PROT_READ|PROT_WRITE);
> ptr = ...;
> mprotect(&ptr, sizeof(ptr), PROT_READ);
The original mapping might have been PROT_READ | PROT_EXEC, and then the
PROT_EXEC is gone, which isn't good. Security policy may also preven
tthe PROT_WRITE → PROT_EXEC transition.
> We have RELRO to collect all the data together that the dynamic loader
> needs to initialize. I see no good reason to extend that feature to
> support an application-specific need, especially when it significantly
> expands the window during which the program is subject to attack.
> Initializers are just as prone to hacking as the rest of the program.
Initializers can access the process environment, true, but for many
applications, that is trusted and there is no boundary crossed. That
only comes later in the process (after running main).
In any case, I wanted to make this opt-in, so that applications or
libraries can choose the approach they prefer.
Thanks,
Florian
next prev parent reply other threads:[~2018-07-05 19:36 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-01 0:00 Florian Weimer
2018-01-01 0:00 ` Cary Coutant
2018-01-01 0:00 ` Florian Weimer [this message]
2018-01-01 0:00 ` Carlos O'Donell
2018-01-01 0:00 ` Florian Weimer
2018-01-01 0:00 ` Carlos O'Donell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=30bac825-fa96-f92c-f6a4-263da7132f61@redhat.com \
--to=fweimer@redhat.com \
--cc=ccoutant@gmail.com \
--cc=gnu-gabi@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).