Return-oriented programming (ROP) is now a common technique for compromising systems via a stack-smashing vulnerability. Although restrictions on executing code on the stack have mostly put an end to many simple stack-smashing attacks, that does not mean that they are no longer a threat. There are various schemes in use for defeating ROP attacks. A new mechanism called "RETGUARD" is being implemented in OpenBSD and is notable for its relative simplicity. It makes use of a simple return-address transformation to disrupt ROP chains to hinder their execution and takes the form of a patch to the LLVM compiler adding a new flag.
(Score: 2) by Virindi on Thursday September 14 2017, @09:25AM (1 child)
How? It would have to be written to when you make a call. I am not aware of some easy mechanism to achieve this.
I double checked the Intel reference manual, and attempting a call instruction when the next stack location is a non-write page results in a processor exception. So if you want to implement this in software, you'd have to have the OS deal with this exception and check on whether a call instruction was actually made (and not a normal memory write), make the push, then resume. This seems like a heck of a lot of overhead for every call!
Or am I missing something?
(Score: 2) by Wootery on Thursday September 14 2017, @01:49PM
You're right, there would be an awful amount of overhead there.
I don't think there's any efficient mechanism to restrict access to a page to only certain functions.