
SoylentNews is people

posted by Fnord666 on Wednesday September 13 2017, @06:03AM
from the going-back dept.

Return-oriented programming (ROP) is now the usual way to turn a stack-smashing vulnerability into code execution. Restrictions on executing code on the stack (non-executable stack, W^X) have mostly put an end to the simple attacks that injected shellcode into a stack buffer, but an attacker who can overwrite a saved return address can still chain together fragments of code that already exist in the process, so stack smashing remains a threat, and several schemes are in use for defeating ROP chains. A new mechanism called "RETGUARD" is being implemented in OpenBSD and is notable for its relative simplicity: it applies a simple transformation to the return address saved on the stack, so that the gadget addresses an attacker writes there no longer resolve to the targets they chose, and it takes the form of a patch to the LLVM compiler that adds a new flag.
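As an added illustration of the idea described above, not code from the RETGUARD patch, OpenBSD or LLVM: a toy model in C of a return-address transform applied in the prologue and undone before `ret`. The specific form modelled, XOR of the saved return address with the stack pointer on entry and again before return, is the one reported for the initial RETGUARD patch; the summary above does not spell it out, so treat that detail as an assumption. The simulated stack, `STACK_BASE`, the return address and the gadget addresses are all constructed values, and every gadget is assumed to end in the instrumented epilogue.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Toy model of a RETGUARD-style return-address transform.
 * Constructed for illustration: a 16-slot array stands in for the machine
 * stack and STACK_BASE is a made-up address, so "the stack pointer" has a
 * value to xor with. Nothing here is real memory layout.
 */
#define STACK_SLOTS 16
#define STACK_BASE  0x7ffcd1a0f000ULL   /* constructed, not a real mapping */

typedef struct {
    uint64_t slots[STACK_SLOTS];
    int      top;        /* index of the top-of-stack slot; the stack grows down */
} sim_stack;

static void     sim_init(sim_stack *s)             { s->top = STACK_SLOTS; }
static uint64_t sim_sp(const sim_stack *s)         { return STACK_BASE + 8ULL * (uint64_t)s->top; }
static void     sim_push(sim_stack *s, uint64_t v) { s->slots[--s->top] = v; }
static uint64_t sim_pop(sim_stack *s)              { return s->slots[s->top++]; }

/* Instrumented prologue, modelled on "xorq %rsp,(%rsp)": scramble the saved return address. */
static void guard_prologue(sim_stack *s) { s->slots[s->top] ^= sim_sp(s); }

/* Instrumented epilogue, "xorq %rsp,(%rsp); ret": unscramble, then pop into RIP. */
static uint64_t guard_ret(sim_stack *s) { s->slots[s->top] ^= sim_sp(s); return sim_pop(s); }

/* Uninstrumented epilogue, plain "ret", for comparison. */
static uint64_t plain_ret(sim_stack *s) { return sim_pop(s); }

/* A legitimate call: "call" pushes the return address, the callee's prologue
 * transforms it, the body runs, and the epilogue hands the original back. */
static uint64_t legit_call(uint64_t ret_addr)
{
    sim_stack s; sim_init(&s);
    sim_push(&s, ret_addr);     /* call callee */
    guard_prologue(&s);         /* callee entry */
    /* ... callee body ... */
    return guard_ret(&s);       /* callee exit: RIP = ret_addr */
}

/* Constructed gadget addresses for the chain below. */
static const uint64_t DEMO_CHAIN[3] = { 0x401fa1ULL, 0x402b33ULL, 0x40310cULL };

/* A stack smash inside the callee overwrites the return slot and the slots
 * above it with raw gadget addresses after the prologue has run. Each gadget
 * ends in the epilogue of the binary it came from, so with guarded gadgets
 * every "ret" xors the slot with the current sp before popping it.
 * Returns how many gadgets in the chain were actually reached. */
static int run_chain(const uint64_t *gadgets, int n, int guarded)
{
    sim_stack s; sim_init(&s);
    for (int i = n - 1; i >= 0; i--)
        sim_push(&s, gadgets[i]);   /* the overflow laid the chain out top-first */
    int hits = 0;
    for (int i = 0; i < n; i++) {
        uint64_t rip = guarded ? guard_ret(&s) : plain_ret(&s);
        if (rip == gadgets[i]) hits++;
    }
    return hits;
}

/* The caveat: an attacker who learns the exact stack pointer can pre-xor each
 * gadget address with the sp of its slot, and the guard becomes transparent.
 * The transform only helps while the stack address stays unpredictable. */
static int run_chain_with_sp_leak(const uint64_t *gadgets, int n)
{
    sim_stack s; sim_init(&s);
    for (int i = n - 1; i >= 0; i--) {
        sim_push(&s, 0);
        s.slots[s.top] = gadgets[i] ^ sim_sp(&s);   /* pre-scrambled for that slot's sp */
    }
    int hits = 0;
    for (int i = 0; i < n; i++)
        if (guard_ret(&s) == gadgets[i]) hits++;
    return hits;
}

int main(void)
{
    printf("legit call returns to %#" PRIx64 "\n", legit_call(0x401234ULL));
    printf("plain ret:   %d/3 gadgets reached\n", run_chain(DEMO_CHAIN, 3, 0));
    printf("guarded ret: %d/3 gadgets reached\n", run_chain(DEMO_CHAIN, 3, 1));
    printf("guarded ret, sp leaked: %d/3 gadgets reached\n", run_chain_with_sp_leak(DEMO_CHAIN, 3));
    return 0;
}
```

The legitimate call is unaffected because the same value is xored in at the same stack pointer on the way in and out. The attacker's raw gadget addresses are xored only once, on the way out, so none of the chain lands where intended; the last function shows why this kind of transform depends on the stack pointer staying secret, since a leaked sp lets the attacker pre-scramble every slot.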



  • (Score: 2) by Virindi (3484) on Wednesday September 13 2017, @08:58PM (#567457) (1 child)

    Ahh, I understand what you are saying now. That seems pretty similar to the idea of "two stacks", just that the first stack has pointers to the second one.

    I'm sure that would work fine, but I am not sure how that would help any more than two stacks. You'd still need to at some point store the "next available data region" pointer when making a call. At that point you really just have two stack pointers.

    So is the purpose simply to prevent one data frame from hitting another data frame*? The large amount of potentially wasted memory seems like a high cost for just that benefit.

    *Obviously data to return corruption would be protected in the same way as with two stacks (it's far away, you have to find it, etc). I am talking about the additional advantage.

  • (Score: 2) by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Thursday September 14 2017, @04:14AM (#567633)

    The idea is to separate the control from the data. That way malicious data is never more than untrusted octets sitting in a region where you should expect untrusted octets. Of course, if you're a shitty coder, you'll permit untrusted data to overwrite other untrusted data, and thus change the logic flow of the program, but that's a different kind of exploit than one where the attacker directly controls your IP.
    --
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
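An added illustration of the control/data separation discussed in the two comments above; this is example code written for this page, not something either commenter posted and not an implementation from OpenBSD. It models the same unchecked copy into a 16-byte buffer twice: once with the conventional layout where the return address sits just above the buffer, and once with return addresses on a separate control stack. Both "stacks" are plain byte arrays, the attacker input `PAYLOAD` is constructed, and the length cap in each copy exists only to keep the model itself memory-safe (the code being modelled has no such check).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Toy model of "separate control from data": the same unchecked copy into a
 * fixed buffer, once with the return address in the same frame as the buffer
 * and once with it on a separate control stack. Constructed for illustration;
 * both layouts are byte arrays, not the real machine stack.
 */
#define BUF_SIZE 16

/* Little-endian load/store so the modelled "return address" is host-independent. */
static uint64_t load64(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}
static void store64(uint8_t *p, uint64_t v)
{
    for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Constructed attacker input: 16 bytes fill the buffer, 8 bytes cover the
 * saved frame pointer, the last 8 bytes are little-endian 0xdeadbeef aimed
 * at the return-address slot of the conventional layout. */
static const uint8_t PAYLOAD[32] = {
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A',
    'B','B','B','B','B','B','B','B',
    0xef, 0xbe, 0xad, 0xde, 0x00, 0x00, 0x00, 0x00
};

/* Conventional frame, low to high: [buf][saved frame pointer][return address]. */
#define FRAME_SIZE (BUF_SIZE + 8 + 8)

/* Returns the value "ret" would pop after the copy. */
static uint64_t single_stack_copy(uint64_t ret_addr, const uint8_t *input, size_t len)
{
    uint8_t frame[FRAME_SIZE] = {0};
    store64(frame + BUF_SIZE + 8, ret_addr);
    if (len > FRAME_SIZE) len = FRAME_SIZE;   /* model boundary only; the modelled code has no check */
    memcpy(frame, input, len);                /* the unchecked copy into a 16-byte buffer */
    return load64(frame + BUF_SIZE + 8);
}

/* Split layout: this function's buffer and the caller's buffer are adjacent on
 * a data stack; return addresses live on a control stack the copy never touches.
 * Returns what "ret" would pop; neighbour_out (may be NULL) receives the
 * caller's buffer after the copy, i.e. the data-on-data damage. */
static uint64_t split_stack_copy(uint64_t ret_addr, const uint8_t *input, size_t len,
                                 uint8_t *neighbour_out)
{
    uint8_t  data_stack[2 * BUF_SIZE] = {0};  /* [this frame's buf][caller's buf] */
    uint64_t control_stack[1];                /* return addresses only */

    control_stack[0] = ret_addr;
    if (len > sizeof data_stack) len = sizeof data_stack;   /* model boundary, as above */
    memcpy(data_stack, input, len);           /* the same unchecked copy */

    if (neighbour_out) memcpy(neighbour_out, data_stack + BUF_SIZE, BUF_SIZE);
    return control_stack[0];
}

/* 1 if the copy spilled into the caller's data, 0 otherwise. */
static int caller_buffer_trampled(const uint8_t *input, size_t len)
{
    uint8_t neighbour[BUF_SIZE];
    split_stack_copy(0x401234ULL, input, len, neighbour);
    for (int i = 0; i < BUF_SIZE; i++)
        if (neighbour[i] != 0) return 1;
    return 0;
}

int main(void)
{
    printf("single stack: ret -> %#llx\n",
           (unsigned long long)single_stack_copy(0x401234ULL, PAYLOAD, sizeof PAYLOAD));
    printf("split stack:  ret -> %#llx, caller data trampled: %d\n",
           (unsigned long long)split_stack_copy(0x401234ULL, PAYLOAD, sizeof PAYLOAD, NULL),
           caller_buffer_trampled(PAYLOAD, sizeof PAYLOAD));
    return 0;
}
```

With the conventional layout the 32-byte input reaches the return slot and `ret` would jump to 0xdeadbeef. With the split layout the same bug still overwrites the caller's buffer (the "untrusted data overwriting other untrusted data" case from the comment above), but the return address on the control stack is untouched, so the attacker gets corrupted data rather than direct control of the instruction pointer.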