MitiGator to the rescue! https://twitter.com/halvarflake/status/845946208690585600?s=09 …
-
In fact, I'm outraged at the suggestion W^X is of any use here. There's an entry point to EVAL in this process that one can conveniently return into. Chain it up with a call to READ, and bingo, platform independent sploit payload.
-
A memory safe language still has a substantial trusted computing base of potentially memory unsafe code. Those mitigations don't lose their value. Making it trivial to exploit a heap overflow vulnerability like this once it's found isn't a great plan: https://github.com/rust-lang/rust/blob/c661e385fd81afef808f414867cc44a6c897195e/src/liballoc_system/lib.rs#L332-L333 ….
-
Umm, returning to scheme_eval_string makes any control of instruction pointer in a process instant easy code execution, W^X or not.
-
An attacker being able to overwrite a function pointer or return address doesn't mean they can run any code in the process. They need to choose code that the CFI implementation permits calling from there and they need to be able to point it at the dynamic address of that code.
-
scheme_eval_string is a legit entry point. Your CFI won't save you.
-
Not quite sure what you mean by that. Clang CFI will permit calling it if the type signature matches the calling site, which it might. An attacker will often only have control over function pointers in the heap via use-after-free, etc. and those often have restrictive types.
-
I might be confused about what clang CFI is doing there differently, going to read up on it. The CFI implementations I'm familiar with are mainly concerned about jumping into the middle of a function body for ROP primitive building.
-
That's what Microsoft CFG and Intel CET do for function pointers (along with not allowing function pointers to call functions that are identified as not indirectly callable), but Clang CFI is type-based.
-
Just noticing: if any of these control flow mechanisms stop an exploit, they do so regardless of whether W^X is active.
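The type-based check discussed in the replies above, as an added example that is not part of the thread: a small C model of how a forward-edge CFI scheme in the style of Clang's -fsanitize=cfi-icall decides whether an indirect call is allowed. Every call site knows the type id of the function type it expects, and only a known function entry of that same type may be called. The function names, the type ids and the `known` table are constructed for illustration; a real build derives that set from LTO metadata and emits per-type jump tables rather than the linear scan used here.

```c
/* Added example, not code from the thread: a model of type-based CFI.
 * eval_string stands in for an interpreter entry point such as the
 * scheme_eval_string mentioned above (here it only returns the length). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int (*str_fn)(const char *);   /* type id 1: int (*)(const char *) */
typedef int (*int_fn)(int);            /* type id 2: int (*)(int) */

static int eval_string(const char *s) { return (int)strlen(s); }
static int log_string(const char *s)  { return s[0] == '\0' ? 0 : 1; }
static int square(int x)              { return x * x; }

/* What the compiler/linker knows: every address-taken function and the id of
 * its type. Constructed table; Clang encodes the same information as per-type
 * jump tables so that the check becomes a range/alignment test. */
enum { TYPE_STR_FN = 1, TYPE_INT_FN = 2 };
struct known_fn { void (*addr)(void); int type_id; };
static const struct known_fn known[] = {
    { (void (*)(void))eval_string, TYPE_STR_FN },
    { (void (*)(void))log_string,  TYPE_STR_FN },
    { (void (*)(void))square,      TYPE_INT_FN },
};

/* The check inserted before an indirect call: returns 1 if target is the
 * entry of a known function whose type id matches the call site's expected
 * id, 0 otherwise (a real implementation traps instead of returning). */
int cfi_check(void (*target)(void), int expected_type_id) {
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (known[i].addr == target)
            return known[i].type_id == expected_type_id;
    return 0; /* not a function entry at all (e.g. mid-function address) */
}

/* An instrumented call site of type int (*)(const char *). Returns -1 when
 * the check blocks the call, otherwise the callee's result. */
int call_str_fn(str_fn fp, const char *arg) {
    if (!cfi_check((void (*)(void))fp, TYPE_STR_FN))
        return -1;
    return fp(arg);
}

static void report(const char *label, int r) {
    printf("%-44s %s\n", label, r == -1 ? "BLOCKED" : "allowed");
}

int main(void) {
    /* 1. The pointer holds the function the program intended. */
    report("intended target (log_string):", call_str_fn(log_string, "x"));
    /* 2. Pointer redirected to a function of a different type. */
    report("different signature (square):", call_str_fn((str_fn)square, "x"));
    /* 3. Pointer redirected into the middle of a function body. */
    str_fn mid = (str_fn)(uintptr_t)((const char *)(uintptr_t)log_string + 4);
    report("mid-function address:", call_str_fn(mid, "x"));
    /* 4. Pointer redirected to another function of the SAME type: this is the
     *    case the thread is about. A type-based check cannot distinguish a
     *    legitimate entry point of matching type from the intended callee. */
    report("same signature (eval_string):", call_str_fn(eval_string, "x"));
    return 0;
}
```

Cases 2 and 3 are what type-based CFI is designed to stop; case 4 shows its limit as described in the thread, and is the reason such a check is layered with W^X, CFG/CET-style forward-edge and shadow-stack protections, and careful review of what entry points are address-taken, rather than relied on alone.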
-
When you're NOT dynamically generating code, it's still good to have W^X even in a memory-safe language, because there can still be exploits of unsafe library calls.