Of course, with a memory-safe language, W^X is not a needed mitigation. With runtime compilation, it is, as illustrated here, even in the way. https://twitter.com/TheMichaelBurge/status/978381073506643968 …
Umm, returning to scheme_eval_string makes any control of the instruction pointer in a process instant, easy code execution, W^X or not.
-
-
An attacker being able to overwrite a function pointer or return address doesn't mean they can run any code in the process. They need to choose code that the CFI implementation permits calling from there and they need to be able to point it at the dynamic address of that code.
-
scheme_eval_string is a legit entry point. Your CFI won't save you.
-
Not quite sure what you mean by that. Clang CFI will permit calling it if the type signature matches the calling site, which it might. An attacker will often only have control over function pointers in the heap via use-after-free, etc. and those often have restrictive types.
-
I might be confused about what clang CFI is doing there differently, going to read up on it. The CFI implementations I'm familiar with are mainly concerned about jumping into the middle of a function body for ROP primitive building.
-
That's what Microsoft CFG and Intel CET do for function pointers (along with not allowing function pointers to call functions that are identified as not indirectly callable), but Clang CFI is type-based.
-
Just noticing: if any of these control flow mechanisms stop an exploit, they do so regardless of whether W^X is active.
-
In the more narrow cases where they actually stop a vulnerability from being exploited, they don't really need that, but for powerful primitives like arbitrary write they aren't much good at making it harder to exploit if the attacker can just overwrite executable code.
-
We're talking about a very specific case here: having Racket in memory. Now w.r.t. CFI, there are two subcases: 1. CFI stops the attack. W^X is not needed. 2. CFI doesn't stop the attack. Attacker calls scheme_eval_string(). W^X doesn't stop the attack.