Of course, with a memory-safe language, W^X is not a needed mitigation. With runtime compilation, it is, as illustrated here, even in the way.https://twitter.com/TheMichaelBurge/status/978381073506643968 …
-
-
Not quite sure what you mean by that. Clang CFI will permit calling it if the type signature matches the calling site, which it might. An attacker will often only have control over function pointers in the heap via use-after-free, etc. and those often have restrictive types.
-
I might be confused about what clang CFI is doing there differently, going to read up on it. The CFI implementations I'm familiar with are mainly concerned about jumping into the middle of a function body for ROP primitive building.
-
That's Microsoft CFG and what Intel CET do for function pointers (along with not allowing function pointers to call functions that are identified as not indirectly callable) but Clang CFI is type-based.
-
Just noticing: if any of these control flow mechanisms stop an exploit, they do so regardless of whether W^X is active.
-
In the more narrow cases where they actually stop a vulnerability from being exploited, they don't really need that, but for powerful primitives like arbitrary write they aren't much good at making it harder to exploit if the attacker can just overwrite executable code.
-
We're talking about a very specific case here: having Racket in memory. Now w.r.t. CFI, there are two subcases: 1. CFI stops the attack. W^X is not needed. 2. CFI doesn't stop the attack. Attacker calls scheme_eval_string(). W^X doesn't stop the attack.
-
Or as a corrolary: if you can call eval(), W^X is security theater.
-
It can essentially always be bypassed even without eval(...) or an interpreter though. It only puts up a small barrier to exploitation, but that can be very valuable when considering how difficult it can be to make reliable memory corruption exploits.
- 4 more replies
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.