Hi,

On Fri, 17 Jun 2016, Bernd Schmidt wrote:

> This is another step to flesh out -mmitigate-rop for i386 a little more. 
> The basic idea was (I think) Richard Henderson's: if we could arrange to 
> have every return preceded by a leave instruction, it would make it 
> harder to construct an attack since it takes away a certain amount of 
> control over the stack pointer. I extended this to move the leave/ret 
> pair to libgcc, preceded by a sequence of nops, so as to take away the 
> possibility of jumping into the middle of an instruction preceding the 
> leave/ret pair and thereby skipping the leave.

But does this really improve something?  Essentially you're replacing

  <random bytes1> 0xc9 0xc3 <random bytes2>

(the end of a function containing "leave;ret") with

  <random bytes1> 0xe9 <four random bytes> <random bytes2>

where the four random bytes are different for each rewritten function 
return (but correlated as they differ exactly by their position 
difference).

I'm not sure why the latter sequence is better?


Ciao,
Michael.

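As an added worked example of the byte-level argument in Michael's reply (illustrative code written for this page, not part of the thread, of the GCC patch, or of libgcc): it encodes the 5-byte `jmp rel32` (opcode `0xe9`, little-endian displacement relative to the end of the instruction) that would replace each `leave; ret`, shows that the displacements of two rewritten sites differ by exactly the sites' position difference, and checks whether the four displacement bytes themselves contain a return opcode, which is one concrete way the rewritten sequence can hand an attacker a `ret` byte the original did not have. The stub address `sample_target` and the three return-site addresses in `sample_sites` are constructed for the example and are not real addresses from any binary.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Encode "jmp rel32" (opcode 0xe9) placed at address `site` and targeting
 * `target`.  On x86 the displacement is relative to the end of the 5-byte
 * instruction and is stored little-endian. */
static void encode_jmp_rel32(uint32_t site, uint32_t target, uint8_t out[5])
{
    uint32_t rel = target - (site + 5u);   /* wraps correctly for backward jumps */
    out[0] = 0xe9;
    for (int i = 0; i < 4; i++)
        out[1 + i] = (uint8_t)(rel >> (8 * i));
}

/* The displacement as a signed value, for readability. */
static int32_t rel32_for(uint32_t site, uint32_t target)
{
    return (int32_t)(target - (site + 5u));
}

/* 1 if any of the four displacement bytes is itself a return opcode
 * (0xc3 ret, 0xc2 ret imm16, 0xcb retf, 0xca retf imm16), i.e. a byte that
 * decodes as an unintended "ret" if execution lands in the middle of the jmp. */
static int ret_byte_in_jmp(uint32_t site, uint32_t target)
{
    uint8_t enc[5];
    encode_jmp_rel32(site, target, enc);
    for (int i = 1; i < 5; i++)
        if (enc[i] == 0xc3 || enc[i] == 0xc2 || enc[i] == 0xcb || enc[i] == 0xca)
            return 1;
    return 0;
}

/* The correlation Michael points out: for two rewritten sites a and b that
 * jump to the same stub, rel_a - rel_b equals site_b - site_a exactly. */
static int32_t displacement_delta(uint32_t site_a, uint32_t site_b, uint32_t target)
{
    uint32_t rel_a = target - (site_a + 5u);
    uint32_t rel_b = target - (site_b + 5u);
    return (int32_t)(rel_a - rel_b);
}

static size_t count_sites_with_ret_byte(const uint32_t *sites, size_t n,
                                        uint32_t target)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        hits += (size_t)ret_byte_in_jmp(sites[i], target);
    return hits;
}

/* Constructed input: a hypothetical address for the libgcc "nops; leave; ret"
 * stub and three hypothetical return sites in a 32-bit image.  Not real. */
static const uint32_t sample_target = 0x08049c30u;
static const uint32_t sample_sites[] = { 0x08049000u, 0x08049a68u, 0x0804a000u };
#define SAMPLE_SITES (sizeof sample_sites / sizeof sample_sites[0])

int main(void)
{
    for (size_t i = 0; i < SAMPLE_SITES; i++) {
        uint8_t enc[5];
        encode_jmp_rel32(sample_sites[i], sample_target, enc);
        printf("site %08lx: ", (unsigned long)sample_sites[i]);
        for (int j = 0; j < 5; j++)
            printf("%02x ", enc[j]);
        printf("(rel32 %ld)%s\n", (long)rel32_for(sample_sites[i], sample_target),
               ret_byte_in_jmp(sample_sites[i], sample_target)
                   ? " <- displacement contains a ret opcode byte" : "");
    }
    printf("%zu of %zu rewritten returns carry a ret byte in the displacement\n",
           count_sites_with_ret_byte(sample_sites, SAMPLE_SITES, sample_target),
           SAMPLE_SITES);
    return 0;
}
```

With these constructed addresses the site at `0x08049a68` encodes as `e9 c3 01 00 00`, so the rewrite puts a `0xc3` right where the `leave` opcode used to sit; the other two sites do not. Which sites get such a byte is fixed entirely by the stub address and each site's position, so an attacker reading the binary knows them as well as the original `c9 c3` pairs.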