On 06/17/2016 04:06 AM, Bernd Schmidt wrote:
> This is another step to flesh out -mmitigate-rop for i386 a little more.
> The basic idea was (I think) Richard Henderson's: if we could arrange to
> have every return preceded by a leave instruction, it would make it
> harder to construct an attack since it takes away a certain amount of
> control over the stack pointer. I extended this to move the leave/ret
> pair to libgcc, preceded by a sequence of nops, so as to take away the
> possibility of jumping into the middle of an instruction preceding the
> leave/ret pair and thereby skipping the leave.
I don't think anyone on our team can take credit for the idea. We found that folks working in this space were calling out leave;ret as being harder to exploit.

The key being that to use leave;ret they have to control the frame pointer and the saved return address. Typically they have control of just the saved return address.


> This has a performance impact when -mmitigate-rop is enabled, I made
> some measurements a while ago and it looks like it's about twice the
> impact of -fno-omit-frame-pointer.
Right. My idea is to use this mitigation for functions which aren't protected by SSP (fixing the SSP epilogues is a distinct project; Florian should have some details on what we need to do to make those difficult to attack). So we're not paying the cost on every function, just those which aren't protected by SSP.

Jeff
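The property the thread discusses is that every `ret` in a mitigated function is immediately preceded by `leave`. A defender who wants to confirm that a build actually has that shape can audit the disassembly. The script below is an added example, not part of this thread or of the GCC patch: it parses objdump-style text (the `SAMPLE_DISASM` string is constructed by hand, not real compiler output) and reports, per function, the offsets of any `ret` that is not preceded by `leave`. The function names `unprotected` and `protected` are hypothetical.

```python
import re
from typing import Dict, List

# Constructed objdump-style i386 disassembly, not real compiler output.
# `unprotected` ends in pop;ret (plain epilogue); `protected` ends in leave;ret.
SAMPLE_DISASM = """
00000000 <unprotected>:
   0:\t55                   \tpush   %ebp
   1:\t89 e5                \tmov    %esp,%ebp
   3:\t5d                   \tpop    %ebp
   4:\tc3                   \tret
00000005 <protected>:
   5:\t55                   \tpush   %ebp
   6:\t89 e5                \tmov    %esp,%ebp
   8:\tc9                   \tleave
   9:\tc3                   \tret
"""

# "00000000 <name>:" lines open a new function in objdump -d output.
FUNC_RE = re.compile(r'^[0-9a-f]+ <(\S+)>:$')
# "   4:<tab>c3 ...<tab>ret" lines: capture the offset and the mnemonic.
INSN_RE = re.compile(r'^\s*([0-9a-f]+):\t(?:[0-9a-f]{2} )+\s*\t(\S+)')


def audit_epilogues(disasm: str) -> Dict[str, List[int]]:
    """Map each function name to the offsets of `ret` instructions that
    are not immediately preceded by `leave`. An empty list means every
    return in that function has the leave;ret shape."""
    findings: Dict[str, List[int]] = {}
    current = None
    prev_mnemonic = None
    for line in disasm.splitlines():
        m = FUNC_RE.match(line)
        if m:
            current = m.group(1)
            findings[current] = []
            prev_mnemonic = None  # epilogue check restarts per function
            continue
        m = INSN_RE.match(line)
        if not m or current is None:
            continue
        offset, mnemonic = int(m.group(1), 16), m.group(2)
        if mnemonic == 'ret' and prev_mnemonic != 'leave':
            findings[current].append(offset)
        prev_mnemonic = mnemonic
    return findings


def all_returns_use_leave(disasm: str) -> bool:
    """True when no function in the disassembly has a bare ret."""
    return all(not offsets for offsets in audit_epilogues(disasm).values())


if __name__ == '__main__':
    for name, offsets in audit_epilogues(SAMPLE_DISASM).items():
        status = 'ok' if not offsets else 'bare ret at ' + ', '.join(hex(o) for o in offsets)
        print(f'{name}: {status}')
```

Run it against `objdump -d` output of an object file compiled with and without the mitigation; functions whose epilogue was moved into libgcc will show no `ret` at all and so produce no findings, which is the expected result for that variant.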
