Re: i386/prologues: ROP mitigation for normal function epilogues

2016-06-21 Thread Bernd Schmidt
On 06/20/2016 02:08 PM, Michael Matz wrote: P.S: Though I do feel these ROP counter measures are not much more than security by obscurity; I guess enough obscurity indeed can at least lead to harder to exploit programs. I think security by obscurity is the wrong term for this. But I kind of k

Re: i386/prologues: ROP mitigation for normal function epilogues

2016-06-20 Thread Michael Matz
Hi, On Fri, 17 Jun 2016, Bernd Schmidt wrote: > > The "0xe9 " essentially is the leave+return opcode, > > after all it jumps to them (let's ignore the possibility that the jump > > target address might contain a 0xc3 byte). So if the attacker finds > > some interesting gadget in I don't see

Re: i386/prologues: ROP mitigation for normal function epilogues

2016-06-17 Thread Jeff Law
On 06/17/2016 08:29 AM, Michael Matz wrote: Hi, On Fri, 17 Jun 2016, Bernd Schmidt wrote: On 06/17/2016 04:03 PM, Michael Matz wrote: But does this really improve something? Essentially you're replacing 0xc9 0xc3 (the end of a function containing "leave;ret") with 0xe9 where the

Re: i386/prologues: ROP mitigation for normal function epilogues

2016-06-17 Thread Jeff Law
On 06/17/2016 04:06 AM, Bernd Schmidt wrote: This is another step to flesh out -mmitigate-rop for i386 a little more. The basic idea was (I think) Richard Henderson's: if we could arrange to have every return preceded by a leave instruction, it would make it harder to construct an attack since it

Re: i386/prologues: ROP mitigation for normal function epilogues

2016-06-17 Thread Bernd Schmidt
On 06/17/2016 04:29 PM, Michael Matz wrote: On Fri, 17 Jun 2016, Bernd Schmidt wrote: On 06/17/2016 04:03 PM, Michael Matz wrote: But does this really improve something? Essentially you're replacing 0xc9 0xc3 (the end of a function containing "leave;ret") with 0xe9 where the four

Re: i386/prologues: ROP mitigation for normal function epilogues

2016-06-17 Thread Michael Matz
Hi, On Fri, 17 Jun 2016, Bernd Schmidt wrote: > On 06/17/2016 04:03 PM, Michael Matz wrote: > > But does this really improve something? Essentially you're replacing > > > >0xc9 0xc3 > > > > (the end of a function containing "leave;ret") with > > > >0xe9 > > > > where the four rand

Re: i386/prologues: ROP mitigation for normal function epilogues

2016-06-17 Thread Bernd Schmidt
On 06/17/2016 04:03 PM, Michael Matz wrote: But does this really improve something? Essentially you're replacing 0xc9 0xc3 (the end of a function containing "leave;ret") with 0xe9 where the four random bytes are different for each rewritten function return (but correlated as they di

Re: i386/prologues: ROP mitigation for normal function epilogues

2016-06-17 Thread Michael Matz
Hi, On Fri, 17 Jun 2016, Bernd Schmidt wrote: > This is another step to flesh out -mmitigate-rop for i386 a little more. > The basic idea was (I think) Richard Henderson's: if we could arrange to > have every return preceded by a leave instruction, it would make it > harder to construct an att

Re: i386/prologues: ROP mitigation for normal function epilogues

2016-06-17 Thread Bernd Schmidt
On 06/17/2016 12:37 PM, Jakub Jelinek wrote: Do you really need to require frame pointer for this? I mean, couldn't you instead use what you do if a function needs frame pointer and otherwise just replace the original ret with pushq %rbp movq %rsp, %rbp jmp __rop

Re: i386/prologues: ROP mitigation for normal function epilogues

2016-06-17 Thread Jakub Jelinek
On Fri, Jun 17, 2016 at 12:06:48PM +0200, Bernd Schmidt wrote: > This is another step to flesh out -mmitigate-rop for i386 a little more. The > basic idea was (I think) Richard Henderson's: if we could arrange to have > every return preceded by a leave instruction, it would make it harder to > cons

i386/prologues: ROP mitigation for normal function epilogues

2016-06-17 Thread Bernd Schmidt
This is another step to flesh out -mmitigate-rop for i386 a little more. The basic idea was (I think) Richard Henderson's: if we could arrange to have every return preceded by a leave instruction, it would make it harder to construct an attack since it takes away a certain amount of control ove