Theo de Raadt wrote in
 <53203.1675056...@cvs.openbsd.org>:
 |I was reading some openssl source code, in particular the x86 assembly
 |language files (which accelerate some crypto operations), and I find
 |many cases where data tables are intentionally inserted into text (code)
 |segments, and those tables include the byte value 0xC3.
 |
 |By intentional, I mean there's a comment, don't let me judge the tone of it:
 |
 |&set_label("AES_Td",64);        # Yes! I keep it in the code segment!

This could get you going with only TEXT and stack/BSS!
Boost cache hotness and reduce memory wastage!!
It was a real thing -- i am in full sympathy to the neat idea (a
common thing at some time i lived through).

  ...
 |Far be it from me to suggest that the security experts over there in
 |OpenSSL land are unaware of modern exploitation methods!  Very far from
 |that, very very far.

I would presume the above code to be very old.  There were times
when that project was lingering "on empty", and speeding assembler
optimizations was major traffic on their ML.

On most operating systems code segment is readable anyway.
I would presume adjusting execution pointer to such a byte would
result in abortion because often compilations use
stack-protector-strong and such (sigh).  (..Yes, yes..)
But congratulations to your idea, surely many interested readers
have an eye on it!

They have just finished their full QUIC implementation, by
sheer coincidence i was posting a very minor issue that day
shortly after, so i saw it in the tree.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
