Seth David Schoen <sch...@loyalty.org> wrote:

> It makes perfect sense to me that the tables in particular ought to go
> back in .rodata (as they are, well, read-only data).  I wouldn't think
> that optimizations should be allowed to bypass code/data separation
> policies.

However that is the decision that was intentionally made.

There are comments celebrating it.

> Currently I see the .text section of something as simple as /bin/ls with
> 623 0xc3 bytes that disassemble as retq instructions, plus an additional
> 116 0xc3 bytes that are part of a longer instruction.  For the .text
> section in the /usr/bin/openssl binary, it seems to be 316 and 145,
> respectively (presumably because so much of the actual functionality has
> been broken out into libssl and libcrypto).

You will know the answer if you use the tools.

> So, would the marginal
> benefit of moving the tables to .rodata, without other attempts to reduce
> ROP gadget availability in libraries and binaries, be very high in terms
> of the feasibility of ROP to an attacker?

We have some rather substantial gadget reduction from other methods, and it
makes a big difference. [1]

What we don't need is old garbage moving the needle in the opposite
direction.

But you can judge this for yourself using the online tools.  You don't
need to ask the rhetorical question.  I have my own assessment of the
situation, but you don't need to take my word for it either.

[1] Todd Mortimer did most of that work.  If you want to be even more
safe, use a fixed-size instruction architecture with RETGUARD, then
even the epilogues are unusable.  He's given two talks about this, the
2nd slide presentation is better.
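The "623 0xc3 bytes in .text" figure quoted above is a hardening metric you can reproduce yourself. As an added example (not from this thread, and not OpenBSD's or Todd Mortimer's tooling), the following builds a constructed minimal ELF64 image with the same small lookup table placed once beside the code in .text and once in .rodata, then counts 0xc3 bytes per section; the image builder, parser and sample bytes are assumptions made for the demonstration.

```python
import struct

def build_elf64(sections):
    """Assemble a minimal little-endian ELF64 image (constructed test input, not a
    real binary) holding the given {name: bytes} sections plus a .shstrtab."""
    shstrtab, name_off = b"\0", {}
    for n in list(sections) + [".shstrtab"]:
        name_off[n] = len(shstrtab)
        shstrtab += n.encode() + b"\0"
    blobs = dict(sections, **{".shstrtab": shstrtab})
    payload, shdrs = b"", [b"\0" * 64]          # index 0 is the mandatory null header
    for n, blob in blobs.items():
        off = 64 + len(payload)                  # section bodies follow the 64-byte ELF header
        payload += blob
        shdrs.append(struct.pack("<IIQQQQIIQQ", name_off[n], 1, 0, 0, off, len(blob), 0, 0, 1, 0))
    shoff = 64 + len(payload)                    # section header table sits after the bodies
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9 + struct.pack(
        "<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, 0, shoff, 0, 64, 0, 0, 64, len(shdrs), len(shdrs) - 1)
    return ehdr + payload + b"".join(shdrs)

def elf64_sections(data):
    """Parse ELF64 (little-endian) section headers and return {section name: bytes}."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    shoff = struct.unpack_from("<Q", data, 0x28)[0]
    shentsize, shnum, shstrndx = struct.unpack_from("<HHH", data, 0x3A)
    hdrs = [struct.unpack_from("<IIQQQQ", data, shoff + i * shentsize) for i in range(shnum)]
    st_off, st_size = hdrs[shstrndx][4:6]
    strtab = data[st_off:st_off + st_size]
    out = {}
    for name_idx, _type, _flags, _addr, off, size in hdrs:
        name = strtab[name_idx:strtab.index(b"\0", name_idx)].decode()
        out[name] = data[off:off + size]
    return out

def ret_bytes_by_section(data):
    """Count 0xc3 bytes in .text and .rodata. Only those in the executable .text matter:
    each is a potential ret, whether a real retq, part of a longer instruction or table data."""
    secs = elf64_sections(data)
    return {n: secs.get(n, b"").count(0xC3) for n in (".text", ".rodata")}

# Constructed sample: a tiny function (mov eax,1; ret) and a 6-byte table containing three 0xc3 bytes.
CODE = bytes.fromhex("b801000000c3")
TABLE = bytes([0x01, 0xC3, 0x10, 0xC3, 0xC3, 0x7F])
TABLE_IN_TEXT = build_elf64({".text": CODE + TABLE, ".rodata": b""})   # table emitted beside the code
TABLE_IN_RODATA = build_elf64({".text": CODE, ".rodata": TABLE})       # table kept in read-only data

if __name__ == "__main__":
    print("table in .text:  ", ret_bytes_by_section(TABLE_IN_TEXT))    # {'.text': 4, '.rodata': 0}
    print("table in .rodata:", ret_bytes_by_section(TABLE_IN_RODATA))  # {'.text': 1, '.rodata': 3}
```

On a real binary, replace the constructed images with `open("/bin/ls", "rb").read()`; the parser only handles little-endian ELF64 with a section header table, so stripped or big-endian images raise or misparse.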
