[LLVMdev] mmap and vm_protect on ARM+Apple systems
John Criswell
criswell at illinois.edu
Tue Nov 27 07:03:04 PST 2012
On 11/27/12 3:26 AM, David Chisnall wrote:
> On 27 Nov 2012, at 01:20, Jim Grosbach wrote:
>
>> They work by allocating RW memory, then switching the permissions to RX before running any code stored there. That requires special process permissions.
> Is this really required? The canonical way of getting around this restriction is to mmap the same physical page as RW in one location and RX in another. I've not tested this on ARM/Darwin, but it works on every R^X platform I've tried. You can then publish the address of the RX page and keep the RW page private inside the JIT, which makes exploiting the writeable-and-executable page very hard for malicious code because it needs to find both virtual addresses.
In this design, is the JIT and the JIT'ed program in the same address
space/process, or are they in different processes so that the JIT'ed
code never has access to the RW mapping of the frame?
If they're in the same process/address space (i.e., the JIT'ed program
does have access to the RW mapped page), then I think the argument that
having to guess two addresses to make an exploit work is a very weak
protection (especially since I would expect the JIT to arrange the
virtual address space so that fast bit masking could be used to compute
the RX address from the RW address and vice versa).
-- John T.
>
> David
>
>
> _______________________________________________
> LLVM Developers mailing list
> LLVMdev at cs.uiuc.edu http://llvm.cs.uiuc.edu
> http://lists.cs.uiuc.edu/mailman/listinfo/llvmdev
More information about the llvm-dev
mailing list