[LLVMdev] [PATCH] Protection against stack-based memory corruption errors using SafeStack

Volodymyr Kuznetsov vova.kuznetsov at epfl.ch
Fri Nov 14 07:31:59 PST 2014


Hi Stephen,

On Fri, Nov 14, 2014 at 5:39 AM, Stephen Checkoway <s at pahtak.org> wrote:

> Hi Volodymyr,
>
> On Nov 4, 2014, at 2:14 PM, Volodymyr Kuznetsov <vova.kuznetsov at epfl.ch>
> wrote:
>
> > With such protection in place, overwriting the return addresses or
> pivoting the stack would become nearly impossible in practice, along with
> many ROP attacks that are based on it.
>
> I agree that overwriting the return address becomes more difficult, but
> stack pivoting is still doable. On x86, overwriting a function pointer to
> point to
>
>         xchg    eax, esp
>         ret
>
> which is just two bytes, 0x94 0xc3, will pivot the stack to eax and start
> a return-oriented program when the function pointer is called.
>

Yes, good point indeed! Protecting against this would require preventing an
attacker from arbitrarily overwriting function pointers, which will be the
topic of our next set of patches ;)

- Volodymyr Kuznetsov
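The gadget Stephen describes is only two bytes, which is why it turns up so often in real binaries: it does not have to be emitted intentionally, it can sit inside the immediate of an unrelated instruction and is reachable because x86 has no instruction alignment. The scanner below is an added illustration, not code from the thread or from the SafeStack patches. It walks a constructed byte buffer (labelled as such in the code) at every byte offset and reports the 2-byte "xchg eax, esp ; ret" form (0x94 0xc3) from the thread, and, as a generalization beyond the message, the 3-byte "xchg r32, esp ; ret" forms encoded with opcode 0x87 plus a register-to-register ModR/M byte. Only the plain "ret" (0xc3) terminator is matched; the "ret imm16" (0xc2) variant is left out for brevity.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample "code section" for the demo (not real program text).
 * Bytes 6..7 form an unintended "xchg eax, esp ; ret" inside the immediate
 * of "mov eax, 0xc3940000"; bytes 10..11 are an intentional copy; bytes
 * 12..14 are the 3-byte "xchg ebx, esp ; ret" (87 e3 c3).                */
static const uint8_t sample_text[] = {
    0x55,                         /* push ebp                          */
    0x89, 0xe5,                   /* mov  ebp, esp                     */
    0xb8, 0x00, 0x00, 0x94, 0xc3, /* mov  eax, 0xc3940000              */
    0x5d,                         /* pop  ebp                          */
    0xc3,                         /* ret                               */
    0x94, 0xc3,                   /* xchg eax, esp ; ret               */
    0x87, 0xe3, 0xc3,             /* xchg ebx, esp ; ret               */
};

/* A ModR/M byte names register esp (code 4) in either its reg or its
 * r/m field, with mod == 11 (register-direct), i.e. "xchg r32, esp".  */
static int modrm_swaps_with_esp(uint8_t modrm)
{
    int mod = modrm >> 6, reg = (modrm >> 3) & 7, rm = modrm & 7;
    return mod == 3 && (reg == 4 || rm == 4);
}

/* Scan every byte offset (not just instruction boundaries) for a stack
 * pivot gadget ending in "ret". Writes up to max offsets into out and
 * returns the total number found.                                      */
size_t find_pivot_gadgets(const uint8_t *code, size_t len,
                          size_t *out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        int hit = 0;
        /* 94 c3: xchg eax, esp ; ret (the two bytes from the thread). */
        if (code[i] == 0x94 && i + 1 < len && code[i + 1] == 0xc3)
            hit = 1;
        /* 87 /r c3: xchg r32, esp ; ret for any general register.    */
        else if (code[i] == 0x87 && i + 2 < len &&
                 modrm_swaps_with_esp(code[i + 1]) && code[i + 2] == 0xc3)
            hit = 1;
        if (hit) {
            if (n < max)
                out[n] = i;
            n++;
        }
    }
    return n;
}

/* Helpers exposing the result of scanning the constructed sample.     */
size_t demo_gadget_count(void)
{
    size_t offs[8];
    return find_pivot_gadgets(sample_text, sizeof sample_text, offs, 8);
}

size_t demo_gadget_offset(size_t k)
{
    size_t offs[8];
    size_t n = find_pivot_gadgets(sample_text, sizeof sample_text, offs, 8);
    return k < n ? offs[k] : (size_t)-1;
}

int main(void)
{
    size_t offs[8];
    size_t n = find_pivot_gadgets(sample_text, sizeof sample_text, offs, 8);
    for (size_t i = 0; i < n && i < 8; i++)
        printf("pivot gadget at offset %zu\n", offs[i]);
    return 0;
}
```

The unintended hit at offset 6 is the instructive one: the compiler never emitted an xchg there, yet an attacker who controls a function pointer can call into the middle of the mov and land on a working pivot. Moving return addresses to a separate safe stack does nothing to stop that call, which is the gap the reply above concedes.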