[PATCH] Adding diversity for security

Nadav Rotem nrotem at apple.com
Thu Jan 23 22:19:03 PST 2014


On Jan 23, 2014, at 9:57 PM, Alp Toker <alp at nuanti.com> wrote:

> 
> The feature is sufficient to decisively thwart the recent trend of "farming" sites that crawl, scrape and reapply cracks within hours of each new point release. These automated attacks will never do decompilation or analysis -- they just search and replace byte patterns.
> 
> Reverse engineers aren't cheap to hire and these sites are only profitable because they're automated.

The original intent of the patch was to prevent Return-to-Program attacks, so this is slightly off-topic. The security industry is a lot more advanced than what you describe. It is really easy to remove NOPs in order to get signatures, and modern antiviruses do stuff like that. Actually, even if you completely change register allocation and scheduling other techniques would identify the code. For example tracking the order of system calls and/or library calls. Personally, I don’t think that adding NOPs to the instruction stream is as useful as changing scheduling or register allocation because removing NOPs is easy. Also, by introducing NOPs you are increasing the landing area for ROP attacks. You simply have more code to jump into.
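The reply above argues that NOP insertion is easy to undo for signature purposes. As an added illustration (not part of this thread and not code from the LLVM patch under discussion), the Python below normalises a constructed x86-64 instruction stream by removing NOP encodings before hashing, so two variants that differ only in inserted NOPs produce the same signature. It also shows the edge case a practitioner has to handle: stripping must work on instruction boundaries, since a raw byte-level pass mangles an instruction whose immediate happens to contain a NOP encoding. The NOP encoding table and the sample byte sequences are assumptions constructed for this example.

```python
"""Normalise x86-64 machine code by removing NOP padding before hashing.

Added example for the point made in the reply above: NOP insertion alone does
not defeat signature matching, because the signature can be taken over the
instruction stream with NOPs removed. The encoding table and byte sequences
are constructed for illustration; they are not from the LLVM patch.
"""
import hashlib

# Canonical NOP encodings (Intel's recommended multi-byte NOP forms), longest
# first so the byte-level matcher prefers the longest encoding at each position.
NOP_ENCODINGS = [
    bytes.fromhex("0f1f840000000000"),  # nopw 0x0(%rax,%rax,1)  8 bytes
    bytes.fromhex("0f1f8000000000"),    # nopl 0x0(%rax)         7 bytes
    bytes.fromhex("660f1f440000"),      # nopw 0x0(%rax,%rax,1)  6 bytes
    bytes.fromhex("0f1f440000"),        # nopl 0x0(%rax,%rax,1)  5 bytes
    bytes.fromhex("0f1f4000"),          # nopl 0x0(%rax)         4 bytes
    bytes.fromhex("0f1f00"),            # nopl (%rax)            3 bytes
    bytes.fromhex("6690"),              # xchg %ax,%ax           2 bytes
    bytes.fromhex("90"),                # nop                    1 byte
]


def strip_nops_from_instructions(instructions):
    """Drop NOP instructions from an already-disassembled instruction list.

    Each element is the encoded bytes of one instruction. Working on
    instruction boundaries is what makes this safe: a 0x90 byte inside an
    immediate operand is never mistaken for a NOP.
    """
    return b"".join(ins for ins in instructions if ins not in NOP_ENCODINGS)


def strip_nops_bytewise(code):
    """Naive byte-level variant: remove NOP encodings without disassembling.

    Cheaper, but it corrupts instructions whose operands happen to contain
    a NOP encoding (see the `mov $0x90,%eax` case below).
    """
    out = bytearray()
    i = 0
    while i < len(code):
        for nop in NOP_ENCODINGS:
            if code.startswith(nop, i):
                i += len(nop)
                break
        else:
            out.append(code[i])
            i += 1
    return bytes(out)


def signature(instructions):
    """Signature of a function body that is invariant under NOP insertion."""
    return hashlib.sha256(strip_nops_from_instructions(instructions)).hexdigest()


# Constructed sample: the same small function twice, once as emitted and once
# with NOPs of several lengths inserted between instructions.
ORIGINAL = [
    bytes.fromhex("55"),          # push %rbp
    bytes.fromhex("4889e5"),      # mov  %rsp,%rbp
    bytes.fromhex("897dfc"),      # mov  %edi,-0x4(%rbp)
    bytes.fromhex("8b45fc"),      # mov  -0x4(%rbp),%eax
    bytes.fromhex("83c001"),      # add  $0x1,%eax
    bytes.fromhex("5d"),          # pop  %rbp
    bytes.fromhex("c3"),          # ret
]
DIVERSIFIED = [
    ORIGINAL[0], bytes.fromhex("90"),
    ORIGINAL[1], bytes.fromhex("6690"),
    ORIGINAL[2], bytes.fromhex("0f1f00"),
    ORIGINAL[3],
    ORIGINAL[4], bytes.fromhex("0f1f440000"),
    ORIGINAL[5], ORIGINAL[6],
]
# An instruction whose immediate contains the single-byte NOP encoding.
MOV_EAX_0x90 = [bytes.fromhex("b890000000")]  # mov $0x90,%eax


def same_signature():
    """The diversified variant hashes to the original's signature."""
    return signature(ORIGINAL) == signature(DIVERSIFIED)


def bytewise_corrupts_immediate():
    """Byte-level stripping mangles the immediate; instruction-level does not."""
    code = b"".join(MOV_EAX_0x90)
    return (strip_nops_bytewise(code) != code
            and strip_nops_from_instructions(MOV_EAX_0x90) == code)


if __name__ == "__main__":
    print("signature invariant under NOP insertion:", same_signature())
    print("naive byte-level stripper corrupts mov $0x90,%eax:",
          bytewise_corrupts_immediate())
```

The instruction list stands in for the output of a disassembler; in practice the normaliser runs after disassembly so that the NOP test only ever sees whole instructions, which is why the byte-level variant is kept here only to show what goes wrong without that step.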