Message-ID: <20151117153951.GA28672@openwall.com>
Date: Tue, 17 Nov 2015 18:39:51 +0300
From: Solar Designer <solar@...nwall.com>
To: Bernd Schmidt <bernds_cb1@...nline.de>
Cc: oss-security@...ts.openwall.com
Subject: x86 ROP mitigation

Bernd, all -

A few days ago, Bernd Schmidt posted this gcc patch:

https://gcc.gnu.org/ml/gcc-patches/2015-11/msg01773.html

"This adds a new -mmitigate-rop option to the i386 port. The idea is to
mitigate against certain forms of attack called "return oriented
programming" that some of our security folks are concerned about.
[...]
This patch is a small step towards preventing this kind of attack.
I have a few more steps queued (not quite ready for stage 1), but
additional work will be necessary to give reasonable protection."

This was followed with a few tweets:

TTYtter> /th zz7
zz0> (x13) <RichFelker> #gcc i386 ROP mitigation https://gcc.gnu.org/ml/gcc-patches/2015-11/msg01773.html
zz1> <@solardiz> @RichFelker This is ridiculous as it is, but I'll defer judgement until I see further steps that Bernd has queued
zz2> <@RichFelker> @solardiz I have concerns about the deg to which is possible, but doesn't just reducing the freq of these bytes reduce chance of exploit?
zz3> <@solardiz> @RichFelker I think this patch alone doesn't help at all. It might break some pre-existing exploits, but so would many non-security options.
zz4> <@stevecheckoway> @solardiz @RichFelker I agree. This doesn't seem useful. ROP using only intended instructions works just fine (as does ROP without returns).
zz5> <@joshbressers> @stevecheckoway @solardiz @RichFelker I'm certainly not smart enough to help with this, but we should work together, don't just complain.
zz6> <@solardiz> @joshbressers @stevecheckoway @RichFelker I think one of us should ask Bernd to outline his plan and let the community comment on it
zz7> <@joshbressers> @solardiz @stevecheckoway @RichFelker You need to engage about this on oss-security. There is a plan, that patch is step 1.

Bernd, I'd appreciate it if you describe your plan in a reply to this
e-mail.  Please keep oss-security CC'ed.

Thank you for your work!

Alexander
