On Mon, Jun 18, 2018 at 09:28:04AM +0200, Jan Kurik wrote:
> = Proposed System Wide Change: Build non-RELRO ELF binaries with
> .plt.got isolation =
> https://fedoraproject.org/wiki/Changes/.plt.got_Isolation
>
> Owner(s):
> * Florian Weimer <fweimer at redhat dot com>
>
> Fedora 23 enabled hardening for all packages. However, some ELF
> binaries still use lazy binding. This change proposes additional
> hardening for them.

Hi,

First of all, thanks a lot for all your work!

I apologize in advance, since I'd not even heard of memory protection keys until reading this today, so my question below is probably quite stupid.

> == Detailed description ==
> With the RELRO and BIND_NOW dynamic linker features, it is possible to
> make the array of function pointers which is used to implement dynamic
> linking (the GOT) read-only at run time. This makes it harder for
> exploit writers to overwrite these function pointers and redirect
> execution.
>
> However, some ELF binaries are still built and linked without these
> hardening features. Sometimes, this is due to package maintainer
> preferences. Sometimes, there are technical reasons which preclude the
> use of BIND_NOW because the way the application is written, it relies
> on lazy binding.
>
> This change proposes to link ELF binaries in such a way that the
> <code>.plt.got</code> section is loaded as a separated page at run
> time. As a result, it is possible to use a kernel feature called
> [http://man7.org/linux/man-pages/man7/pkeys.7.html memory protection
> keys] to make the GOT with its function pointer array read-only most
> of the time.

A sentence in this page jumped out at me - the one about the WRPKRU instruction being completely unprivileged and so memory protection keys not being very useful if the attacker may execute arbitrary instructions. So I thought "well maybe they have in mind something like allocate a key, make the page read-only, then trash the key and start executing the program", but then...

> When the dynamic linker needs to perform a function
> symbol binding, it can make the GOT temporarily writable, for the
> current thread only.

...this came along. So what is supposed to stop an attacker who can inject arbitrary code into the program from modifying the keys? Or is this supposed to stop buffer-overflow exploits that overwrite the GOT and thus cause the attacker's code to be executed later? If so, then I apologize again, since it seems that this may be sufficient to prevent that type of attack indeed.

G'luck,
Peter

-- 
Peter Pentchev  roam@{ringlet.net,debian.org,FreeBSD.org} pp@xxxxxxxxxxxx
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13
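The mechanism the quoted Change text describes, and that the question above turns on, can be seen in a few lines of userspace code. The following is an added example for this archive page; it is not code from the thread, from the Fedora Change, or from glibc's dynamic linker. It assumes Linux with the glibc 2.27+ `pkey_alloc`/`pkey_mprotect`/`pkey_set`/`pkey_free` wrappers on an x86-64 CPU with PKU; on hardware or kernels without protection keys `pkey_alloc` fails and the demo reports that instead of failing. The page named `fake_got` and the slot values `0x1111`..`0x4444` are constructed stand-ins for the `.plt.got` page and its function-pointer slots. The page stays `PROT_WRITE` in the page tables throughout; only the key's access rights, which `pkey_set` changes through the unprivileged WRPKRU instruction for the calling thread, decide whether a store faults. That is exactly why the Change page says the protection holds against a stray write (a GOT overwrite from a memory-corruption bug) but not against an attacker who already executes arbitrary instructions in the process.

```c
/* Added example (not from the thread or glibc): a .plt.got-style page made
 * read-only by a protection key, with the per-thread "temporarily writable"
 * window the proposal describes. Assumes Linux, glibc >= 2.27, x86-64 PKU. */
#define _GNU_SOURCE
#include <errno.h>
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

enum { PKEY_DEMO_UNSUPPORTED = -1, PKEY_DEMO_FAIL = 0, PKEY_DEMO_OK = 1 };

static sigjmp_buf fault_env;

static void on_segv(int sig)
{
    (void)sig;
    siglongjmp(fault_env, 1);          /* unwind back into try_write */
}

/* Store v through p. Returns 1 if the store completed, 0 if it raised SIGSEGV
 * (a page-table fault and a protection-key fault both arrive as SIGSEGV). */
int try_write(volatile int *p, int v)
{
    struct sigaction sa, old;
    volatile int ok = 0;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old);
    if (sigsetjmp(fault_env, 1) == 0) {
        *p = v;
        ok = 1;
    }
    sigaction(SIGSEGV, &old, NULL);
    return ok;
}

/* Sanity check of try_write that needs no PKU: a PROT_READ page must fault. */
int readonly_page_write_faults(void)
{
    long pagesz = sysconf(_SC_PAGESIZE);
    int *p = mmap(NULL, pagesz, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return 0;
    int faulted = !try_write(p, 1);
    munmap(p, pagesz);
    return faulted;
}

/* Model of the proposal: fake_got stands in for the .plt.got page. It is mapped
 * PROT_READ|PROT_WRITE but tagged with a key whose rights disable writes. The
 * "dynamic linker" lifts that restriction for the current thread only
 * (pkey_set -> WRPKRU), patches a slot, and puts the restriction back. */
int pkey_demo(void)
{
    long pagesz = sysconf(_SC_PAGESIZE);
    int result = PKEY_DEMO_OK;
    int *fake_got = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (fake_got == MAP_FAILED)
        return PKEY_DEMO_FAIL;
    fake_got[0] = 0x1111;              /* constructed "resolved slot" value */

    int key = pkey_alloc(0, PKEY_DISABLE_WRITE);
    if (key < 0) {                     /* ENOSPC/EINVAL/ENOSYS: no PKU here */
        munmap(fake_got, pagesz);
        return PKEY_DEMO_UNSUPPORTED;
    }
    if (pkey_mprotect(fake_got, pagesz, PROT_READ | PROT_WRITE, key) != 0) {
        pkey_free(key);
        munmap(fake_got, pagesz);
        return PKEY_DEMO_FAIL;
    }

    /* 1. Page permissions allow writes, but the key does not: the store faults. */
    if (try_write(fake_got, 0x2222))
        result = PKEY_DEMO_FAIL;

    /* 2. Lazy-binding path: enable writes for this thread, patch, re-disable. */
    if (pkey_set(key, 0) != 0 || !try_write(fake_got, 0x3333) || fake_got[0] != 0x3333)
        result = PKEY_DEMO_FAIL;
    if (pkey_set(key, PKEY_DISABLE_WRITE) != 0)
        result = PKEY_DEMO_FAIL;

    /* 3. Reads still work; writes fault again until some code runs WRPKRU. */
    if (fake_got[0] != 0x3333 || try_write(fake_got, 0x4444))
        result = PKEY_DEMO_FAIL;

    pkey_free(key);
    munmap(fake_got, pagesz);
    return result;
}

int main(void)
{
    int r = pkey_demo();
    printf("pkey demo: %s\n", r == PKEY_DEMO_OK ? "ok" :
           r == PKEY_DEMO_UNSUPPORTED ? "unsupported on this machine" : "FAILED");
    return r == PKEY_DEMO_FAIL;
}
```

Step 2 is the window the Change text calls "temporarily writable, for the current thread only": PKRU is a per-thread register, so other threads keep faulting on the page while this one patches it. Because `pkey_set` needs no privilege, the example also makes the caveat concrete: the rights are a barrier against writes that arrive without a preceding `pkey_set`, not against code that can call it.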
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/message/RXKTYQKBHLQ66QVAHBNWI3CEGZKSQ7ZB/