> On Wed, Feb 20, 2019 at 2:53 PM Kees Cook <keescook@xxxxxxxxxxxx> wrote:
> > BTW, the attack that inspired grsecurity's RANDKSTACK is described in
> > these slides (lots of steps, see slide 79):
> > https://www.slideshare.net/scovetta/stackjacking
>
> Sorry, as PaX Team reminded me, I misremembered this. RANDKSTACK
> already existed. It was STACKLEAK that was created in response to this
> particular attack. I still think this attack is worth understanding to
> see what hoops must be jumped through when dealing with stack
> randomization (and other defenses).

Yes, I actually went through a number of stack-based attacks, including the
one above, in order to understand what we are trying to protect against.
If you are interested, I wrote some notes here, mainly for organizing my own
thoughts and understanding:

https://docs.google.com/document/d/1h1gRuZpOjVxaaDag-MxOrASka0OEBeApQOl8OK2GIVY/edit?usp=sharing

It also has references to slide decks of relevant attacks. I am going to
update them now based on our good discussion here.

Anyhow, I am glad that we arrived at a conclusion here and I know how to
proceed. So, I will start working on randomizing after pt_regs in the
direction that Andy outlined.

With regards to disabling iopl(), this is a pretty separate thing. If anyone
wants to run with this and submit a patch, please go ahead. I can also do it
a bit later (after a study of it, since I have never used it before) if no one
finds bandwidth in the meantime.

Best Regards,
Elena.