From: Mark Kettenis <mark.kettenis@xs4all.nl>
To: ppluzhnikov@google.com
Cc: fche@redhat.com, mark.kettenis@xs4all.nl, joseph@codesourcery.com,
	drow@false.org, gdb-patches@sourceware.org, pedro@codesourcery.com,
	uweigand@de.ibm.com
Subject: Re: RFC: Longjmp vs LD_POINTER_GUARD revisited
Date: Mon, 16 Nov 2009 16:19:00 -0000
Message-ID: <200911161616.nAGGG2Wn017852@glazunov.sibelius.xs4all.nl>
In-Reply-To: <8ac60eac0911160739x6bbc1237w49556339ed855e66@mail.gmail.com> (message from Paul Pluzhnikov on Mon, 16 Nov 2009 07:39:45 -0800)


> Date: Mon, 16 Nov 2009 07:39:45 -0800
> From: Paul Pluzhnikov <ppluzhnikov@google.com>
> 
> On Mon, Nov 16, 2009 at 7:13 AM, Frank Ch. Eigler <fche@redhat.com> wrote:
> 
> > Well, it's nothing personal.  If glibc made it trivial decrypt this
> > stuff on demand, it'd be just as easy for an attacker.
> 
> That's exactly my point: the process itself can trivially discover the
> problem by executing two setjmps with known resume addresses (an
> implementation I did in my previous job (for a Valgrind-like checker)
> took less than 20 lines of assembly), so I wonder how much of a
> deterrent this really is.

Well, the whole purpose of encrypting the setjmp buffer this way is to
prevent an attacker from longjmp-ing to "shellcode" by overwriting the
setjmp buffer by exploiting some sort of buffer overflow.  The fact
that an attacker can trivially write some shellcode to figure out the
cookie doesn't really help him because he'll still have to find a way
to execute that shellcode.

At the same time, this means that there's little benefit from coming
up with clever encrypting algorithms (a simple XOR is probably good
enough) and going through extreme lengths to hide the cookie.  So I
don't think an agreed upon interface between glibc and GDB, on how to
find the cookie and which encrypting algorithm is used would have a
significant impact on security.

> > Maybe this is a case for something akin to libthread_db.
> 
> Hmm, libc_db to subsume libthread_db, and answer all kinds of
> questions about glibc internals; wouldn't GDB's life be easier! OTOH,
> if the sysadmin is not careful to remove libc_db from a production
> system, then the attacker could just dlopen libc_db and hack away.

I'm not sure something similar to libthread_db is such a terribly good
idea; it tends to be a bitch for cross-debugging.  As to the security
implications of having such a libc_db, see my argument above.
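As an added illustration of the argument in this message (not code from the thread or from glibc): a toy model of the guarded jmp_buf, modeled on glibc's x86-64 PTR_MANGLE (XOR with the process's pointer guard, then rotate left by 17 bits). The guard value, the addresses and every function name below are constructed for the example. It shows the two things the discussion turns on: a raw address stored into the saved-pc slot by an overflow does not become the longjmp target unless the writer knows the guard, and a debugger that does know the guard (the piece an agreed glibc/GDB interface would expose) recovers the real resume address with the same demangle step longjmp uses.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy model of the jmp_buf pointer guard discussed in the thread.
   Modeled on glibc's x86-64 PTR_MANGLE: XOR with a per-process guard,
   then rotate left by 17 bits.  The guard and addresses used below are
   constructed for this example, not read from a real process. */
#define PTR_ROT 17

static uint64_t rotl64(uint64_t v, unsigned n) { return (v << n) | (v >> (64 - n)); }
static uint64_t rotr64(uint64_t v, unsigned n) { return (v >> n) | (v << (64 - n)); }

/* Applied on setjmp: the saved register never sits in memory in clear. */
uint64_t ptr_mangle(uint64_t ptr, uint64_t guard)
{
    return rotl64(ptr ^ guard, PTR_ROT);
}

/* Applied on longjmp, and the step a debugger must perform to display the buffer. */
uint64_t ptr_demangle(uint64_t mangled, uint64_t guard)
{
    return rotr64(mangled, PTR_ROT) ^ guard;
}

/* Minimal stand-in for jmp_buf: only the guarded slots matter here. */
struct toy_jmp_buf {
    uint64_t mangled_sp;
    uint64_t mangled_pc;
};

void toy_setjmp(struct toy_jmp_buf *b, uint64_t sp, uint64_t pc, uint64_t guard)
{
    b->mangled_sp = ptr_mangle(sp, guard);
    b->mangled_pc = ptr_mangle(pc, guard);
}

/* Address longjmp would actually resume at for the buffer contents given. */
uint64_t toy_longjmp_target(const struct toy_jmp_buf *b, uint64_t guard)
{
    return ptr_demangle(b->mangled_pc, guard);
}

/* Normal path: setjmp then longjmp on the same buffer, guard known to libc. */
uint64_t roundtrip_via_buf(uint64_t sp, uint64_t pc, uint64_t guard)
{
    struct toy_jmp_buf b;
    toy_setjmp(&b, sp, pc, guard);
    return toy_longjmp_target(&b, guard);
}

/* Mitigation check: an overflow stores a raw address into the saved-pc slot
   without knowing the guard.  Returns 1 if control would land exactly where
   the corrupted value says, 0 if the guard diverted it elsewhere. */
int overwrite_reaches_chosen_address(uint64_t raw_written, uint64_t guard)
{
    struct toy_jmp_buf b = { 0, raw_written };
    return toy_longjmp_target(&b, guard) == raw_written;
}

int main(void)
{
    const uint64_t guard = 0x5a3c9e1f7b2d4680ULL;  /* constructed guard value */
    const uint64_t pc    = 0x0000000000401136ULL;  /* constructed resume address */
    struct toy_jmp_buf b;

    toy_setjmp(&b, 0x00007ffd00001000ULL, pc, guard);
    printf("saved pc slot          : 0x%016llx\n", (unsigned long long)b.mangled_pc);
    printf("longjmp target (guard) : 0x%016llx\n",
           (unsigned long long)toy_longjmp_target(&b, guard));
    printf("raw overwrite lands on its chosen address: %d\n",
           overwrite_reaches_chosen_address(0x0000000000402000ULL, guard));
    return 0;
}
```

The debugger-side view is the same `ptr_demangle` call: once GDB knows where the guard lives and that the transform is XOR-plus-rotate, it prints the real resume address from the raw slot, which is exactly the information an agreed interface would have to carry.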

