Federico Bento · Sep 13, 2019 · 12:30 PM UTC

Federico Bento

Federico Bento @uid1000

13 Sep 2019

"Control-Flow Integrity for the Linux kernel: A Security Evaluation" is the work I've done for my Masters thesis where I analyze how the PaX Team's (public) RAP holds up to stop ROP when applied to the Linux kernel. You may want to check out chapter 3. alunos.dcc.fc.up.pt/~up20140…

204

PaX Team · Sep 13, 2019 · 9:30 PM UTC

PaX Team @paxteam

13 Sep 2019

this is a sad joke for a 'thesis' i'm afraid. you should have kept true to your word and kept us in the loop about your findings to avoid all these errors.

Federico Bento · Sep 13, 2019 · 10:26 PM UTC

Federico Bento @uid1000

13 Sep 2019

You should also keep true to your word and assume defeat as I've found ways to bypass RAP on the public test patch?

PaX Team · Sep 18, 2019 · 9:42 PM UTC

PaX Team · Sep 18, 2019 · 9:42 PM UTC

PaX Team @paxteam

18 Sep 2019

Replying to @uid1000

section 3.3 is even worse. it shows an 'exploit' by changing memory directly from gdb. it only shows you couldn't even find a real bug or create one yourself to do it for real. second, you missed the fact that the xor cookie defense applies to all return addresses, iret included.

Sep 18, 2019 · 9:42 PM UTC

Federico Bento · Sep 18, 2019 · 10:08 PM UTC

Federico Bento @uid1000

18 Sep 2019

Replying to @paxteam

So what does assuming arbitrary r/w mean? gdb does just that, and it's easier for people to understand (not that you have experience with that). If you say so... I can't really verify that.

PaX Team · Sep 19, 2019 · 8:01 AM UTC

PaX Team @paxteam

19 Sep 2019

it's described in my H2HC15 presentation that you even linked to (reference ) but clearly never read or understood.

more replies