PaX Team · Oct 29, 2019 · 11:40 AM UTC

PaX Team

PaX Team @paxteam

29 Oct 2019

a myth from the same academic jokers^Wresearchers who graced us with their ASLR 'research' in the past: in res.mdpi.com/d_attachment/ap… table 2 shows RAP vulnerable to ret2user (it isn't, after all we invented KERNEXEC/i386 in 2003 and UDEREF in 2006 :) but everybody else not...

Jesse Larrew · Oct 29, 2019 · 8:51 PM UTC

Jesse Larrew @JesseLarrew

29 Oct 2019

In fairness, the authors cite another paper for the RAP statement. The cited paper argues that RAP is vulnerable to ret2user attacks, because it doesn't protect register contents on the kernel's interrupt stack. Is that not the case? (I don't know how RAP works personally.)

PaX Team · Oct 30, 2019 · 8:41 AM UTC

PaX Team · Oct 30, 2019 · 8:41 AM UTC

PaX Team @paxteam

30 Oct 2019

Replying to @JesseLarrew

didn't say they were the only ones to be wrong about this nor that this statement alone was the only wrong one (it's the inconsistency compared to the others). re: ret2user, i told you what PaX features had solved it over a decade ago :). and no, it's not RAP's job.

Oct 30, 2019 · 8:41 AM UTC