Giving the impression that you buy this new Intel processor and your problems are solved -- you don't get better than that coarse-grained forward edge check without significant static analysis and source code changes, something that was already done for the kernel in 2014 w/ RAP
For userland, there will be a rude awakening when people realize how much there is to do (@paxteam spent a lot of time on it), which slapping CET support in the compiler does nothing to address
... and then you're still stuck with a browser & a JIT engine, and all your CFI goes out of the window if an attacker gets arbitrary r/w first.
I mean, reality is: Most pwnage happens through the browser now, and CFI is simply not effective in the presence of all mainstream JITs.
When using out-of-process JIT (as in Edge), the JIT code is RO in the JIT process. Thus, CFI hashes compared on fwd-edges and the compare itself are in RO mem, i.e. XFG/RAP fwd-edges still work. Same is true for RAP backward-edges (ret hashes and compares are in RO memory as well).
Right. So can you elaborate why an attacker's arbitrary read/write would break RAP's CFI? Shadow-stack should also always remain read-only. In RFG it was only hidden but still writable, which indeed led to it being not effective, but this isn't true for a CET-like shadow-stack.
Arbitrary RW means I can have a callchain that goes from C++FuncA -> JITedCodeB -> C++FuncC, and I can then make the JIT engine garbage-collect JITedCodeB and put different code there. Not violating any CFI constraints, but executing arbitrary code.
That basically means you already have a poor CFI constraint at the start, whereby what you call from C++FuncA doesn’t validate its target (basically all JIT is equally trusted). And of course, CFI won’t do anything against data oriented attacks, which can equally influence exec :)
and how will you make sure that the replacement has a matching return type hash (and the rest of it is useful enough to do your bidding)?
Jun 17, 2020 · 8:03 PM UTC