comex · Feb 9, 2017 · 7:35 AM UTC

comex @comex

9 Feb 2017

oh i see grsecurity has /finally/ published their RAP thing, and they still claim it is “ROP-proof”. I guess I should go break it.

comex · Feb 9, 2017 · 8:08 AM UTC

comex @comex

9 Feb 2017

took a very quick look - am I missing something or is there no protection on memcpy? is that something reserved for the full version? -_-

comex · Feb 9, 2017 · 8:21 AM UTC

comex @comex

9 Feb 2017

and on some functions the return address check is just wrong. like this - see the problem? ghostbin.com/paste/kwznb

PaX Team · Feb 9, 2017 · 12:57 PM UTC

PaX Team @paxteam

9 Feb 2017

this is why the commercial version is claimed to be ROP-proof. lots of little things under the hood there ;).

comex · Feb 9, 2017 · 7:56 PM UTC

comex @comex

9 Feb 2017

pax_ret is the return addr encryption, right? well, I'd be interested in seeing the implementation… if it ever becomes public

PaX Team · Feb 9, 2017 · 8:38 PM UTC

PaX Team · Feb 9, 2017 · 8:38 PM UTC

PaX Team @paxteam

9 Feb 2017

Replying to @comex

it's a general macro to help instrument assembly code. right now only KERNEXEC makes use of it but i'll add RAP too.

Feb 9, 2017 · 8:38 PM UTC

PaX Team · Feb 9, 2017 · 8:40 PM UTC

PaX Team @paxteam

9 Feb 2017

the asm instrumentation is really no different from what the plugin does though so you can study/work with that.