On Mon, Jun 18, 2018 at 09:28:04AM +0200, Jan Kurik wrote:
> = Proposed System Wide Change: Build non-RELRO ELF binaries with
> .plt.got isolation =
> https://fedoraproject.org/wiki/Changes/.plt.got_Isolation
> 
> 
> Owner(s):
>   * Florian Weimer <fweimer at redhat dot com>
> 
> 
> Fedora 23 enabled hardening for all packages. However, some ELF
> binaries still use lazy binding. This change proposes additional
> hardening for them.

Hi,

First of all, thanks a lot for all your work!  I apologize in advance,
since I'd not even heard of memory protection keys until reading this
today, so my question below is probably quite stupid.

> == Detailed description ==
> With the RELRO and BIND_NOW dynamic linker features, it is possible to
> make the array of function pointers which is used to implement dynamic
> linking (the GOT) read-only at run time. This makes it harder for
> exploit writers to overwrite these function pointers and redirect
> execution.
> However, some ELF binaries are still built and linked without these
> hardening features. Sometimes, this is due to package maintainer
> preferences. Sometimes, there are technical reasons which preclude the
> use of BIND_NOW because the way the application is written, it relies
> on lazy binding.
> This change proposes to link ELF binaries in such a way that the
> <code>.plt.got</code> section is loaded as a separated page at run
> time. As a result, it is possible to use a kernel feature called
> [http://man7.org/linux/man-pages/man7/pkeys.7.html memory protection
> keys] to make the GOT with its function pointer array read-only most
> of the time.

A sentence in this page jumped out at me - the one about the WRPKRU
instruction being completely unprivileged and so memory protection
keys not being very useful if the attacker may execute arbitrary
instructions.  So I thought "well maybe they have in mind something
like allocate a key, make the page read-only, then trash the key and
start executing the program", but then...

> When the dynamic linker needs to perform a function
> symbol binding, it can make the GOT temporarily writable, for the
> current thread only.

...this came along.  So what is supposed to stop an attacker who can
inject arbitrary code into the program from modifying the keys?

Or is this supposed to stop buffer-overflow exploits that overwrite
the GOT and thus cause the attacker's code to be executed later?
If so, then I apologize again, since it seems that this may be
sufficient to prevent that type of attack indeed.

G'luck,
Peter

-- 
Peter Pentchev  roam@{ringlet.net,debian.org,FreeBSD.org} p...@storpool.com
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13
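The mechanism the proposal describes (a separate .plt.got page that is write-locked most of the time and opened for the current thread only while the dynamic linker binds a symbol) can be reproduced on a small scale. The following is an added C example, not code from glibc or from the Fedora change: it uses the pkey_alloc/pkey_mprotect/pkey_set API from pkeys(7) on a constructed one-page fake GOT, and falls back to plain mprotect (process-wide, so a weaker stand-in) where pkeys are unavailable; the names got_map, got_bind and got_demo are this example's own.

```c
#define _GNU_SOURCE
#include <sys/mman.h>
#include <unistd.h>
/* Constructed stand-in for an isolated .plt.got page: a page of function pointer slots. */
typedef long (*got_entry)(long);
static long doubled(long x) { return 2 * x; }
static int got_pkey = -1;  /* -1: pkeys unavailable, fall back to plain mprotect */

#ifndef PKEY_DISABLE_WRITE /* glibc < 2.27 or non-glibc: stubs so the fallback path compiles */
#define PKEY_DISABLE_WRITE 2
static int pkey_alloc(unsigned f, unsigned r) { (void)f; (void)r; return -1; }
static int pkey_free(int k) { (void)k; return 0; }
static int pkey_mprotect(void *a, size_t l, int p, int k) { (void)a; (void)l; (void)p; (void)k; return -1; }
static int pkey_set(int k, unsigned r) { (void)k; (void)r; return -1; }
#endif

/* Map one page for the fake GOT and lock it: tag it with a key whose write access
 * is disabled for this thread, or fall back to PROT_READ when pkeys are unavailable. */
static got_entry *got_map(void) {
    size_t psz = (size_t)sysconf(_SC_PAGESIZE);
    got_entry *got = mmap(NULL, psz, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (got == MAP_FAILED) return NULL;
    got_pkey = pkey_alloc(0, PKEY_DISABLE_WRITE);
    if (got_pkey >= 0 && pkey_mprotect(got, psz, PROT_READ | PROT_WRITE, got_pkey) != 0) {
        pkey_free(got_pkey); got_pkey = -1;
    }
    if (got_pkey < 0 && mprotect(got, psz, PROT_READ) != 0) return NULL;
    return got;
}

/* Bind one slot the way a lazy-binding dynamic linker would: open the page for writing,
 * store the pointer, close it again. With pkeys the unlock is a per-thread register write
 * (WRPKRU), so other threads keep faulting; the mprotect fallback opens it process-wide. */
static int got_bind(got_entry *got, size_t slot, got_entry target) {
    size_t psz = (size_t)sysconf(_SC_PAGESIZE);
    if (got_pkey >= 0 ? pkey_set(got_pkey, 0) != 0
                      : mprotect(got, psz, PROT_READ | PROT_WRITE) != 0)
        return -1;
    got[slot] = target;
    return got_pkey >= 0 ? pkey_set(got_pkey, PKEY_DISABLE_WRITE)
                         : mprotect(got, psz, PROT_READ);
}

/* Map, bind slot 0, then call through the (again write-locked) slot: 42 on success. */
long got_demo(void) {
    got_entry *got = got_map();
    if (!got || got_bind(got, 0, doubled) != 0) return -1;
    return got[0](21);
}
```

After got_demo returns, got_pkey tells you which path ran: a non-negative value means the page was really tagged with a protection key, -1 means the mprotect fallback was used.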


_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/RXKTYQKBHLQ66QVAHBNWI3CEGZKSQ7ZB/
