This is the mail archive of the gcc-patches@gcc.gnu.org mailing list for the GCC project.



Re: [2/2] i386 ROP mitigation


On 11/16/2015 07:18 PM, Uros Bizjak wrote:
> On Fri, Nov 13, 2015 at 9:47 PM, Bernd Schmidt <bernds_cb1@t-online.de> wrote:
>> This adds a new -mmitigate-rop option to the i386 port. The idea is to
>> mitigate against certain forms of attack called "return oriented
>> programming" that some of our security folks are concerned about.
>
> LGTM, and since the whole thing is protected by a -mmitigate-rop it
> looks safe for mainline SVN.

Thanks. Committed with some minor changes: I've added a sentence to the documentation to clarify that this is in an early stage of development:

@item -mmitigate-rop
+@opindex mmitigate-rop
+Try to avoid generating code sequences that contain unintended return
+opcodes, to mitigate against certain forms of attack. At the moment,
+this option is limited in what it can do and should not be relied
+on to provide serious protection.
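
Review bot: the added description says "certain forms of attack" without naming return-oriented programming, so a reader of the manual has no way to tell what the "rop" in -mmitigate-rop stands for; consider spelling it out, for example "to mitigate against return-oriented programming (ROP) attacks". The caveat sentence "this option is limited in what it can do" would also serve users better if it stated what the option currently covers, so that they can judge what remains unprotected.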


Bernd

