This is the mail archive of the gcc-patches@gcc.gnu.org mailing list for the GCC project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: i386/prologues: ROP mitigation for normal function epilogues

From: Bernd Schmidt <bschmidt at redhat dot com>
To: Michael Matz <matz at suse dot de>
Cc: GCC Patches <gcc-patches at gcc dot gnu dot org>
Date: Fri, 17 Jun 2016 16:18:50 +0200
Subject: Re: i386/prologues: ROP mitigation for normal function epilogues
Authentication-results: sourceware.org; auth=none
References: <5ff22dae-cdfe-6c94-2428-7c8726b7d294 at redhat dot com> <alpine dot LSU dot 2 dot 20 dot 1606171446090 dot 13156 at wotan dot suse dot de>

On 06/17/2016 04:03 PM, Michael Matz wrote:

But does this really improve something?  Essentially you're replacing

  <random bytes1> 0xc9 0xc3 <random bytes2>

(the end of a function containing "leave;ret") with

  <random bytes1> 0xe9 <four random bytes> <random bytes2>

where the four random bytes are different for each rewritten function
return (but correlated as they differ exactly by their position
difference).

I'm not sure why the latter sequence is better?

I think I'm missing what you're trying to say. The latter sequence doesnot contain a return opcode hence it ought to be better?



Bernd

Follow-Ups:
- Re: i386/prologues: ROP mitigation for normal function epilogues
  - From: Michael Matz

References:
- i386/prologues: ROP mitigation for normal function epilogues
  - From: Bernd Schmidt
- Re: i386/prologues: ROP mitigation for normal function epilogues
  - From: Michael Matz

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]