ROP attack mitigation
Jeff Law
law@redhat.com
Mon May 13 22:08:00 GMT 2019
On 5/13/19 3:48 PM, Zack Vu wrote:
> Given that essentially no CPUs today support CET and given that CPUs
> remain deployed for perhaps 10 years, even more considering that CPU
> performance has plateaued, isn't there a moral imperative
> to mitigate ROP attacks using approaches other than just CET?
> The two I mentioned would help in the short term; no need to wait many years.
Red Hat's decision was to not focus on ROP mitigation in the compiler,
but instead to focus on being CET ready. This was after looking very
seriously at ROP mitigations as well as CET timeframes.
Your priorities may differ. The GCC project welcome implementations of
usable mitigations. The really hard part is getting enough mitigations
in place to actually spoil ROP attacks in a meaningful way. Nibbling on
the edges doesn't really get you anywhere.
jeff
More information about the Gcc
mailing list