RETGUARD, the OpenBSD next big thing in exploit mitigation



Post by acheng » 2017-08-22 20:17

From Theo de Raadt:
This year I went to BSDCAN in Ottawa. I spent much of it in the 'hallway track', and had an extended conversation with various people regarding our existing security mitigations and hopes for new ones in the future. I spoke a lot with Todd Mortimer(mortimer@). Apparently I told him that I felt return-address protection was impossible, so a few weeks later he sent a clang diff to address that issue...
Someone on undeadly asked what this thing actually is and how it defends against attacks. Darren Tucker explained it (in short, it is there to defend against buffer overflow attacks):
By Darren Tucker (dtucker) on 2017-08-21 08:08
> Maybe somebody is motivated to explain the concept or some of the terms. I'd appreciate it.

(I'm probably oversimplifying, but here goes):

Traditional buffer overflow exploits rely on jamming some executable code into memory then getting that executed somehow, eg by overwriting the return address of the stack frame to return your code. Various techniques make this harder these days, eg marking writable memory as non-executable ("W^X").

Because of this, exploit writers came up with a way to use existing pieces of code in a process which are already marked as executable which is known as "Return Oriented Programming" (ROP). You find snippets of code that each do a small part of the exploit and end in a "return" instruction (these are known as "gadgets") that together do the thing you want. You then cook up a fake stack with frames that say "return to this address then this address then this address" to chain the gadgets together, overwrite the real stack with this and when the function returns it'll follow the chain and do what you want.

What this change does is: instead of storing the plain return address on the stack when making a function call, it stores the return address to return to, scrambled with a value that is unknown to the attacker, and it is later unscrambled before being used. Since the attacker can't predict the scrambling value, it should be harder for them to cook up this fake stack that makes the code do what they want, because when the frames get unscrambled and used they will point off to unpredictable places instead of their intended gadgets.
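The mechanism Darren Tucker describes can be modelled in a few lines of C. The block below is an added example, not code from OpenBSD, clang or the RETGUARD diff: it treats the saved return-address slot as a value XORed with a secret that the function prologue and epilogue know and the attacker does not, then checks what happens to a plain-text "fake stack" of gadget addresses when the epilogue unscrambles it. The secret and the gadget addresses are constructed sample values; the real implementation's choice of secret (and where it keeps it) is not something this model asserts.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/*
 * Model of RETGUARD-style return-address scrambling (added example, not
 * OpenBSD's code). The stack slot does not hold the return address itself
 * but the return address XORed with a secret the attacker cannot read.
 */
typedef struct {
    uintptr_t slot;   /* what actually sits in the saved-return slot */
} saved_ret;

/* Prologue side: scramble the return address before it is stored. */
static saved_ret retguard_save(uintptr_t return_address, uintptr_t secret) {
    saved_ret s = { return_address ^ secret };
    return s;
}

/* Epilogue side: unscramble the slot right before 'ret' would consume it. */
static uintptr_t retguard_restore(saved_ret s, uintptr_t secret) {
    return s.slot ^ secret;
}

/* A legitimate call: save then restore with the same secret gives the
 * original address back, so normal control flow is unaffected. */
static uintptr_t legitimate_round_trip(uintptr_t return_address, uintptr_t secret) {
    return retguard_restore(retguard_save(return_address, secret), secret);
}

/* Constructed sample: the plain gadget addresses a classic ROP fake stack
 * would write into saved-return slots (made-up values, not real code). */
static const uintptr_t kGadgets[] = {
    0x00007f3a1c4010a0ULL,
    0x00007f3a1c4020b4ULL,
    0x00007f3a1c4030c8ULL,
};
static const size_t kGadgetCount = sizeof(kGadgets) / sizeof(kGadgets[0]);

/* Constructed sample secret; in the real mitigation this is unknown to
 * the attacker, which is the whole point. */
static const uintptr_t kSecret = 0x2b7e151628aed2a6ULL;

/*
 * Count how many forged frames still land on their intended gadget once the
 * epilogue unscrambles them. Overwriting a slot with a plain gadget address
 * only works when the secret is zero (mitigation absent); with any nonzero
 * secret the restored value differs from every forged target.
 */
static size_t surviving_frames(const uintptr_t *forged, size_t n, uintptr_t secret) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        saved_ret slot = { forged[i] };   /* attacker-written slot contents */
        if (retguard_restore(slot, secret) == forged[i])
            hits++;
    }
    return hits;
}

int main(void) {
    uintptr_t ret = 0x0000555555401234ULL;   /* constructed caller address */

    printf("legitimate call restores to %#lx\n",
           (unsigned long)legitimate_round_trip(ret, kSecret));
    printf("forged frames surviving without secret: %zu of %zu\n",
           surviving_frames(kGadgets, kGadgetCount, 0), kGadgetCount);
    printf("forged frames surviving with secret:    %zu of %zu\n",
           surviving_frames(kGadgets, kGadgetCount, kSecret), kGadgetCount);

    /* Where a forged frame actually ends up once unscrambled. */
    saved_ret forged = { kGadgets[0] };
    printf("gadget %#lx would return to %#lx instead\n",
           (unsigned long)kGadgets[0],
           (unsigned long)retguard_restore(forged, kSecret));
    return 0;
}
```

The model makes the caveat in the post concrete: XOR is not a cipher, so the protection is exactly as strong as the attacker's inability to learn or guess the secret. A secret that is constant across processes, or that leaks through an information disclosure, collapses `surviving_frames` back to the unprotected case.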
