| 1 |
On 29 Jan 2016 at 16:44, Alessandro Di Federico wrote: |
| 2 |
|
| 3 |
> On Thu, 28 Jan 2016 02:49:46 +0100 |
| 4 |
> "PaX Team" <pageexec@××××××××.hu> wrote: |
| 5 |
> |
| 6 |
> > because it's a useless security measure. for a non-executable .rodata |
| 7 |
> > section to make any sense, the following condition would have to hold: |
| 8 |
> > |
| 9 |
> > a bug (or set of bugs) is exploitable if and only if .rodata is |
| 10 |
> > executable. |
| 11 |
> > |
| 12 |
> > nobody has ever shown that there exists such a bug (or set of bugs) |
| 13 |
> > and in fact there's ample evidence that already executable code |
| 14 |
> > contains all the necessary gadgets an exploit would need. |
| 15 |
> |
| 16 |
> With a dirty one-liner run in my `/usr/bin` I've found 956 MiB of .text |
| 17 |
> and 444 MiB of .rodata, this means about a third of the opportunities |
| 18 |
> of finding the right gadget. |
| 19 |
|
| 20 |
all that is irrelevant i'm afraid. what matters is the simple condition |
| 21 |
above. do you know of any bugs that satisfy it? you see, you're asking |
| 22 |
for a change that has non-zero costs and for all we know, zero benefits. |
| 23 |
|
| 24 |
> Take a look at the following `readelf -l` of a `--rosegment` hello world |
| 25 |
> program: |
| 26 |
> |
| 27 |
> Program Headers: |
| 28 |
> Type Offset VirtAddr FileSiz MemSiz Flg Align |
| 29 |
> LOAD 0x000000 0x0000000000400000 0x00040d 0x00040d R E 0x1000 |
| 30 |
> LOAD 0x000410 0x0000000000401410 0x000318 0x000318 R 0x1000 |
| 31 |
> LOAD 0x000728 0x0000000000402728 0x000228 0x000229 RW 0x1000 |
| 32 |
> |
| 33 |
> The wasted disk space is practically zero, |
| 34 |
|
| 35 |
for a useless hello world. what is it for real apps? what is it when you |
| 36 |
page align section data that go into different segments? what fits in a |
| 37 |
single physical page above would end up in 2 or 3 pages, a 100% or 200% |
| 38 |
overhead if you really want to play this silly game. but before you care |
| 39 |
about the costs of --rosegment you should take a step back and demonstrate |
| 40 |
its non-zero benefits. |
| 41 |
|
| 42 |
> and there are 0x410 wasted bytes of memory due to `--rosegment` (the second |
| 43 |
> `PT_LOAD` is mapped at 0x401410), in addition to the 0x728 which are wasted |
| 44 |
> due to the RW segment. |
| 45 |
|
| 46 |
there's nothing wasted here, quite the opposite in fact, the linker was |
| 47 |
smart enough to pull 3 segments into one physical page which minimizes |
| 48 |
page cache waste on the kernel side and disk block usage on the filesystem |
| 49 |
side. |
| 50 |
|
| 51 |
> This means that `--rosegment` is a fully effective countermeasure only |
| 52 |
> if the `+x` segment is 0x1000 bytes large. |
| 53 |
|
| 54 |
you have yet to demonstrate that it's a countermeasure against anything ;). |
Archives