On 29 Jan 2016 at 16:44, Alessandro Di Federico wrote:

> On Thu, 28 Jan 2016 02:49:46 +0100
> "PaX Team" <pageexec@××××××××.hu> wrote:
>
> > because it's a useless security measure. for a non-executable .rodata
> > section to make any sense, the following condition would have to hold:
> >
> > a bug (or set of bugs) is exploitable if and only if .rodata is
> > executable.
> >
> > nobody has ever shown that there exists such a bug (or set of bugs)
> > and in fact there's ample evidence that already executable code
> > contains all the necessary gadgets an exploit would need.
>
> With a dirty one-liner run in my `/usr/bin` I've found 956 MiB of .text
> and 444 MiB of .rodata; this means about a third of the opportunities
> of finding the right gadget.

all that is irrelevant i'm afraid. what matters is the simple condition
above. do you know of any bugs that satisfy it? you see, you're asking
for a change that has non-zero costs and for all we know, zero benefits.

> Take a look at the following `readelf -l` of a `--rosegment` hello world
> program:
>
> Program Headers:
>   Type   Offset   VirtAddr           FileSiz  MemSiz   Flg Align
>   LOAD   0x000000 0x0000000000400000 0x00040d 0x00040d R E 0x1000
>   LOAD   0x000410 0x0000000000401410 0x000318 0x000318 R   0x1000
>   LOAD   0x000728 0x0000000000402728 0x000228 0x000229 RW  0x1000
>
> The wasted disk space is practically zero,

for a useless hello world. what is it for real apps? what is it when you
page align section data that go into different segments? what fits in a
single physical page above would end up in 2 or 3 pages, a 100% or 200%
overhead if you really want to play this silly game. but before you care
about the costs of --rosegment you should take a step back and demonstrate
its non-zero benefits.

> and there are 0x410 wasted bytes of memory due to `--rosegment` (the second
> `PT_LOAD` is mapped at 0x401410), in addition to the 0x728 which are wasted
> due to the RW segment.

there's nothing wasted here, quite the opposite in fact, the linker was
smart enough to pull 3 segments into one physical page which minimizes
page cache waste on the kernel side and disk block usage on the filesystem
side.

> This means that `--rosegment` is a fully effective countermeasure only
> if the `+x` segment is 0x1000 bytes large.

you have yet to demonstrate that it's a countermeasure against anything ;).
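An added illustration of the page accounting argued over in this exchange; it is not part of either poster's mail. It parses the quoted `readelf -l` rows, counts the virtual pages the kernel maps per PT_LOAD and the leading bytes mapped before each segment actually starts (the "0x410 wasted bytes"), counts the file pages backing all three segments as linked (one), and then re-lays the file offsets out page-aligned to show the 2-3 file pages PaX Team describes. The 4 KiB page size and the relayout rule are assumptions of the example.

```python
PAGE = 0x1000  # assumed page size (x86-64)
# `readelf -l` program headers quoted in the thread (the --rosegment hello world).
READELF_OUTPUT = """\
Program Headers:
  Type   Offset   VirtAddr           FileSiz  MemSiz   Flg Align
  LOAD   0x000000 0x0000000000400000 0x00040d 0x00040d R E 0x1000
  LOAD   0x000410 0x0000000000401410 0x000318 0x000318 R   0x1000
  LOAD   0x000728 0x0000000000402728 0x000228 0x000229 RW  0x1000
"""

def page_down(x): return x & ~(PAGE - 1)
def page_up(x): return (x + PAGE - 1) & ~(PAGE - 1)

def parse_load_segments(text):
    """Return (offset, vaddr, filesz, memsz, flags) for each PT_LOAD row."""
    segs = []
    for line in text.splitlines():
        tok = line.split()
        if tok and tok[0] == "LOAD":
            off, va, fsz, msz = (int(x, 16) for x in tok[1:5])
            segs.append((off, va, fsz, msz, "".join(tok[5:-1])))  # flags precede Align
    return segs

def virtual_pages(seg):
    # Mappings start page-aligned, so the bytes of the first page that precede
    # VirtAddr are mapped too: that is the '0x410 wasted bytes' of the 2nd PT_LOAD.
    _, va, _, msz, _ = seg
    return (page_up(va + msz) - page_down(va)) // PAGE

def file_pages(segs):
    # Distinct file pages (page-cache pages / disk blocks) backing the segments.
    pages = set()
    for off, _, fsz, _, _ in segs:
        if fsz:
            pages.update(range(off // PAGE, (off + fsz - 1) // PAGE + 1))
    return sorted(pages)

def page_align_offsets(segs):
    # Relayout with every file offset rounded up to a page boundary, i.e. the
    # 'page align section data' alternative the reply warns about (assumed rule).
    out, cur = [], 0
    for off, va, fsz, msz, flags in segs:
        cur = page_up(cur)
        out.append((cur, page_down(va), fsz, msz, flags))  # keeps va == off (mod PAGE)
        cur += fsz
    return out

def summarize(text):
    segs = parse_load_segments(text)
    return {"virtual_pages": sum(virtual_pages(s) for s in segs),
            "leading_slack": [s[1] & (PAGE - 1) for s in segs],
            "file_pages_as_linked": len(file_pages(segs)),
            "file_pages_if_page_aligned": len(file_pages(page_align_offsets(segs)))}
```

`summarize(READELF_OUTPUT)` reports 3 virtual pages with leading slack of 0, 0x410 and 0x728 bytes, all backed by a single file page as linked, versus 3 file pages once the offsets are page-aligned.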