Theo de Raadt <deraadt@openbsd.org> wrote:
> Upon every system call entry, both the PC and SP are range-checked
> against the object they point to, vaguely providing an additional kind of
> MMU flag bit. This check hinders a variety of ROP pivot methods.
I want to add one more comment. I believe the benefit described
far outweighs the past expectation that the pointer can point outside.
When I was writing this code, we found no "thread-lite" libraries that
pointed the pointer aligned and outside the object. They all moved the
pointer inside the object first, and then aligned it as required.
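As an added illustration of the check described above (not code from OpenBSD or from this thread), here is a small C model: hypothetical `struct region` records stand in for the kernel's knowledge of the text and stack objects, and the two SP helpers contrast the two thread-library behaviours the message mentions (aligning first and landing outside the object versus moving inside first and then aligning).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical model of one mapped object, e.g. a thread's stack or the
 * program text; the real kernel consults its own mapping data instead. */
struct region {
    uintptr_t base;
    size_t len;
};

/* True when p lies inside the half-open range [base, base + len). */
static bool in_region(const struct region *r, uintptr_t p)
{
    return p >= r->base && p - r->base < r->len;
}

/* Model of the syscall-entry check: the PC must lie in the text object
 * and the SP must lie in the stack object, otherwise the call is refused. */
bool syscall_entry_ok(const struct region *text, uintptr_t pc,
                      const struct region *stack, uintptr_t sp)
{
    return in_region(text, pc) && in_region(stack, sp);
}

/* A thread library that aligns the top of its stack allocation upward
 * before stepping into the object produces an SP that is aligned but
 * sits at or past the end of the object, which the check rejects. */
uintptr_t sp_align_then_move(const struct region *stack, size_t align)
{
    uintptr_t top = stack->base + stack->len;
    return (top + align - 1) & ~(uintptr_t)(align - 1);
}

/* Moving inside the object first and then rounding down keeps the
 * aligned SP within [base, base + len), so the check passes. */
uintptr_t sp_move_then_align(const struct region *stack, size_t align)
{
    uintptr_t top = stack->base + stack->len;
    return (top - 1) & ~(uintptr_t)(align - 1);
}
```

Constructed regions (for example a stack at 0x1000 of length 0x1000 and text at 0x400000) are enough to see that `sp_align_then_move` yields 0x2000, one past the stack object, while `sp_move_then_align` yields 0x1ff0, inside it.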