
SROP mitigation committed

by
from OpenBSD Journal on (#1DEQ5)
In a recent email, Theo de Raadt explains the SROP mitigation technique, a recent team effort.

This is the first demonstration of a mitigation against SROP.

Utilizing a trick from kbind(2), the kernel now only accepts signal returns from the PC address of the sigreturn(2) syscall in the signal trampoline. Since the signal trampoline page is randomly placed per process, it is only known by directly returning from a signal handler.

As well, the sigcontext provided to sigreturn(2) now contains a magic cookie constructed from a per-process cookie XOR'd against the address of the signal context. That part is similar to the LWN discussion mentioned above. I came to the same conclusion semi-independently as a result of Antoine's ports builds, which identified all the parts of the application software ecosystem I had to study. Woe is me!
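The two checks described above, modelled as a small C example added here to illustrate the idea; this is not OpenBSD kernel code, and every name in it (sigcontext_model, proc_model, deliver_signal, sigreturn_check, the sample cookie and trampoline address) is an assumption made for the illustration. The model shows why a sigreturn is rejected when it is issued from a PC other than the trampoline's sigreturn(2) instruction, and why a sigcontext whose cookie was computed for one address stops validating once the same bytes sit at a different address.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of a signal context; the real struct sigcontext has
 * many more fields. The cookie binds the context to its own address. */
struct sigcontext_model {
    uint64_t sc_pc;     /* PC the process resumes at after sigreturn */
    uint64_t sc_sp;     /* stack pointer to restore */
    uint64_t sc_cookie; /* per-process cookie XOR address of this struct */
};

/* Hypothetical per-process state kept by the kernel. */
struct proc_model {
    uint64_t sigcookie;    /* random per-process secret, chosen at exec */
    uint64_t sigreturn_pc; /* PC of the sigreturn(2) syscall in the
                              randomly placed signal trampoline */
};

/* Kernel side, signal delivery: fill in the context and stamp the cookie.
 * XORing the secret with the context's own address means the stored value
 * is only valid for a context living at exactly this address. */
void deliver_signal(const struct proc_model *p, struct sigcontext_model *sc,
                    uint64_t handler_pc, uint64_t sp)
{
    sc->sc_pc = handler_pc;
    sc->sc_sp = sp;
    sc->sc_cookie = p->sigcookie ^ (uint64_t)(uintptr_t)sc;
}

/* Kernel side, sigreturn(2): both conditions from the text must hold.
 * caller_pc is the PC from which the syscall instruction was executed. */
bool sigreturn_check(const struct proc_model *p, uint64_t caller_pc,
                     const struct sigcontext_model *sc)
{
    /* 1. The syscall must come from the sigreturn stub in the trampoline. */
    if (caller_pc != p->sigreturn_pc)
        return false;
    /* 2. The cookie must match the secret bound to this exact address. */
    if (sc->sc_cookie != (p->sigcookie ^ (uint64_t)(uintptr_t)sc))
        return false;
    return true;
}

/* Constructed sample values; the cookie is deliberately not a valid
 * user address so it cannot collide with a stack location. */
static struct proc_model make_proc(void)
{
    struct proc_model p = { 0x5a17c0ffee9e2b4dULL, 0x00007f3a12340ff8ULL };
    return p;
}

/* Normal path: context stamped by the kernel, returned from the trampoline. */
bool demo_legitimate_return(void)
{
    struct proc_model p = make_proc();
    struct sigcontext_model sc;
    deliver_signal(&p, &sc, 0x401000, 0x7ffd0000);
    return sigreturn_check(&p, p.sigreturn_pc, &sc);
}

/* Same valid context, but the syscall is issued from some other PC. */
bool demo_return_from_wrong_pc(void)
{
    struct proc_model p = make_proc();
    struct sigcontext_model sc;
    deliver_signal(&p, &sc, 0x401000, 0x7ffd0000);
    return sigreturn_check(&p, 0x401234, &sc);
}

/* A byte-for-byte copy of a valid context at a different address:
 * the cookie no longer matches because the address term changed. */
bool demo_relocated_context(void)
{
    struct proc_model p = make_proc();
    struct sigcontext_model sc, copy;
    deliver_signal(&p, &sc, 0x401000, 0x7ffd0000);
    copy = sc;
    return sigreturn_check(&p, p.sigreturn_pc, &copy);
}

/* A context assembled without knowledge of the per-process secret. */
bool demo_unknown_secret(void)
{
    struct proc_model p = make_proc();
    struct sigcontext_model forged = { 0x401000, 0x7ffd0000, 0 };
    return sigreturn_check(&p, p.sigreturn_pc, &forged);
}

int main(void)
{
    printf("legitimate: %d\n", demo_legitimate_return());   /* 1 */
    printf("wrong pc:   %d\n", demo_return_from_wrong_pc()); /* 0 */
    printf("relocated:  %d\n", demo_relocated_context());    /* 0 */
    printf("no secret:  %d\n", demo_unknown_secret());       /* 0 */
    return 0;
}
```

The model deliberately keeps the two checks separate: the PC check is what ties a sigreturn to the randomized trampoline page, and the address-bound cookie is what stops a context prepared elsewhere from being accepted even when the PC check is satisfied.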


Source: OpenBSD Journal (http://undeadly.org/), RSS feed http://undeadly.org/cgi?action=rss