anti-ROP mechanism in libc
by from OpenBSD Journal on (#1BQDQ)
Theo (deraadt@) writes to the tech@ mailing list with a clever idea that we would like to try:
This change randomizes the order of symbols in libc.so at boot time.

This is done by saving all the independent .so sub-files into an ar archive, and then relinking them into a new libc.so in random order, at each boot. The cost is less than a second on the systems I am using.

For now, this is only done for libc, because it is generally the most gadget heavy library; spilled registers are more likely to point within the libc segment; and also the gadgets are close to system call stubs. As a result of the change, gadgets are no longer found at fixed offsets from spilled registers.

More details are available on tech@. Please check the thread for any replies or updates.