blob: 1d3a0a8fdbd8adafa5619ed06122f185cb4c58a0 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
|
I got this idea when I read that vale-lang somehow obfuscates/encrypts
pointers before passing them to FFI / "unsafe code". SLUL uses the
"C ABI" natively, so there is no distiction between "foreign" and
"non-foreign" functions, so this technique could instead be applied
to *all* cross-module calls that cause an opaque type to enter or leave
the module that it is defined in.
Implementation idea:
* xor all opaque or internal pointers with values encoded into the binary.
- use a pattern that forces ones into bits that are always 0, to trigger traps:
- use 1.......... (high bit) to trigger a page fault
- use ..........1 (low bit) to trigger an alignment fault
* opaque pointers are xor'ed with a per-type value.
* internal pointers (i.e. fields inside opaque types) are xor'ed with a
per-field value.
* return adresses are xor'ed with a per-function value.
(tail calls need special handling, so this only works for private functions
where the caller knows the xor value of the callee)
this would acheive the following:
* exploits that swap one pointer with another stop working if:
- there is a type confusion attack
- the pointers are in different fields
- the pointers are of different kinds (opaque pointer, internal pointer, return pointer)
* supporting different versions in an exploit gets trickier
(and there could be a tool to change the xor values!
or it could be changed at load time!)
|