
I am wary of any claim to CFI without secure tracking of the call-stack to verify the return destination. You need to compare return destinations against a shadow call-stack. If you don't protect this call stack then attackers will just evolve slightly. You can encrypt/decrypt the return address grsecurity style but we know that this can still be bypassed.


It looks like backwards-edge protection is in a different patch. Backwards-edge is a bit easier to implement.


Well I am not sure I agree. It seems to me that there are significant security complications due to the need of making a runtime comparison to determine the integrity of the return destination. How are we to be convinced that the value at the top of the shadow-stack is not attacker-controlled?


An attacker could modify the shadow stack; it's just rather difficult to find where it's randomly placed and would require arbitrary read/write capabilities. The kernel zeros out the register used to write to the shadow stack as soon as possible after use. It's not impossible to defeat, but does raise the bar significantly.

I encourage you to read the commit message of shadow call stack kernel patches, which as another commenter notes is only backwards edge protection; CFI is forwards edge protection.
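The backwards-edge check the two comments above argue about, as an added user-space model (not code from any shadow call stack kernel patch, and not posted by anyone in this thread): a function prologue records the return address on a separate shadow stack, the epilogue compares what is on the main stack against that copy, and a mismatch is reported instead of followed. The model also shows the point raised about the top-of-shadow-stack value being trusted: if the shadow copy can be overwritten as well, the comparison passes. The `shadow_stack_t` type, the `scs_*`/`model_*` function names, the fixed 64-entry depth and the hex addresses are all constructed for this illustration; a real implementation keeps the shadow stack at a randomised, register-addressed location and aborts on mismatch rather than returning a status.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a shadow call stack: an ordinary static array here,
 * where the kernel scheme would use a hidden, randomly placed region. */
#define SCS_DEPTH 64

typedef struct {
    uintptr_t entries[SCS_DEPTH];
    size_t top;
} shadow_stack_t;

static void scs_init(shadow_stack_t *s) { s->top = 0; }

/* Prologue side: record the return address on function entry. -1 on overflow. */
static int scs_push(shadow_stack_t *s, uintptr_t ret) {
    if (s->top >= SCS_DEPTH) return -1;
    s->entries[s->top++] = ret;
    return 0;
}

/* Epilogue side: compare the return address found on the main stack with the
 * shadow copy. 1 = match (return proceeds), 0 = mismatch (a real
 * implementation would panic here), -1 = underflow (nothing was recorded). */
static int scs_check_and_pop(shadow_stack_t *s, uintptr_t ret_on_main_stack) {
    if (s->top == 0) return -1;
    uintptr_t expected = s->entries[--s->top];
    s->entries[s->top] = 0; /* clear the slot once consumed, mirroring the "zero after use" hygiene */
    return expected == ret_on_main_stack ? 1 : 0;
}

static shadow_stack_t g_model_scs;

/* One modelled call/return. `legit_ret` is what the prologue saved;
 * `ret_at_exit` is what the epilogue finds on the main stack (it differs only
 * if the frame was corrupted). `shadow_tamper` models the worry in the thread:
 * if the shadow copy can be overwritten too, the check cannot see anything. */
static int model_call_return(uintptr_t legit_ret, uintptr_t ret_at_exit,
                             int shadow_tamper) {
    scs_init(&g_model_scs);
    if (scs_push(&g_model_scs, legit_ret) != 0) return -1;
    if (shadow_tamper) g_model_scs.entries[g_model_scs.top - 1] = ret_at_exit;
    return scs_check_and_pop(&g_model_scs, ret_at_exit);
}

/* Nested calls must verify in LIFO order; 1 if all three frames check out. */
static int model_nested_returns(void) {
    static const uintptr_t rets[3] = { 0x401000u, 0x402000u, 0x403000u }; /* constructed addresses */
    scs_init(&g_model_scs);
    for (int i = 0; i < 3; i++)
        if (scs_push(&g_model_scs, rets[i]) != 0) return -1;
    for (int i = 2; i >= 0; i--)
        if (scs_check_and_pop(&g_model_scs, rets[i]) != 1) return 0;
    return 1;
}

/* Exhausting the shadow stack must be reported, never silently overwritten. */
static int model_depth_overflow(void) {
    scs_init(&g_model_scs);
    for (int i = 0; i < SCS_DEPTH; i++)
        if (scs_push(&g_model_scs, 0x500000u + (uintptr_t)i) != 0) return -1;
    return scs_push(&g_model_scs, 0x600000u); /* one past capacity: expect -1 */
}

/* A return with nothing recorded is an anomaly, not a match. */
static int model_underflow(void) {
    scs_init(&g_model_scs);
    return scs_check_and_pop(&g_model_scs, 0x401000u); /* expect -1 */
}

int main(void) {
    printf("intact frame:        %d (1 = return allowed)\n",
           model_call_return(0x401000u, 0x401000u, 0));
    printf("corrupted frame:     %d (0 = mismatch caught)\n",
           model_call_return(0x401000u, 0x7ffff000u, 0));
    printf("shadow tampered too: %d (1 = check is blind)\n",
           model_call_return(0x401000u, 0x7ffff000u, 1));
    printf("nested LIFO:         %d\n", model_nested_returns());
    printf("depth overflow:      %d (-1 = reported)\n", model_depth_overflow());
    printf("underflow:           %d (-1 = reported)\n", model_underflow());
    return 0;
}
```

The third scenario is the whole argument in one line: the comparison is only as strong as the integrity of the shadow region, which is why the kernel variant hides its location and clears the addressing register after each write. A defender evaluating a CFI claim should therefore ask two separate questions, whether returns are checked at all (backwards edge) and what stops the reference copy from being written.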


Do you know who works on such topics?


I’m not sure what you mean. I’ve read a variety of papers and articles on this topic. Are you referring to the user that replied to me?



