Home
WrinkleFree edited this page Feb 24, 2015 · 6 revisions
As of now the hardened code aborts when it is called from an unhardened function (such as a library function), because the check code looks for a caller ID at the call site and an unhardened call site carries none.
We need a way to determine whether the caller is internal (hardened) or external; if it is a valid external call, we can skip the abort.
- Maintain state: disable all checks if execution started in a shared library (a non-hardened function).
- Function pointers: it may be possible to identify function pointers in LLVM. If we can, we can replace every function pointer that escapes to external code with a wrapper that carries the right ID and simply returns afterwards, since the pointer might be called by an external function. This only works under the assumption that the only way an external library can call a hardened function is through a function pointer we handed it.
- Store a function table mapping address ranges to functions, and verify whether the caller address falls inside one of the functions in the table. The symbol tables of the libraries could supply the ranges; this requires that the libraries ship with symbol tables.
- https://www.trust.cased.de/fileadmin/user_upload/Group_TRUST/PubsPDF/rop-against-cfi.pdf : the section on COTS CFI implementations, specifically the use of "springboard" sections for library calls.
- MoCFI disables the check when the call comes from an external source; we need to investigate how it does this: https://www.informatik.tu-darmstadt.de/fileadmin/user_upload/Group_TRUST/PubsPDF/MoCFI-NDSS-2012.pdf (search for "function prologues").
- longjmp: control arrives without passing through an instrumented call site, so the check finds no ID there either.
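The following is an added model of the problem and of the function-pointer wrapper option, written for this page; it is not the project's LLVM pass. It assumes a simplified ID scheme: instead of the callee reading an ID constant back at the return address, the hardened call site stores the callee's ID in a global that the callee's prologue consumes, and a failed check increments a counter instead of calling abort() so the outcomes can be observed. The IDs, function names and the use of qsort() as the "unhardened library" are all constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical call-site IDs (the real pass would embed these at call sites). */
enum { ID_NONE = 0, ID_CMP = 0x1234, ID_SUM = 0x5678 };

static int g_pending_id = ID_NONE;   /* ID left "at the call site" by the caller  */
static int g_violations = 0;         /* would be abort() in a real hardened prologue */

/* Callee-side check, as a hardened prologue would do it: consume and compare. */
static int cfi_check(int expected)
{
    int got = g_pending_id;
    g_pending_id = ID_NONE;          /* one call consumes one ID */
    if (got != expected) {
        g_violations++;
        return 0;
    }
    return 1;
}

/* Hardened call site: leave the callee's ID, then call.  The comma operator
   keeps the call's return value as the macro's value. */
#define HARDENED_CALL(id, call) (g_pending_id = (id), (call))

/* Hardened comparator.  On a failed check it records the violation and returns
   0 so that qsort() still terminates in this model. */
static int hardened_cmp(const void *a, const void *b)
{
    int x = *(const int *)a, y = *(const int *)b;
    if (!cfi_check(ID_CMP)) return 0;
    return (x > y) - (x < y);
}

/* Hardened leaf function meant to be called only from hardened code. */
static int hardened_sum(int x, int y)
{
    if (!cfi_check(ID_SUM)) return -1;
    return x + y;
}

/* Wrapper handed to external code instead of hardened_cmp: it carries the ID
   hardened_cmp expects, so a call arriving from qsort() (unhardened libc)
   passes the check, and the wrapper returns to the library normally. */
static int cmp_wrapper(const void *a, const void *b)
{
    return HARDENED_CALL(ID_CMP, hardened_cmp(a, b));
}

int is_sorted(const int *v, size_t n)
{
    for (size_t i = 1; i < n; i++)
        if (v[i - 1] > v[i]) return 0;
    return 1;
}

/* Internal (hardened) caller: the check passes and the sum is returned. */
int call_from_hardened_code(void)
{
    return HARDENED_CALL(ID_SUM, hardened_sum(3, 4));
}

/* The symptom from the notes: an unhardened caller leaves no ID, so the
   callee's check fails (here: -1; in the real pass: abort). */
int call_from_external_code(void)
{
    return hardened_sum(3, 4);
}

/* Sort through the wrapper; returns the number of failed checks (0 expected). */
int sort_via_wrapper(int *v, size_t n)
{
    int before = g_violations;
    qsort(v, n, sizeof v[0], cmp_wrapper);
    return g_violations - before;
}

/* Hand libc the raw hardened function: every comparison fails the check. */
int sort_without_wrapper(int *v, size_t n)
{
    int before = g_violations;
    qsort(v, n, sizeof v[0], hardened_cmp);
    return g_violations - before;
}

/* 1 if the wrapper path both passes every check and actually sorts. */
int wrapper_sorts_correctly(void)
{
    int v[] = { 5, 3, 4, 1, 2 };
    return sort_via_wrapper(v, 5) == 0 && is_sorted(v, 5);
}

int main(void)
{
    int w[] = { 4, 3, 2, 1 };
    printf("hardened caller: %d\n", call_from_hardened_code());
    printf("external caller: %d\n", call_from_external_code());
    printf("wrapper path ok: %d\n", wrapper_sorts_correctly());
    printf("raw pointer to libc: %d failed checks\n", sort_without_wrapper(w, 4));
    return 0;
}
```

The raw-pointer case is exactly the abort described above; the wrapper case shows why the function-pointer option only holds if every pointer that reaches external code goes through such a wrapper, which the model cannot enforce by itself.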