
[Defense in depth] uBPF interpreter should defend against ROP attacks #81

Closed
Alan-Jowett opened this issue Jul 2, 2021 · 3 comments

Comments

@Alan-Jowett (Collaborator)

The uBPF interpreter can be used by a ROP attack to launch the execution of arbitrary byte code.

Assume attacker can control return pointer and RDI (Linux) or RCX (Windows). They can then trigger the interpreter to run arbitrary pages of data as BPF instructions by setting return address = ubpf_exec and RDI/RCX as pointer to pointer to BPF byte code.

While not a bug in uBPF itself, it does make exploiting other bugs easier.

Proposed mitigation is:
Store a mask in a global variable.
Generate random mask on startup.
Store ubpf_vm::inst as the result of mask XOR pointer.
Load ubpf_vm::inst after mask XOR stored pointer.

As a result, a call to ubpf_exec with RDI/RCX pointing to byte code will fail as the decode of the pointer will result in an invalid memory address. The attacker would need to first read the mask, XOR the pointer, write the resulting value, which raises the bar significantly.
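
The mitigation described above, modelled in C as an added example (this is not uBPF's own code; the names ebpf_inst, ubpf_vm, g_pointer_mask, vm_store_insts and vm_load_insts are assumptions for illustration). It stores only mask XOR pointer in the VM struct, decodes on load, and then walks through both paths from the comment: a legitimate store/load round trip, and the attacker scenario where RDI/RCX points at a forged struct whose first word is a raw pointer to attacker bytes. The randomness source is a placeholder; a real implementation should use getrandom() or BCryptGenRandom.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/* Added example, not uBPF's code. A minimal eBPF instruction: 8 bytes. */
struct ebpf_inst {
    uint8_t  opcode;
    uint8_t  regs;     /* dst:4 | src:4 */
    int16_t  offset;
    int32_t  imm;
};

/* Stand-in for ubpf_vm: only the instruction pointer matters here. */
struct ubpf_vm {
    uintptr_t insts_masked;   /* holds (mask XOR pointer), never the raw pointer */
    size_t    num_insts;
};

/* Process-wide mask, generated once at startup (assumed name). */
static uintptr_t g_pointer_mask;

/* Placeholder entropy mixer (splitmix64). Production code must use the OS CSPRNG. */
static uint64_t splitmix64(uint64_t x) {
    x += 0x9E3779B97F4A7C15ULL;
    x = (x ^ (x >> 30)) * 0xBF58476D1CE4E5B9ULL;
    x = (x ^ (x >> 27)) * 0x94D049BB133111EBULL;
    return x ^ (x >> 31);
}

/* Generate the mask at startup; returns it so callers can check it is non-zero. */
uintptr_t ubpf_init_pointer_mask(void) {
    uint64_t seed = (uint64_t)time(NULL) ^ (uint64_t)clock() ^ (uint64_t)(uintptr_t)&seed;
    do {
        seed = splitmix64(seed);
        g_pointer_mask = (uintptr_t)seed;
    } while (g_pointer_mask == 0);   /* a zero mask would be no mask at all */
    return g_pointer_mask;
}

/* Store: the raw instruction pointer never lands in the struct. */
void vm_store_insts(struct ubpf_vm *vm, const struct ebpf_inst *insts, size_t n) {
    vm->insts_masked = (uintptr_t)insts ^ g_pointer_mask;
    vm->num_insts = n;
}

/* Load: only yields the real pointer if the value was stored with the same mask. */
const struct ebpf_inst *vm_load_insts(const struct ubpf_vm *vm) {
    return (const struct ebpf_inst *)(vm->insts_masked ^ g_pointer_mask);
}

/* Legitimate path: the interpreter sees exactly the program it was given. */
int legit_roundtrip_ok(void) {
    static const struct ebpf_inst prog[2] = {
        { 0xb7, 0, 0, 42 },   /* mov r0, 42 */
        { 0x95, 0, 0, 0 },    /* exit */
    };
    struct ubpf_vm vm;
    vm_store_insts(&vm, prog, 2);
    const struct ebpf_inst *p = vm_load_insts(&vm);
    return p == prog && p[0].opcode == 0xb7 && p[1].opcode == 0x95;
}

/* Attacker path from the issue: a ROP chain sets RDI/RCX to a buffer whose first
 * word is a raw pointer to attacker bytes (the layout that worked before masking).
 * With masking in place the decoded pointer is (payload XOR mask), an unrelated
 * and almost certainly unmapped address, so the forged VM does not run payload. */
int forged_vm_yields_raw_pointer(void) {
    static const uint8_t payload[16] = {            /* constructed attacker bytes */
        0xb7, 0, 0, 0, 0x39, 0x05, 0, 0,
        0x95, 0, 0, 0, 0, 0, 0, 0,
    };
    struct ubpf_vm forged;
    forged.insts_masked = (uintptr_t)payload;       /* attacker wrote the raw pointer */
    forged.num_insts = 2;
    const struct ebpf_inst *p = vm_load_insts(&forged);
    /* Never dereference p here: that is the fault the mitigation relies on. */
    return p == (const struct ebpf_inst *)payload;
}

int main(void) {
    ubpf_init_pointer_mask();
    printf("legit round trip ok: %d\n", legit_roundtrip_ok());
    printf("forged vm decodes to raw pointer: %d\n", forged_vm_yields_raw_pointer());
    return 0;
}
```

The important property is that the struct never contains the raw pointer at rest, so an attacker who only controls a pointer-to-pointer argument must additionally read g_pointer_mask and write the XORed value before ubpf_exec will decode to their buffer. The mask must be generated before any VM is created; generating it lazily or leaving it zero silently removes the protection.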

@ceseo

ceseo commented May 4, 2022

I'm interested in this feature for 64-bit Arm. Do you plan to push it in the future? Thanks!

@Alan-Jowett (Collaborator, Author)

I have a PR for this, but for now, it's on the back burner as my project decided to disable the interpreter by default as a security measure (enabling the interpreter in kernel mode was deemed too much of a threat). This reduces the risk, but the risk was still deemed too high.

I can go ahead and rebase the fix and push an update.

@Alan-Jowett Alan-Jowett changed the title [Defense in depth] uBPF should encode pointer to BPF instructions to mitigate ROP attacks [Defense in depth] uBPF interpreter should defend against ROP attacks Oct 11, 2022
@Alan-Jowett (Collaborator, Author)

Closing this as it should be fixed now.
