
Code-Pointer Integrity [pdf] - cpeterso
https://www.usenix.org/system/files/conference/osdi14/osdi14-paper-kuznetsov.pdf
======
Animats
This is only for pointers into instruction space, not data space.

There's an argument for using a separate stack for subroutine return points. A
few CPUs have been built with hardware for that. (One from the 1980s only had
a 20-deep call stack, which was kind of limiting.) That achieves much of what
this paper proposes.

This is a solution to one specific type of attack - overrunning the stack and
overwriting a return pointer. That's a problem, but only one of many pointer-
related problems. Fixing subscript-out-of-range problems more generally is
much more useful.
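
The separate return-address stack described above, as an added example that is not part of this thread or the paper: a constructed C model in which each call records its return address on a hypothetical shadow stack and the epilogue compares the data-stack copy against it, so a buffer overrun that reaches the saved return address is detected before the function returns. All names (frame_t, simulate_call, shadow_*) and the 0x401000 address are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model (hypothetical, not the paper's code): a frame whose
 * buffer is immediately followed by the saved return address, plus a
 * separate "shadow" stack that keeps a second copy of every return
 * address where a buffer overrun on the data stack cannot reach it. */
#define SHADOW_DEPTH 16

typedef struct {
    char buf[8];        /* local buffer, lowest address in the frame */
    uintptr_t ret_addr; /* saved return address, right after buf */
} frame_t;

static uintptr_t shadow[SHADOW_DEPTH];
static int shadow_top;

/* Prologue: record the return address on the shadow stack as well. */
static int shadow_push(uintptr_t ret) {
    if (shadow_top >= SHADOW_DEPTH) return -1;
    shadow[shadow_top++] = ret;
    return 0;
}

/* Epilogue: the data-stack copy must equal the shadow copy. */
static int shadow_pop_check(uintptr_t ret_on_stack) {
    if (shadow_top == 0) return -1;
    return ret_on_stack == shadow[--shadow_top] ? 0 : -1;
}

/* One simulated call that copies `len` bytes into the frame starting
 * at buf without checking sizeof(buf), so a long input runs into
 * ret_addr (clamped to the frame so the model itself stays well-defined).
 * Returns 1 if the epilogue check flagged a corrupted return address,
 * 0 if the return was clean, -1 if the shadow stack is exhausted. */
int simulate_call(const void *input, size_t len) {
    frame_t f;
    unsigned char *raw = (unsigned char *)&f;
    size_t room = sizeof f - offsetof(frame_t, buf);
    f.ret_addr = 0x401000u; /* constructed caller address */
    if (shadow_push(f.ret_addr) != 0) return -1;
    memcpy(raw + offsetof(frame_t, buf), input, len < room ? len : room);
    return shadow_pop_check(f.ret_addr) != 0;
}
```

An input that fits in the 8-byte buffer returns cleanly; anything longer changes the saved return address and the epilogue check reports it.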

~~~
willvarfar
(Mill team)

All exploit mitigation checks most welcome!

The Mill has a hardware managed stack and various other security-related
details, many of which are good old ideas not previously making it into
silicon. But defence is best in depth. More details
[http://millcomputing.com/topic/security/](http://millcomputing.com/topic/security/)

------
oscargrouch
Something like this makes the burden of annotating lifetimes, like someone
would do in Rust to avoid the insecure parts of C and C++, kind of a complete
productivity loss, unless you are a fan of metaprogramming...

This can make those languages king again, given they are still unbeatable when
someone needs performance and fine tuning..

I wonder if this could really mean we can use those languages for rockets,
cars and airplanes without worrying about the human lives lost or burning large
sums of money because of the dangling-pointer family of bugs..

~~~
cwzwarich
It's a dynamic check for correctness, which you'd probably want to avoid in a
rocket or an airplane.

~~~
willvarfar
Tangentially related, I was struck the first time I saw a compass on an
airliner seat-back display... Is the plane's navigation system really
interfacing with a Windows CE entertainment system? And how do you isolate it
so a crashing entertainment system (we've all seen blue screens of death on
the seat backs) doesn't adversely affect the flight system? I'm imagining
optical isolators, or a separate compass just for the seat backs, or ...
Hopefully it is isolated physically and not just by code review!

Extending this, it is easy to imagine modern military aircraft are
interconnected so their radar etc. interacts with others. How do you protect
it?

(And is, say, 2.6% CPU a price worth paying up front to do so?)

~~~
pjmlp
They aren't connected.

For example, car systems use a real-time microkernel and systems only talk via
the network with something like a CAN bus.

This already provides some isolation.

Then you have MISRA for C and C++ code, High Integrity C++, Ada and Ada SPARK,
and code generation based on formal methods. This is coupled with static code
analysis and rigorous certification processes so that all of these systems are
being used as they should.

You can get an idea of how these issues are discussed from the High Integrity
Software conference programme.

[http://www.his-2014.co.uk/programme.html](http://www.his-2014.co.uk/programme.html)

~~~
willvarfar
Yet in the real world things get hacked over the network all the time. When
two systems talk, there is the potential - _tendency_ , even - for the
protocol handling on one side or the other to be exploitable.

~~~
pjmlp
Are you planning to open the plane fuselage or car chassis to plug into the
network cabling?

~~~
willvarfar
I am replying to someone saying that these checks are too slow for use in
aeroplanes by reflecting on how modern aeroplanes _are_ part of a network.

And who would be surprised to find some kind of plug on the PCB in the seat
rest?

~~~
pjmlp
As I mentioned in my post, the entertainment system is not connected to the
flight system.

~~~
willvarfar
So you are saying that the commercial airliners have a separate compass etc. to
drive those seat back displays?

Because it was quite a storm when hacking via in-flight wifi and entertainment
systems was demonstrated by Ruben Santamarta at Black Hat...

------
ahomescu1
Duplicate of:
[https://news.ycombinator.com/item?id=8442049](https://news.ycombinator.com/item?id=8442049)

------
willvarfar
On behalf of the silent majority, we really appreciate work in this area! We
all depend on systems written in memory-unsafe languages and the idea that
exploit mitigation techniques are just a compile away is very heartening.

