
Trapsleds - protomyth
https://marc.info/?l=openbsd-tech&m=149792179514439&w=2
======
dsjoerg
Delightfully context-free

~~~
failrate
I thought it was self-explanatory, but let me provide a little context: a NOP-
sled can be used to increase reliability in software (especially for ROMs
exposed to hard radiation). It can also be used in various attacks. The letter
describes how the author has built in a replacement for NOPs at the assembler
level that should make software more secure without adverse effect.

Unless you were making a joke about context-free replacement.

~~~
jstanley
I was under the impression that NOP sleds were inserted by the attacker when
they can't quite be sure where exactly their code will begin executing. They
just transfer execution to about the region the NOP sled will be, and then
slide through to the start of the payload.

Modifying NOP sleds at compile time is not going to defend against this.

~~~
wahern
OpenBSD uses W^X aka DEP aggressively. In fact, for OpenBSD 6.1 a program
can't even disable W^X unless the binary was mounted on a filesystem with the
wxallowed option.

Thus, attackers can't insert NOP sleds. They have to rely on the sleds already
in the code. From what I gather from the announcement, toolchains often insert
NOPs as padding, inadvertently creating NOP sleds. This is an attempt to fix
that.
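A small added illustration of the transformation wahern describes (this is example code, not OpenBSD's assembler change): scan an x86 code blob for runs of 0x90 padding and rewrite each run into a short `jmp` over a run of `int3` bytes, so landing anywhere inside the old sled traps instead of sliding. The sample bytes are constructed; a real implementation does this in the assembler, where instruction boundaries are known, because a raw byte scan can mistake a 0x90 inside an operand for a NOP.

```python
# Added example, not code from the thread or from the OpenBSD toolchain.
# Rewrites runs of single-byte NOPs (0x90) into a "trapsled":
#   jmp rel8 over N bytes of int3 (0xCC).
# Normal control flow enters at the jmp and skips the padding; a jump that
# lands inside the padding executes int3 and traps (SIGTRAP) instead of
# sliding into whatever follows.

NOP, INT3, JMP_SHORT = 0x90, 0xCC, 0xEB


def find_nop_sleds(code: bytes, min_len: int = 2):
    """Return (offset, length) for every run of 0x90 at least min_len long."""
    sleds, i = [], 0
    while i < len(code):
        if code[i] != NOP:
            i += 1
            continue
        start = i
        while i < len(code) and code[i] == NOP:
            i += 1
        if i - start >= min_len:
            sleds.append((start, i - start))
    return sleds


def trapsled(length: int) -> bytes:
    """Bytes replacing a padding run of `length`: jmp rel8 + (length-2) int3."""
    if length < 2:                      # a 1-byte pad cannot hold a jmp
        return bytes([NOP]) * length
    if length - 2 > 127:                # rel8 forward displacement limit
        raise ValueError("run too long for a single short jmp")
    return bytes([JMP_SHORT, length - 2]) + bytes([INT3]) * (length - 2)


def harden(code: bytes, min_len: int = 2) -> bytes:
    """Replace every detected NOP sled in `code` with a trapsled of equal size."""
    out = bytearray(code)
    for off, ln in find_nop_sleds(code, min_len):
        out[off:off + ln] = trapsled(ln)
    return bytes(out)


# Constructed sample: push rbp; mov rbp,rsp; 6-byte nop pad; pop rbp; ret;
# a lone nop (left alone); ret.
SAMPLE = (b"\x55\x48\x89\xe5" + b"\x90" * 6 + b"\x5d\xc3" + b"\x90" + b"\xc3")

if __name__ == "__main__":
    print("sleds:", find_nop_sleds(SAMPLE))      # [(4, 6)]
    print("hardened:", harden(SAMPLE).hex(" "))
```

Counting the runs `find_nop_sleds` reports on a linked binary is a quick way to see how much inadvertent sled padding a toolchain actually emits.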

------
philprx
Imho, there are quite a number of opcodes different from 0x90 that are in fact
treated as NOPs, making this mitigation of low result

