
Some near-term arm64 hardening patches - chmaynard
https://lwn.net/SubscriberLink/804982/7955d88a2305bb84/
======
libeclipse
With BTI can the attacker not just write a BTI opcode to the start of the jump
location? Usually you would jump to a buffer that you control the contents of
(i.e. shellcode)

~~~
pcwalton
W^X prevents that straightforward attack, by not allowing writable buffers to
be executed. The typical way to defeat W^X is ROP chains with gadgets
consisting of pieces of code already present in the binary. BTI, in turn, is a
defense against _that_.

It's very much a cat and mouse game.

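BTI only takes effect on pages the loader maps as guarded, and on Linux the loader decides that from the `GNU_PROPERTY_AARCH64_FEATURE_1_AND` property in the binary's `.note.gnu.property` note. So before reasoning about whether BTI stops a given jump, a defender wants to know whether the binary is marked at all. The following Python is an added example (not code from the article or from any of the commenters); the constants come from the ELF gABI and the AArch64 ELF ABI, and the note blob built by `build_property_note` is constructed test input, not taken from a real binary.

```python
import struct

# Constants from the ELF gABI / AArch64 ELF ABI (not from the thread).
NT_GNU_PROPERTY_TYPE_0 = 5
PT_GNU_PROPERTY = 0x6474E553
GNU_PROPERTY_AARCH64_FEATURE_1_AND = 0xC0000000
GNU_PROPERTY_AARCH64_FEATURE_1_BTI = 1 << 0
GNU_PROPERTY_AARCH64_FEATURE_1_PAC = 1 << 1


def build_property_note(features):
    """Build a minimal ELF64 .note.gnu.property blob carrying one AArch64
    feature-1 property. Constructed test input, not read from a binary."""
    name = b"GNU\0"
    # pr_type, pr_datasz, data (u32), then 4 bytes of padding to 8-byte alignment
    desc = struct.pack("<IIII", GNU_PROPERTY_AARCH64_FEATURE_1_AND, 4, features, 0)
    header = struct.pack("<III", len(name), len(desc), NT_GNU_PROPERTY_TYPE_0)
    return header + name + desc


def aarch64_features(note):
    """Walk every note in `note`; return the AArch64 feature-1 bitmask,
    or None if no GNU property note carries one."""
    found = None
    off = 0
    while off + 12 <= len(note):
        namesz, descsz, ntype = struct.unpack_from("<III", note, off)
        off += 12
        name = note[off:off + namesz]
        off += (namesz + 3) & ~3           # name is padded to 4 bytes
        desc = note[off:off + descsz]
        off += (descsz + 7) & ~7           # ELF64 property desc is padded to 8 bytes
        if name != b"GNU\0" or ntype != NT_GNU_PROPERTY_TYPE_0:
            continue
        p = 0
        while p + 8 <= len(desc):
            pr_type, pr_datasz = struct.unpack_from("<II", desc, p)
            p += 8
            data = desc[p:p + pr_datasz]
            p += (pr_datasz + 7) & ~7      # each property is padded to 8 bytes on ELF64
            if pr_type == GNU_PROPERTY_AARCH64_FEATURE_1_AND and pr_datasz == 4:
                found = struct.unpack("<I", data)[0]
    return found


def branch_protection(note):
    """Summarise what the loader will see: BTI and PAC marking, or neither."""
    bits = aarch64_features(note)
    if bits is None:
        return {"bti": False, "pac": False, "has_property_note": False}
    return {"bti": bool(bits & GNU_PROPERTY_AARCH64_FEATURE_1_BTI),
            "pac": bool(bits & GNU_PROPERTY_AARCH64_FEATURE_1_PAC),
            "has_property_note": True}


def elf_branch_protection(path):
    """Report the BTI/PAC marking of a little-endian ELF64 file by locating
    its PT_GNU_PROPERTY segment in the program header table."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    for i in range(e_phnum):
        base = e_phoff + i * e_phentsize
        p_type, _flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, base)
        if p_type == PT_GNU_PROPERTY:
            return branch_protection(data[p_offset:p_offset + p_filesz])
    return branch_protection(b"")   # no property segment: an unmarked binary


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, elf_branch_protection(path))
```

Run it as `python3 check_bti.py /path/to/binary` to see whether a build actually carries the BTI and PAC bits; an unmarked binary, or one shared object in the process without the bit, is mapped without the guarded-page protection regardless of what the compiler emitted elsewhere.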
~~~
monocasa
So now we're going to see the next step be making gadgets out of code
fragments that happen to begin with BTI.

The real end game here is memory safety.

~~~
wahern
There are ways to compile that elide ROP gadgets. It's easier on architectures
like ARM than x86. OpenBSD has taken this approach:

    Number of ROP gadgets in 6.3-release arm64 kernel
      69935
    Number of ROP gadgets in 6.4-beta arm64 kernel
      46

[https://www.openbsd.org/papers/eurobsdcon2018-rop.pdf](https://www.openbsd.org/papers/eurobsdcon2018-rop.pdf)

Note: As described later in the presentation, those 46 remaining gadgets are
in the boot code, which is erased after booting.

~~~
monocasa
I'm not convinced that a conditional branch to the ret followed by breakpoints
between it and the ret is enough to remove the usefulness of the gadget as
much as they say.

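The gadget counts in wahern's slide and the epilogue shape monocasa describes (a conditional branch over `brk` instructions to the `ret`) can both be made concrete with a small measurement: on arm64 every instruction is a 4-byte word, so a `ret`-terminated gadget is simply the run of instructions before a `ret`, and a `brk` between the entry point and the `ret` turns that run into a trap. The Python below is an added example, not code from the OpenBSD paper or from any commenter. It decodes only `ret` and `brk` (encodings from the ARM Architecture Reference Manual); the two epilogues are constructed sample input, and the "hardened" one is a schematic of the cbz/brk/ret shape under discussion, not OpenBSD's actual instruction sequence.

```python
import struct

# AArch64 fixed-width encodings (from the ARM ARM, not from the thread):
#   ret Rn : 0xd65f0000 | Rn << 5   (ret x30 is 0xd65f03c0)
#   brk #i : 0xd4200000 | i << 5
RET_MASK, RET_VAL = 0xFFFFFC1F, 0xD65F0000
BRK_MASK, BRK_VAL = 0xFFE0001F, 0xD4200000


def is_ret(word):
    return (word & RET_MASK) == RET_VAL


def is_brk(word):
    return (word & BRK_MASK) == BRK_VAL


def decode_words(code):
    """Split little-endian machine code into 4-byte instruction words."""
    if len(code) % 4:
        raise ValueError("AArch64 code is a whole number of 4-byte instructions")
    return [w for (w,) in struct.iter_unpack("<I", code)]


def find_ret_gadgets(code, max_len=5):
    """For each `ret`, take the longest run of up to max_len preceding
    instructions that does not cross a `brk` (a brk traps, so the run stops
    there). Returns (entry_offset, ret_offset, usable_instruction_count)."""
    words = decode_words(code)
    gadgets = []
    for i, word in enumerate(words):
        if not is_ret(word):
            continue
        start = i
        while start > 0 and (i - start) < max_len and not is_brk(words[start - 1]):
            start -= 1
        gadgets.append((start * 4, i * 4, i - start))
    return gadgets


def usable_gadget_count(code, max_len=5):
    """Number of rets that have at least one instruction usable before them."""
    return sum(1 for _, _, n in find_ret_gadgets(code, max_len) if n > 0)


def asm(*words):
    return b"".join(struct.pack("<I", w) for w in words)


# Constructed sample epilogues. Only ret and brk are decoded above; the other
# words are real encodings but are treated as opaque instructions.
NOP = 0xD503201F
LDP_FP_LR = 0xA8C17BFD        # ldp x29, x30, [sp], #16
RET = 0xD65F03C0              # ret
BRK1 = 0xD4200020             # brk #1
CBZ_X15_P12 = 0xB400006F      # cbz x15, .+12  (skips the two brk words)

# Ordinary epilogue: restore frame, return.
PLAIN_EPILOGUE = asm(NOP, NOP, LDP_FP_LR, RET)
# Schematic hardened epilogue: check result in x15, branch over brk to ret
# only if the check passed; anything falling through hits brk.
HARDENED_EPILOGUE = asm(NOP, LDP_FP_LR, CBZ_X15_P12, BRK1, BRK1, RET)

if __name__ == "__main__":
    for label, code in (("plain", PLAIN_EPILOGUE), ("hardened", HARDENED_EPILOGUE)):
        print(label, find_ret_gadgets(code), "usable:", usable_gadget_count(code))
```

Run on a whole `.text` section the same counter gives the kind of before/after number in the slide. The model deliberately treats `brk` as a hard stop; monocasa's doubt is precisely whether entering at the `cbz` with a favourable register value, or at the bare `ret`, leaves anything an attacker can still use, and that is a question this simple count does not settle.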
~~~
saagarjha
Why?

~~~
monocasa
It's exactly the kind of roadblock that people who do offensive security are
great at finding loopholes around.

~~~
saagarjha
I mean, that's really been their job every time a new mitigation is
developed… the introduction of NX led to the use of ROP, which has been joined
by JOP techniques as efforts to remove return gadgets gain momentum.

~~~
monocasa
This is more like fitting shellcode into something that can be strcpy'd. Not
really that much of a complication from an attack perspective.

