Bug 595045 - nanojit: harden via out of band constant table
Status: RESOLVED WONTFIX (opened 14 years ago, closed 6 years ago)
Product / Component: Tamarin Graveyard :: Baseline JIT (CodegenLIR), defect, P1
Target Milestone: Q1 12 - Brannan
Reporter: rreitmai, Assignee: rreitmai
Whiteboard: must-fix-candidate

Description
This approach requires constants to be placed in read-only, non-execute memory and the generated code to reference them from this table. The justification for this approach is that constants can be manipulated by an attacker to form valid instruction sequences. If these potential instructions are indirectly referenced in non-executable memory, then this type of attack is mitigated.
Comment 1•14 years ago
Comment from edwsmith: The above decisions could be contingent on the constant value. Small integer constants might deserve different treatment than large pointer-ish constants. X86-64 currently emits double constants inline, but probably should put them in a table. X86-64 supports pc-relative addressing.
Comment 2•14 years ago
(continued from bug 593517)

> > We don't require PC-relative addressing to load from
> > a constant table, since we know the address of the
> > constant table. We can use an immediate-address load.
>
> True, but the effect is similar in that we'll need to burn an additional
> register to make this happen.

What's an example that would need a new register? Here are two x86 examples that don't need any new registers, or pc-relative addressing:

    mov eax, #12345   =>  mov eax, [#addr-of-12345]
    add eax, #12345   =>  add eax, [#addr-of-12345]
Assignee: nobody → rreitmai
Flags: flashplayer-qrb+
Priority: -- → P1
Target Milestone: --- → flash10.1.x-Salt
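The two code shapes that the description and Comment 2 contrast, plus Comment 1's suggestion of treating small integers differently, as an added example in C. This is not nanojit's own emitter: it is a toy i386 emitter written for this page. The i386 encodings (B8 id, 05 id, A1 moffs32, 03 05 disp32, 83 C0 ib) are real; POOL_BASE, the 0xDEADBEEF "attacker-chosen" constant, and every function and type name are assumptions of this example.

```c
/* Added example, not nanojit's code: a toy i386 emitter contrasting inline
 * immediates with an out-of-band constant table. POOL_BASE and the
 * attacker-chosen constant in demo() are constructed values. */
#define _DEFAULT_SOURCE
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

#define MAX_CODE  64
#define MAX_SLOTS 16
/* Address the JIT reserved for the pool in the 32-bit target (constructed;
 * a real JIT would record what mmap() returned). */
#define POOL_BASE 0x10000000u

typedef struct { uint8_t bytes[MAX_CODE]; size_t len; } code_t;   /* code page   */
typedef struct { uint32_t *slots; size_t count; } pool_t;         /* constant page */

static void emit8(code_t *c, uint8_t b) { if (c->len < MAX_CODE) c->bytes[c->len++] = b; }
static void emit32(code_t *c, uint32_t v) { for (int i = 0; i < 4; i++) emit8(c, (uint8_t)(v >> (8 * i))); }

/* Inline form (what the bug wants to retire): the constant's four bytes are
 * written verbatim into the executable page.
 *   mov eax, imm32 -> B8 id        add eax, imm32 -> 05 id */
void emit_mov_eax_imm(code_t *c, uint32_t imm) { emit8(c, 0xB8); emit32(c, imm); }
void emit_add_eax_imm(code_t *c, uint32_t imm) { emit8(c, 0x05); emit32(c, imm); }

/* The pool gets its own page so it can be sealed read-only and non-executable
 * independently of the code page. Add every constant before sealing. */
int pool_open(pool_t *p) {
    void *m = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED) return -1;
    p->slots = (uint32_t *)m; p->count = 0;
    return 0;
}
int pool_seal(pool_t *p) { return mprotect(p->slots, 4096, PROT_READ); }

/* Intern a constant; duplicates share a slot. Returns the slot index, -1 if full. */
int pool_add(pool_t *p, uint32_t v) {
    for (size_t i = 0; i < p->count; i++) if (p->slots[i] == v) return (int)i;
    if (p->count >= MAX_SLOTS) return -1;
    p->slots[p->count] = v;
    return (int)p->count++;
}
uint32_t pool_addr(int idx) { return POOL_BASE + 4u * (uint32_t)idx; }

/* Table form: the code carries only the slot's address, which the JIT chose.
 *   mov eax, [moffs32] -> A1 moffs32     add eax, [disp32] -> 03 05 disp32
 * ModRM 05 is an absolute disp32 in i386 mode; in x86-64 mode the same byte
 * means RIP-relative, the pc-relative addressing Comment 1 mentions. */
void emit_mov_eax_mem(code_t *c, uint32_t addr) { emit8(c, 0xA1); emit32(c, addr); }
void emit_add_eax_mem(code_t *c, uint32_t addr) { emit8(c, 0x03); emit8(c, 0x05); emit32(c, addr); }

int emit_mov_eax(code_t *c, pool_t *p, uint32_t imm) {
    int idx = pool_add(p, imm);
    if (idx < 0) return -1;
    emit_mov_eax_mem(c, pool_addr(idx));
    return 0;
}
/* Comment 1's refinement: a constant that fits a sign-extended imm8 gives an
 * attacker one byte to play with, so it may stay inline (add eax, imm8 ->
 * 83 C0 ib); anything wider goes through the pool. */
int emit_add_eax(code_t *c, pool_t *p, uint32_t imm) {
    int32_t s = (int32_t)imm;
    if (s >= -128 && s <= 127) { emit8(c, 0x83); emit8(c, 0xC0); emit8(c, (uint8_t)s); return 0; }
    int idx = pool_add(p, imm);
    if (idx < 0) return -1;
    emit_add_eax_mem(c, pool_addr(idx));
    return 0;
}

/* The property an attacker relies on: do the constant's little-endian bytes
 * appear anywhere in the code stream? */
int code_contains(const code_t *c, uint32_t v) {
    uint8_t needle[4];
    for (int i = 0; i < 4; i++) needle[i] = (uint8_t)(v >> (8 * i));
    for (size_t i = 0; i + 4 <= c->len; i++) if (memcmp(c->bytes + i, needle, 4) == 0) return 1;
    return 0;
}

/* Build both versions of "mov eax, K; add eax, K" for an attacker-chosen K
 * (constructed value) and return how many hardening checks failed. */
int demo(void) {
    const uint32_t attacker = 0xDEADBEEFu;
    code_t inl = { {0}, 0 }, tbl = { {0}, 0 };
    pool_t pool;
    int failures = 0;
    emit_mov_eax_imm(&inl, attacker); emit_add_eax_imm(&inl, attacker);
    failures += !code_contains(&inl, attacker);           /* inline: bytes present  */
    if (pool_open(&pool) != 0) return 99;
    if (emit_mov_eax(&tbl, &pool, attacker) || emit_add_eax(&tbl, &pool, attacker)) return 98;
    if (pool_seal(&pool) != 0) return 97;
    failures += code_contains(&tbl, attacker);            /* table: bytes absent    */
    failures += !code_contains(&tbl, POOL_BASE);          /* only the slot address  */
    failures += !(pool.count == 1 && pool.slots[0] == attacker);
    printf("inline %zu bytes, table %zu bytes + 1 pool slot, failures %d\n", inl.len, tbl.len, failures);
    munmap(pool.slots, 4096);
    return failures;
}

int main(void) { return demo(); }
```

The table form answers Comment 2's register question directly: both loads are register-free memory operands, and the price is one extra byte for the ModRM on `add` (11 bytes against 10) plus a 4-byte slot in a page that is never executable. The emitter is i386-only as written; in 64-bit mode `A1` takes a moffs64 and the natural replacement is the RIP-relative `8B 05 disp32`, which is why Comment 1 points at pc-relative addressing for X86-64.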
Updated•14 years ago
Group: tamarin-security
Updated•13 years ago
Flags: flashplayer-bug+
Whiteboard: must-fix-candidate
Updated•13 years ago
Flags: flashplayer-injection-
Target Milestone: Q3 11 - Serrano → Q1 12 - Brannan
Updated•12 years ago
Status: ASSIGNED → NEW
Updated•6 years ago
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX