Closed Bug 595045 Opened 14 years ago Closed 6 years ago

nanojit: harden via out of band constant table

Categories

(Tamarin Graveyard :: Baseline JIT (CodegenLIR), defect, P1)

x86
macOS
defect

Tracking

(Not tracked)

RESOLVED WONTFIX
Q1 12 - Brannan

People

(Reporter: rreitmai, Assigned: rreitmai)

References

Details

(Whiteboard: must-fix-candidate)

This approach requires constants to be placed in read-only, non-execute memory and the generated code to reference them from this table.

The justification for this approach is that constants can be manipulated by an attacker to form valid instruction sequences. If these potential instructions are indirectly referenced in non-executable memory then this type of attack is mitigated.
Blocks: 593517
Comment from edwsmith:

The above decisions could be contingent on the constant value. Small integer constants might deserve different treatment than large pointer-ish constants. X86-64 currently emits double constants inline, but probably should put them in a table. X86-64 supports pc-relative addressing.
(continued from bug 593517)

> > We don't require PC-relative addressing to load from 
> > a constant table, since we know the address of the 
> > constant table.  We can use an immediate-address load.
> 
> True, but the effect is similar in that we'll need to burn an additional
> register to make this happen.  

What's an example that would need a new register?  Here are two x86
examples that don't need any new registers, or pc-relative addressing:

  mov eax, #12345   =>   mov eax, [#addr-of-12345]
  add eax, #12345   =>   add eax, [#addr-of-12345]
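The two rewrites in the comment above, worked through as an added illustration (this is not nanojit's emitter and not code from the bug). It simulates a 32-bit x86 JIT that emits `mov eax, imm32` / `add eax, imm32` either inline (B8 imm32 / 05 imm32) or via a constant table (A1 moffs32 / 03 05 disp32, i.e. the absolute-address loads the comment describes, no extra register). The attacker-chosen constant 0x90909090 and the table address 0x08100000 are constructed values. A check then scans the executable buffer for the constant's bytes and counts the NOP run an attacker would find by jumping one byte into the instruction: with inline immediates the constant's bytes are in RX memory and decode as a NOP sled fragment; with the table, only the table address (which the JIT, not the attacker, chooses) reaches RX memory and the constant lives in the non-executable pool.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define CODE_MAX 64
#define POOL_MAX 16

/* Simulated JIT output: code[] stands for the RX code buffer, pool[] for the
 * read-only, non-executable constant table proposed in the bug. pool_base is
 * an assumed (made-up) address for the table in the simulated process. */
typedef struct {
    uint8_t  code[CODE_MAX]; size_t code_len;
    uint32_t pool[POOL_MAX]; size_t pool_len;
    uint32_t pool_base;
} Emitter;

static void put_u32le(uint8_t *dst, uint32_t v) {
    dst[0] = (uint8_t)v;         dst[1] = (uint8_t)(v >> 8);
    dst[2] = (uint8_t)(v >> 16); dst[3] = (uint8_t)(v >> 24);
}

static void emit_byte(Emitter *e, uint8_t b) { e->code[e->code_len++] = b; }
static void emit_u32(Emitter *e, uint32_t v) {
    put_u32le(&e->code[e->code_len], v);
    e->code_len += 4;
}

/* Reserve a slot in the constant table and return its (simulated) address. */
static uint32_t pool_add(Emitter *e, uint32_t v) {
    size_t slot = e->pool_len++;
    e->pool[slot] = v;
    return e->pool_base + (uint32_t)(4 * slot);
}

/* Inline encodings: the attacker's 32-bit immediate is copied verbatim into
 * executable memory. */
static void mov_eax_imm_inline(Emitter *e, uint32_t imm) { emit_byte(e, 0xB8); emit_u32(e, imm); } /* B8 imm32 */
static void add_eax_imm_inline(Emitter *e, uint32_t imm) { emit_byte(e, 0x05); emit_u32(e, imm); } /* 05 imm32 */

/* Table encodings: only the slot's address reaches executable memory. */
static void mov_eax_imm_table(Emitter *e, uint32_t imm) {
    uint32_t addr = pool_add(e, imm);
    emit_byte(e, 0xA1); emit_u32(e, addr);                     /* A1 moffs32: mov eax, [addr] */
}
static void add_eax_imm_table(Emitter *e, uint32_t imm) {
    uint32_t addr = pool_add(e, imm);
    emit_byte(e, 0x03); emit_byte(e, 0x05); emit_u32(e, addr); /* 03 /r, ModRM 05 = [disp32]: add eax, [addr] */
}

/* Emit "mov eax, c1; add eax, c2" with one of the two strategies. */
static Emitter build(int use_table, uint32_t c1, uint32_t c2) {
    Emitter e; memset(&e, 0, sizeof e);
    e.pool_base = 0x08100000u; /* assumed table address; its bytes contain no 0x90 */
    if (use_table) { mov_eax_imm_table(&e, c1);  add_eax_imm_table(&e, c2); }
    else           { mov_eax_imm_inline(&e, c1); add_eax_imm_inline(&e, c2); }
    return e;
}

/* Does the attacker's constant appear byte-for-byte in executable memory? */
static int code_contains_u32(const Emitter *e, uint32_t v) {
    uint8_t needle[4]; put_u32le(needle, v);
    for (size_t i = 0; i + 4 <= e->code_len; i++)
        if (memcmp(&e->code[i], needle, 4) == 0) return 1;
    return 0;
}

/* Length of the NOP (0x90) run found by entering the code buffer at byte
 * offset `off`, i.e. mid-instruction, which is what a JIT-spray jump does. */
static size_t nop_run_at(const Emitter *e, size_t off) {
    size_t n = 0;
    while (off + n < e->code_len && e->code[off + n] == 0x90) n++;
    return n;
}

static void dump(const char *label, const Emitter *e) {
    printf("%-7s code:", label);
    for (size_t i = 0; i < e->code_len; i++) printf(" %02X", e->code[i]);
    printf("  | constant in RX: %s, NOP run at +1: %zu, pool entries: %zu\n",
           code_contains_u32(e, 0x90909090u) ? "yes" : "no",
           nop_run_at(e, 1), e->pool_len);
}

int main(void) {
    Emitter inl = build(0, 0x90909090u, 0x90909090u); /* constructed attacker constant */
    Emitter tbl = build(1, 0x90909090u, 0x90909090u);
    dump("inline", &inl);
    dump("table", &tbl);
    return 0;
}
```

Only 32-bit absolute addressing is shown; on x86-64 the same loads would use RIP-relative displacements, which is the pc-relative addressing the comment refers to. The table address still appears in the code stream, but it is chosen by the JIT rather than the attacker, so it cannot be steered into a useful instruction sequence.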
Assignee: nobody → rreitmai
Flags: flashplayer-qrb+
Priority: -- → P1
Target Milestone: --- → flash10.1.x-Salt
Status: NEW → ASSIGNED
Group: tamarin-security
Target Milestone: flash10.1.x-Salt → flash10.x - Serrano
Flags: flashplayer-bug+
Whiteboard: must-fix-candidate
Flags: flashplayer-injection-
Target Milestone: Q3 11 - Serrano → Q1 12 - Brannan
Status: ASSIGNED → NEW
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX