nanojit: harden against writes to executable code pages

ASSIGNED
Unassigned

Status

Tamarin
Baseline JIT (CodegenLIR)
ASSIGNED
8 years ago
7 years ago

People

(Reporter: Rick Reitmaier, Unassigned)

Tracking

(Blocks: 1 bug)

unspecified
Future
Bug Flags:
flashplayer-injection -
flashplayer-qrb +
flashplayer-bug +

Details

Attachments

(1 attachment)

(Reporter)

Description

8 years ago
This attack relies on being able to overwrite code generated by the JIT during the period in which the memory protection bits have not yet transitioned to r-x (i.e. they are still rw-).

One approach to foiling this type of attack would be to compute a CRC value as instructions are written to the page, making the page r-x and then recomputing the CRC (based on page contents) to ensure that it has not deviated.

Another defense against this type of attack is to shrink the time that the code is vulnerable, so setting page protections as each page is processed might be a valid approach.
(Reporter)

Comment 1

8 years ago
Related and not discussed in the iSEC report, is bug 506693, which proposes that jit code pages be dual-mapped in the address space, with one mapping RW and the other mapping RX.
Blocks: 593517
(Reporter)

Comment 2

8 years ago
Created attachment 473881 [details] [diff] [review]
wip - includes other mitigation techniques

work-in-progress patch that computes a CRC checksum for each method that has previously been generated and is on an executable page.

Prior to switching the pages to rw- we gather up these CRCs and later use them to re-validate the contents of each method on the page.

see code bordered by the define NJ_HARDENING_CODE_CRC

Updated

8 years ago
Assignee: nobody → rreitmai
Status: NEW → ASSIGNED
Flags: flashplayer-qrb+
Priority: -- → P1
Target Milestone: --- → flash10.1.x-Salt
(Reporter)

Updated

8 years ago
Group: tamarin-security
(Reporter)

Comment 3

8 years ago
Related is bug 506693; dual mapping of code pages.

Updated

8 years ago
See Also: → bug 506693

Updated

8 years ago
Target Milestone: flash10.1.x-Salt → flash10.x - Serrano

Updated

8 years ago
Flags: flashplayer-bug-
Whiteboard: must-fix-candidate

Updated

8 years ago
Flags: flashplayer-bug- → flashplayer-bug+

Comment 4

7 years ago
Can we fold this bug into 506693?
Flags: flashplayer-injection-

Updated

7 years ago
Depends on: 641055
(Reporter)

Comment 5

7 years ago
(In reply to comment #4)
> Can we fold this bug into 506693?

Different techniques and the bugs are cross-listed so I don't see value in doing so.

Updated

7 years ago
Target Milestone: Q3 11 - Serrano → Q1 12 - Brannan

Comment 6

7 years ago
Rick, following your recent comments on hardening, please re-assign this bug to a doable target release. Removing Andre blocker.
No longer depends on: 641055
(Reporter)

Comment 7

7 years ago
I don't believe this should be assigned as it's not yet proven this is a worthwhile deterrent.

Target is future and it's unassigned.
Assignee: rreitmai → nobody
Target Milestone: Q1 12 - Brannan → Future

Updated

7 years ago
Priority: P1 → --
Whiteboard: must-fix-candidate