OpenBSD Journal

syscall call-from verification

Contributed by rueda on from the hard-as-nails-(in-the-coffin-of-exploit-techniques) dept.

Theo de Raadt (deraadt@) has committed code for a new exploit-prevention mechanism:

[…]
Repurpose the "syscalls must be on a writeable page" mechanism to
enforce a new policy: system calls must be in pre-registered regions.
We have discussed more strict checks than this, but none satisfy the
cost/benefit based upon our understanding of attack methods, anyways
let's see what the next iteration looks like.

This is intended to harden (translation: attackers must put extra
effort into attacking) against a mixture of W^X failures and JIT bugs
which allow syscall misinterpretation, especially in environments with
polymorphic-instruction/variable-sized instructions.  It fits in a bit
with libc/libcrypto/ld.so random relink on boot and no-restart-at-crash
behaviour, particularily for remote problems. Less effective once on-host
since someone the libraries can be read.
[…]

The full commit details are well worth reading, as is the manual page for the (new) msyscall(2), and some associated discussion on tech@.

As this change involves ABI breakage, upgrading via snapshots is the easiest way to avoid trouble.

(Comments are closed)


Comments
  1. By brynet (Brynet) on https://brynet.biz.tm/

    Slight correction, Theo meant "syscalls must be on a un-writeable page" above.

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]