by jerheinze
3321 days ago
See "Real-world Exploits against the Tor Browser" pages 9-10 where they conclude,

> The reason is that these function pointers are only accessed through an indirection layer, i.e., memory objects on the heap contain a pointer to a virtual table which is located in the code or data section of the application and contains a number of pointers to virtual functions. Since the attackers can only disclose the virtual table pointer, but not the virtual table itself, as it is not on the heap, they cannot disclose gadget addresses. Note that, when only ASLR is applied, the address of the virtual table is randomized with the same offset as the ROP gadgets. Therefore, such an attack can bypass ASLR but not selfrando.

> We therefore conclude that selfrando can thwart most real-world exploits. Attackers can only succeed in rare cases where they can disclose the complete heap and data section.

[1]: https://people.torproject.org/~gk/misc/Selfrando-Tor-Browser...