by Sirened 1284 days ago
The question we have to ask ourselves is whether OpenBSD's mitigations are taking away enough attack surface (or in this case, exploitation tools) to make it worth the engineering and user cost.

I'd argue that things like msyscall and mstack don't at all, because they cost attackers only a couple of minutes of time, once, to develop a bypass technique (i.e. move the stack pointer before a syscall, reuse the authorized syscall instruction) that they can apply everywhere. This greatly contrasts with mitigations like ASLR, where each time an attacker wants to bypass the mitigation they are forced to develop a novel, program-dependent strategy to leak some information. This is a huge pain and has definitely killed some otherwise exploitable bugs because no such leak could be devised.

1 comment

> I'd argue that things like msyscall and mstack don't at all, because they cost attackers only a couple of minutes of time, once, to develop a bypass technique (i.e. move the stack pointer before a syscall, reuse the authorized syscall instruction) that they can apply everywhere.

If you read up on library order randomization/re-link and retguard, you may find your technique won't be so reusable, even once you do manage to locate a syscall stub in libc.