This is the mail archive of the binutils@sourceware.org mailing list for the binutils project.
Hi,

I noticed that many linker scripts (e.g., elf32-i386 and elf64-x64) merge the read-only data (.rodata, .eh_frame and the like) into one big read-only and executable text segment. While this is certainly correct from a memory protection perspective, the security implications are severe since arbitrary data stored in the read-only sections might be interpreted as instructions and can be executed during a return-oriented programming (ROP) attack. The attached source file (execute_rodata.c) demonstrates that (tested on Linux 3.13.7 with NX bit enabled on a Core i7).

Furthermore, the fact that the file offset of the first ELF section is usually set to zero implies that the ELF header, which precedes the first section, will be mapped into the address space as well. Since the .text section is usually the first section of the ELF file, this makes the ELF header itself executable and unnecessarily adds ROP gadgets to the address space.

My solution to this (see attached linker script) separates read-only data from executable data and puts them in separate sections (.rodata and .text). To overcome the issue that the ELF header is part of executable data, the .rodata section is the first section to be loaded, thereby making the ELF header part of .rodata, which means it is still accessible, e.g. for routines that iterate over PHDRs.

I am aware that the original merge of .rodata and the ELF header was probably an optimization to save space. However, I would rather favour security as a default (separate rodata & text) and provide a linker option that optimizes space by merging rodata and text (the current state of the art). Due to the fact that .rodata and .text must be loaded into separate memory pages, the introduced alignment between .rodata and .text is at most one page. Please correct me if I'm wrong, but as far as I understand the ELF format and its section file offsets, there is no way to ensure different memory pages without the alignment.

Many thanks,
Stefan

--
Stefan Nürnberger
PhD Student
------------------
Information Security & Cryptography Group
Saarland University
Mail : nuernberger@cs.uni-saarland.de
Web : http://infsec.cs.uni-saarland.de/~nuernberger
Phone: +49 681 302-57 36 4
Attachments:
- execute_rodata.c (text document)
- elf64-x64.x (text document)
- smime.p7s (S/MIME cryptographic signature)
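As an added example, not from the mail or its attachments: a small Python audit that parses the ELF64 program and section headers of a binary and reports what each executable PT_LOAD segment maps besides code, namely the ELF header at file offset 0 and any allocated section that lacks SHF_EXECINSTR (such as .rodata). It is run against two constructed in-memory images, one mirroring the merged layout the mail describes and one mirroring the proposed separation of .rodata and .text onto different pages. The builder, the images and all function names are the example's own assumptions; the header layouts and constants are from the ELF specification.

```python
import struct
import sys

# ELF64 constants from the ELF specification
PT_LOAD = 1
PF_X, PF_W, PF_R = 1, 2, 4
SHT_PROGBITS, SHT_STRTAB = 1, 3
SHF_ALLOC, SHF_EXECINSTR = 0x2, 0x4
EHDR_SIZE, PHDR_SIZE, SHDR_SIZE = 64, 56, 64


def parse_elf64(data):
    """Return (program headers, section headers) of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 images are handled here")
    e_phoff, e_shoff = struct.unpack_from("<QQ", data, 32)
    e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHHHH", data, 54)
    phdrs = []
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _, _, p_filesz, _, _ = struct.unpack_from(
            "<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        phdrs.append({"type": p_type, "flags": p_flags, "offset": p_offset, "filesz": p_filesz})
    raw = []
    for i in range(e_shnum):
        sh_name, _, sh_flags, _, sh_offset, sh_size, *_ = struct.unpack_from(
            "<IIQQQQIIQQ", data, e_shoff + i * e_shentsize)
        raw.append((sh_name, sh_flags, sh_offset, sh_size))
    # Resolve section names through the section-name string table (.shstrtab)
    strtab_off = raw[e_shstrndx][2]
    shdrs = []
    for sh_name, sh_flags, sh_offset, sh_size in raw:
        end = data.index(b"\0", strtab_off + sh_name)
        name = data[strtab_off + sh_name:end].decode()
        shdrs.append({"name": name, "flags": sh_flags, "offset": sh_offset, "size": sh_size})
    return phdrs, shdrs


def audit_exec_segments(data):
    """List what each executable PT_LOAD segment maps besides code (by file offset)."""
    phdrs, shdrs = parse_elf64(data)
    findings = []
    for ph in phdrs:
        if ph["type"] != PT_LOAD or not ph["flags"] & PF_X:
            continue
        lo, hi = ph["offset"], ph["offset"] + ph["filesz"]
        if ph["flags"] & PF_W:
            findings.append("segment is writable and executable (W+X)")
        if lo == 0 and hi > 0:  # the ELF header lives at file offset 0
            findings.append("ELF header is mapped into an executable segment")
        for sh in shdrs:
            if sh["flags"] & SHF_ALLOC and not sh["flags"] & SHF_EXECINSTR and lo <= sh["offset"] < hi:
                findings.append(f"non-code section {sh['name']} is mapped executable")
    return findings


def build_elf64(segments, sections):
    """Construct a minimal ELF64 image for testing (constructed data, not a real binary).
    segments: (p_flags, p_offset, p_filesz, p_vaddr); sections: (name, sh_flags, sh_offset, sh_size, sh_addr)."""
    names = [n for n, *_ in sections] + [".shstrtab"]
    shstrtab, name_off = b"\0", {}
    for n in names:
        name_off[n] = len(shstrtab)
        shstrtab += n.encode() + b"\0"
    shstr_off = max(off + size for _, _, off, size, _ in sections)
    e_shoff = (shstr_off + len(shstrtab) + 7) & ~7
    img = bytearray(e_shoff + SHDR_SIZE * (len(sections) + 2))  # null entry + sections + .shstrtab
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)          # ELF64, little-endian, version 1
    struct.pack_into("<16sHHIQQQIHHHHHH", img, 0, ident, 2, 62, 1, 0, EHDR_SIZE, e_shoff, 0,
                     EHDR_SIZE, PHDR_SIZE, len(segments), SHDR_SIZE, len(sections) + 2, len(sections) + 1)
    for i, (flags, off, filesz, vaddr) in enumerate(segments):
        struct.pack_into("<IIQQQQQQ", img, EHDR_SIZE + i * PHDR_SIZE,
                         PT_LOAD, flags, off, vaddr, vaddr, filesz, filesz, 0x1000)
    img[shstr_off:shstr_off + len(shstrtab)] = shstrtab
    entries = [(n, SHT_PROGBITS, f, o, s, a) for n, f, o, s, a in sections]
    entries.append((".shstrtab", SHT_STRTAB, 0, shstr_off, len(shstrtab), 0))
    for i, (n, typ, f, o, s, a) in enumerate(entries, start=1):  # index 0 stays the null section
        struct.pack_into("<IIQQQQIIQQ", img, e_shoff + i * SHDR_SIZE, name_off[n], typ, f, a, o, s, 0, 0, 1, 0)
    return bytes(img)


def merged_layout():
    """Constructed image of the layout the mail describes: one R+X segment from file offset 0
    holding the ELF header, .text and .rodata."""
    return build_elf64(
        segments=[(PF_R | PF_X, 0, 0x130, 0x400000)],
        sections=[(".text", SHF_ALLOC | SHF_EXECINSTR, 0x100, 0x20, 0x400100),
                  (".rodata", SHF_ALLOC, 0x120, 0x10, 0x400120)])


def separated_layout():
    """Constructed image of the proposed layout: a read-only segment at offset 0 holding the header
    and .rodata, and an executable segment on the next page holding only .text."""
    return build_elf64(
        segments=[(PF_R, 0, 0x110, 0x400000), (PF_R | PF_X, 0x1000, 0x20, 0x401000)],
        sections=[(".rodata", SHF_ALLOC, 0x100, 0x10, 0x400100),
                  (".text", SHF_ALLOC | SHF_EXECINSTR, 0x1000, 0x20, 0x401000)])


if __name__ == "__main__":
    # With a path argument, audit a real ELF64 file; otherwise audit the two constructed images.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(audit_exec_segments(f.read()))
    else:
        print("merged:   ", audit_exec_segments(merged_layout()))
        print("separated:", audit_exec_segments(separated_layout()))
```

The audit compares file offsets rather than virtual addresses, which is enough for file-backed PT_LOAD segments; the merged image yields two findings (header and .rodata mapped executable) while the separated one yields none, which is the property the proposed linker script is meant to give a real binary.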