This is the mail archive of the binutils@sourceware.org mailing list for the binutils project.



[SECURITY] Merged .text and .rodata in linker scripts


Hi,

I noticed that many linker scripts (e.g., elf32-i386 and elf64-x64)
merge the read-only data (.rodata, .eh_frame and the like) into one big
read-only and executable text segment.

While this is certainly correct from a memory protection perspective,
the security implications are severe since arbitrary data stored in the
read-only sections might be interpreted as instructions and can be
executed during a return-oriented programming (ROP) attack.

The attached source file (execute_rodata.c) demonstrates that (tested on
Linux 3.13.7 with NX bit enabled on a Core i7).

Furthermore, the fact that the file offset of the first ELF section is
usually set to zero implies that the ELF header, which precedes the
first section, will be mapped into the address space as well. Since the
.text section is usually the first section of the ELF file, this makes
the ELF header itself executable and unnecessarily adds ROP gadgets to
the address space.

My solution to this (see attached linker script) separates read-only
data from executable data and puts them in separate sections (.rodata
and .text). To overcome the issue that the ELF header is part of
executable data, the .rodata section is the first section to be loaded,
thereby making the ELF header part of .rodata, which means it is still
accessible, e.g. for routines that iterate over PHDRs.

I am aware that the original merge of .rodata and the ELF header was
probably an optimization to save space. However, I would rather favour
security as a default (separate rodata & text) and provide a linker
option that optimizes space by merging rodata and text (the current
state-of-the-art).

Due to the fact that .rodata and .text must be loaded into separate
memory pages, the introduced alignment between .rodata and .text is at
most one page. Please correct me if I'm wrong, but as far as I
understand the ELF format and its section file offsets, there is no way
to ensure different memory pages without the alignment.

Many thanks,
Stefan


-- 

Stefan Nürnberger
PhD Student
------------------
Information Security & Cryptography Group
Saarland University

Mail : nuernberger@cs.uni-saarland.de
Web  : http://infsec.cs.uni-saarland.de/~nuernberger
Phone: +49 681 302-57 36 4

Attachment: execute_rodata.c
Description: Text document

Attachment: elf64-x64.x
Description: Text document

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
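As an added check that is not part of Stefan's mail or its attachments, the following Python walks the ELF64 program and section headers and reports any non-code bytes, the ELF header included, that fall inside an executable PT_LOAD segment. The two images it builds are constructed here to mirror the merged layout the mail criticises and the separated layout it proposes (rodata first, header inside rodata); section offsets, sizes and contents are made up for the example.

```python
import struct

PT_LOAD, PF_X, SHF_EXECINSTR = 1, 0x1, 0x4

def data_in_exec_segments(elf: bytes) -> list:
    """Return the non-code items (ELF header, sections without SHF_EXECINSTR)
    whose file bytes fall inside an executable PT_LOAD segment (ELF64 LE)."""
    assert elf[:6] == b"\x7fELF\x02\x01", "ELF64 little-endian only"
    (phoff, shoff, _, _, phentsize, phnum, shentsize, shnum,
     shstrndx) = struct.unpack_from("<QQIHHHHHH", elf, 32)
    phdrs = [struct.unpack_from("<IIQQQQQQ", elf, phoff + i * phentsize)
             for i in range(phnum)]                    # p_type, p_flags, p_offset, ..., p_filesz, ...
    shdrs = [struct.unpack_from("<IIQQQQIIQQ", elf, shoff + i * shentsize)
             for i in range(shnum)]                    # sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size, ...
    strtab = shdrs[shstrndx][4]                        # file offset of .shstrtab
    exec_ranges = [(p[2], p[2] + p[5]) for p in phdrs if p[0] == PT_LOAD and p[1] & PF_X]
    inside = lambda off, size: any(lo <= off and off + size <= hi for lo, hi in exec_ranges)
    found = ["ELF header"] if inside(0, 64) else []   # the ELF header always sits at file offset 0
    for name_off, sh_type, sh_flags, _, sh_off, sh_size, *_rest in shdrs:
        if sh_type == 0 or sh_flags & SHF_EXECINSTR or not inside(sh_off, sh_size):
            continue
        found.append(elf[strtab + name_off:elf.index(b"\0", strtab + name_off)].decode())
    return found

def build_elf(separate: bool) -> bytes:
    """Constructed ELF64 image (not a real program): .rodata at 0x100, .text at
    0x200. merged: one R+X PT_LOAD over 0x0-0x300 (header, .rodata, .text);
    separate: R segment 0x0-0x200 (header + .rodata) and R+X segment 0x200-0x300."""
    img = bytearray(0x500)
    img[0x100:0x108] = b"CONSTANT"                     # .rodata bytes (constructed)
    img[0x200:0x204] = b"\x31\xc0\xc3\x90"             # .text bytes: xor eax,eax; ret; nop
    names = b"\0.text\0.rodata\0.shstrtab\0"
    img[0x300:0x300 + len(names)] = names
    phdr = lambda flags, off, size: struct.pack("<IIQQQQQQ", PT_LOAD, flags, off, off, off, size, size, 0x1000)
    phdrs = (phdr(0x4, 0, 0x200) + phdr(0x5, 0x200, 0x100) if separate   # PF_R, then PF_R|PF_X
             else phdr(0x5, 0, 0x300))                                      # single PF_R|PF_X segment
    img[64:64 + len(phdrs)] = phdrs
    shdr = lambda name, typ, flags, off, size: struct.pack("<IIQQQQIIQQ", name, typ, flags, off, off, size, 0, 0, 1, 0)
    shdrs = (shdr(0, 0, 0, 0, 0) + shdr(1, 1, 0x6, 0x200, 4)              # SHT_NULL, .text (ALLOC|EXECINSTR)
             + shdr(7, 1, 0x2, 0x100, 8) + shdr(15, 3, 0, 0x300, len(names)))  # .rodata (ALLOC), .shstrtab
    img[0x340:0x340 + len(shdrs)] = shdrs
    img[:64] = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 2, 62, 1, 0x200, 64, 0x340, 0, 64, 56, len(phdrs) // 56, 64, 4, 3)
    return bytes(img)

if __name__ == "__main__":
    print("merged  :", data_in_exec_segments(build_elf(separate=False)))   # ['ELF header', '.rodata']
    print("separate:", data_in_exec_segments(build_elf(separate=True)))    # []
```

On a real binary, pass `open(path, "rb").read()` to `data_in_exec_segments`; an empty result means no read-only data shares a page mapping with code.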
