Hardware-based buffer overflow defenses compared: SSM/ADI vs MPX
source link: https://lazytyped.blogspot.com/2016/12/hardware-buffer-overflow-defenses.html
One of the most common questions when discussing SPARC M7 SSM/ADI (Silicon Secured Memory/Application Data Integrity, from here on referred to only as ADI) is "how does it compare to XYZ?", where XYZ is some other architectural security feature. In this blog entry we'll see how ADI stacks up against another buffer overflow protection feature, Intel Memory Protection eXtensions (MPX).
Before starting, a somewhat obvious, but necessary, observation: these features do not provide security "by themselves", instead, they provide building blocks to develop protections on top. In other words, they are meant to, and need to, be (extensively) leveraged by software implementations to be in any way effective.
MPX introduces a couple of new registers and a handful of instructions that operate on them. The new registers BND[0..3] are 128 bits long, with 64 bits used to store the upper bound and 64 bits used to store the lower bound of a buffer. Three new instructions allow checking a pointer against said bounds: BNDCL (Bound Check Lower Bound), BNDCU (Bound Check Upper Bound) and BNDCN (Bound Check Upper Bound Not in 1s Complement). For example, bndcl (%rax), %bnd0 compares the contents of RAX against the lower bound set in BND0. If the check fails, a new #BR exception is raised. BNDC* instructions are very fast, to reduce the performance penalty.
Of course, 4 bound registers aren't enough for every buffer used in a program, so MPX supports a number of ways to swap the necessary upper/lower bound values back and forth: BNDMK (Bound Make) stores a pair of addresses into one of the BNDx registers, BNDMOV (Bound Move) loads a pair from a location in memory, and BNDLDX/BNDSTX manage the Bound Table, which stores information about a pointer and its bounds. Bound Tables are arranged in a two-level directory in memory and the root address is stored in BNDCFGU (user land, CPL=3) or BNDCFGS (kernel land, CPL=0). BND*X and BNDMOV instructions simplify bounds management, but logically introduce a larger performance hit.
MPX relies heavily on the compiler/instrumentation to be effective: while the programmer can add manual checks, it's the compiler that needs to identify the places where a check is necessary and introduce the proper instruction sequences there. The smarter this logic is, the better the performance is going to be. A quick analysis of MPX performance (and more) is available on the AddressSanitizer wiki.
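To make the register layout and the check semantics concrete, here is a small software model of one BNDx register and of the BNDMK/BNDCL/BNDCU/BNDCN operations described above, followed by the check sequence a compiler would emit around a single memory access. This is an added illustration written for this page, not Intel's code or the blog author's; the buffer, its size and the function names are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>

/* Software model of one MPX bound register (BNDx): 64-bit lower bound plus
 * 64-bit upper bound, the latter kept in 1's complement as BNDMK stores it.
 * Added illustration only, not Intel's reference code. */
typedef struct {
    uint64_t lb;   /* first valid byte address */
    uint64_t ub;   /* ~(last valid byte address) */
} bnd_reg;
enum { MPX_OK = 0, MPX_BR = 1 };   /* MPX_BR models the #BR exception */

/* BNDMK bndx, [base + len-1]: LB = base, UB = ~(base + len - 1) */
bnd_reg bndmk(uint64_t base, size_t len) {
    bnd_reg b = { base, ~(base + len - 1) };
    return b;
}
/* BNDCL bndx, r64: #BR if r64 < BND.LB */
int bndcl(const bnd_reg *b, uint64_t ptr) {
    return ptr < b->lb ? MPX_BR : MPX_OK;
}
/* BNDCU bndx, r64: #BR if r64 > ~BND.UB (bound held in 1's complement) */
int bndcu(const bnd_reg *b, uint64_t ptr) {
    return ptr > ~b->ub ? MPX_BR : MPX_OK;
}
/* BNDCN bndx, r64: same test against a register holding the plain bound */
int bndcn(const bnd_reg *b, uint64_t ptr) {
    return ptr > b->ub ? MPX_BR : MPX_OK;
}

/* What an instrumented load/store of `size` bytes at `addr` looks like:
 * BNDCL on the first byte and BNDCU on the last byte before the access. */
int checked_access(const bnd_reg *b, uint64_t addr, size_t size) {
    if (bndcl(b, addr) == MPX_BR) return MPX_BR;
    if (bndcu(b, addr + size - 1) == MPX_BR) return MPX_BR;
    return MPX_OK;
}

/* Constructed case: a 16-byte buffer walked by an index that runs to 20.
 * Returns how many byte accesses the bounds check would have faulted on. */
int demo(void) {
    char buf[16];
    uint64_t base = (uint64_t)(uintptr_t)buf;
    bnd_reg b = bndmk(base, sizeof buf);
    int faults = 0;
    for (size_t i = 0; i < 20; i++)
        if (checked_access(&b, base + i, 1) == MPX_BR) faults++;
    return faults;   /* 4: offsets 16..19 trip BNDCU */
}
```

On real MPX hardware each modelled return of MPX_BR corresponds to a #BR fault at the offending instruction, which is what lets the instrumentation stop an out-of-bounds access before it reaches memory.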
MPX is fully backward compatible, as its instructions use prefixes that are treated as NOPs on older architectures. This allows building a single binary and distributing it everywhere. The same also happens when MPX is disabled, which allows admins to toggle the protection on and off on a per-binary basis. MPX interoperates well with existing code, allowing instrumented and non-instrumented components to be mixed in the same process (with some caveats). The idea there is to allow MPX to be introduced gradually in large applications, starting with the sensitive modules.
MPX vs ADI