Add paragraph on ROP gadgets and variable length instructions #245
Conversation
There was a problem hiding this comment.
Thank you!
This looks good, just have left a few nit picks.
Reviewed all commit messages.
Reviewable status: 0 of 1 files reviewed, all discussions resolved
book.md line 630 at r1 (raw file):
that should be protected and have been missed. On architectures such as x86 that has variable length instruction encoding
s/has/have/
book.md line 631 at r1 (raw file):
On architectures such as x86 that has variable length instruction encoding where instructions doesn't have any alignment requirements there will also
s/doesn't/do not/
book.md line 632 at r1 (raw file):
On architectures such as x86 that has variable length instruction encoding where instructions doesn't have any alignment requirements there will also exist gadgets that the compiler has not emitted as instructions. For example,
maybe s/exist/be/? But this is a matter of taste, so if you prefer "exist", let's keep "exist".
|
|
There was a problem hiding this comment.
Reviewable status: 0 of 1 files reviewed, all discussions resolved
book.md line 632 at r1 (raw file):
Previously, wanders (Anders Waldenborg) wrote…
I think I prefer "be". But maybe even
On architectures such as x86 that has variable length instruction encoding
where instructions doesn't have any alignment requirements it is possible
to find gadgets that the compiler has not emitted as instructions.
Oh yes, that's better!
There was a problem hiding this comment.
Reviewable status: 0 of 1 files reviewed, 1 unresolved discussion (waiting on @kbeyls and @wanders)
book.md line 632 at r1 (raw file):
On architectures such as x86 that has variable length instruction encoding where instructions doesn't have any alignment requirements there will also exist gadgets that the compiler has not emitted as instructions. For example,
If we're mentioning variable-length instructions, it might also be worth mentioning that this can also happen in other cases, e.g. literal pools embedded in the code, read-only data that gets mapped in the same segment as code etc. This kind of thing is particularly interesting in JITs when the input code (and therefore these values) is attacker controlled.
|
Previously, g-kouv (Georgia Kouveli) wrote…
Good point. I'll see if I can cover that too. |
wanders
force-pushed
the
varlen-isn-rop-gadget
branch
from
e53528a
to
4b635b4
Compare
There was a problem hiding this comment.
Reviewed 1 of 1 files at r2.
Reviewable status: all files reviewed (commit messages unreviewed), 1 unresolved discussion (waiting on @g-kouv)
book.md line 632 at r1 (raw file):
Previously, wanders (Anders Waldenborg) wrote…
Good point. I'll see if I can cover that too.
I like the text, it reads well and explains the idea well.
Georgia, what do you think?
book.md line 649 at r2 (raw file):
`66 b8 5f c3`. If the attacker can divert execution two bytes into that 4-byte instruction it will execute `5f c3`. Those bytes corresponds to the two single byte instructions `pop %rdi; ret` which is an useful ROP gadget.
s/an useful/a useful/?
wanders
force-pushed
the
varlen-isn-rop-gadget
branch
from
4b635b4
to
7e0de80
Compare
There was a problem hiding this comment.
Reviewable status: 0 of 1 files reviewed, 1 unresolved discussion (waiting on @g-kouv)
book.md line 632 at r1 (raw file):
Previously, kbeyls (Kristof Beyls) wrote…
I like the text, it reads well and explains the idea well.
Georgia, what do you think?
Georgia may not be available to do another review in the near future.
Let's land this improvement to the text.
We can always adapt it further in the future.
This change is