SROP mitigation
Erik Bosman (VUSec) published Framing Signals - A Return to Portable Shellcode in 2014 (with Herbert Bos, at IEEE S&P), describing another ROP-like exploitation technique, based on the kernel's signal handling: the attacker forges a signal frame on the stack and invokes sigreturn(2), so the kernel restores every register from attacker-controlled data. To mitigate this vector, the paper suggested to:
- use a canary in the sigreturn frame, noting that this approach, like stack cookies, is bypassable if the attacker can leak the cookie's value;
- use a cryptographic MAC of the sigreturn frame, which is also leakable;
- use a counter, but this complicates thread/fork handling on the kernel side.
Along with his article, he sent patches to implement his suggestions in Linux.
In February 2016, Scott Bauer suggested another set of Linux patches, based on Bosman's ones.
In May 2016, based on Bauer's patches, Theo de Raadt announced that OpenBSD now mitigates SROP by:
- checking that sigreturn(2) is called from the sigtramp (signal trampoline) code, i.e. that the program counter at the time of the syscall lies inside the trampoline;
- storing, in the sigcontext itself, a per-process cookie XOR'ed with the address of that sigcontext, so that a frame copied to another address, or forged without knowledge of the cookie, is rejected.
An attacker can still jump to the end of the sigtramp code, at the instruction that issues the sigreturn syscall, which satisfies the first check, and can defeat the cookie with an arbitrary read: since the stored value is the cookie XOR'ed with the frame's address, reading one genuine frame at a known address reveals the per-process cookie. But, much like stack cookies, it is better than nothing.
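To make the two checks and their limits concrete, here is an added user-space model of them in C. It is example code written for this page, not OpenBSD's kernel source: the reduced sigcontext layout, the sigtramp address range, the `sendsig`/`sys_sigreturn` names, the fixed per-process secret and the four scenarios are all assumptions made for illustration. The last scenario is the arbitrary-read bypass described above: one leaked genuine frame at a known address yields the secret, after which a frame can be forged anywhere.

```c
#include <stdint.h>
#include <stdio.h>

/* Reduced model of the context the kernel writes on signal delivery and
 * consumes on sigreturn(2).  Real sigcontexts hold every register; only
 * the fields the check needs are modelled here (assumption). */
struct sigcontext {
    uintptr_t sc_pc;      /* program counter restored by sigreturn */
    uintptr_t sc_sp;      /* stack pointer restored by sigreturn */
    uintptr_t sc_cookie;  /* per-process secret XOR address of this frame */
};

/* Per-process secret.  A real kernel draws it from its CSPRNG at exec time;
 * a fixed value is used here so the scenarios are reproducible. */
static const uintptr_t sigcookie = (uintptr_t)0x5a3c9e1f7b2d4680ULL;

/* Hypothetical address range of the signal trampoline and the offset of the
 * sigreturn syscall instruction inside it. */
#define SIGTRAMP_BASE        ((uintptr_t)0x7fff0000UL)
#define SIGTRAMP_SIZE        ((uintptr_t)0x30)
#define SIGTRAMP_SYSCALL_OFF ((uintptr_t)0x1c)

enum sigreturn_result {
    SIGRETURN_OK,
    SIGRETURN_BAD_CALLER,   /* syscall not issued from the trampoline */
    SIGRETURN_BAD_COOKIE    /* cookie does not match this frame's address */
};

/* Kernel side, signal delivery: fill the frame and bind the cookie to the
 * frame's own address so that a copy elsewhere on the stack is rejected. */
static void sendsig(struct sigcontext *frame, uintptr_t pc, uintptr_t sp)
{
    frame->sc_pc = pc;
    frame->sc_sp = sp;
    frame->sc_cookie = sigcookie ^ (uintptr_t)frame;
}

/* Kernel side, sigreturn(2): caller_pc is the user pc at the time of the
 * syscall, frame is the sigcontext the caller asks to restore. */
static enum sigreturn_result sys_sigreturn(uintptr_t caller_pc,
                                           const struct sigcontext *frame)
{
    if (caller_pc < SIGTRAMP_BASE || caller_pc >= SIGTRAMP_BASE + SIGTRAMP_SIZE)
        return SIGRETURN_BAD_CALLER;
    if (frame->sc_cookie != (sigcookie ^ (uintptr_t)frame))
        return SIGRETURN_BAD_COOKIE;
    return SIGRETURN_OK;
}

/* 1. Genuine delivery: frame written by the kernel, syscall from sigtramp. */
enum sigreturn_result scenario_legitimate(void)
{
    struct sigcontext frame;
    sendsig(&frame, 0x401000, 0x7ffd1000);
    return sys_sigreturn(SIGTRAMP_BASE + SIGTRAMP_SYSCALL_OFF, &frame);
}

/* 2. Classic SROP: a ROP chain reaches sigreturn from a gadget outside
 *    sigtramp, pointing it at an attacker-built frame. */
enum sigreturn_result scenario_rop_gadget_calls_sigreturn(void)
{
    struct sigcontext forged = { 0x401000, 0x7ffd1000, 0 };
    return sys_sigreturn(0x401234 /* hypothetical syscall gadget */, &forged);
}

/* 3. Attacker jumps to the syscall instruction inside sigtramp (passing the
 *    caller check) but has no read primitive.  Even copying a genuine frame,
 *    cookie included, to another address fails: the cookie is address-bound. */
enum sigreturn_result scenario_jump_into_sigtramp_without_leak(void)
{
    struct sigcontext genuine, forged;
    sendsig(&genuine, 0x401000, 0x7ffd1000);
    forged = genuine;               /* same cookie, different address */
    forged.sc_pc = 0x401500;        /* attacker's chosen pc */
    return sys_sigreturn(SIGTRAMP_BASE + SIGTRAMP_SYSCALL_OFF, &forged);
}

/* 4. The bypass: an arbitrary read leaks the cookie of a genuine frame at a
 *    known address, secret = cookie ^ address, and a frame is forged anywhere. */
enum sigreturn_result scenario_leaked_cookie_bypass(void)
{
    struct sigcontext genuine, forged;
    sendsig(&genuine, 0x401000, 0x7ffd1000);
    uintptr_t leaked_secret = genuine.sc_cookie ^ (uintptr_t)&genuine;
    forged.sc_pc = 0x401500;
    forged.sc_sp = 0x7ffd2000;
    forged.sc_cookie = leaked_secret ^ (uintptr_t)&forged;
    return sys_sigreturn(SIGTRAMP_BASE + SIGTRAMP_SYSCALL_OFF, &forged);
}

int main(void)
{
    static const char *names[] = { "ok", "bad caller", "bad cookie" };
    printf("legitimate:              %s\n", names[scenario_legitimate()]);
    printf("rop gadget -> sigreturn: %s\n", names[scenario_rop_gadget_calls_sigreturn()]);
    printf("jump into sigtramp:      %s\n", names[scenario_jump_into_sigtramp_without_leak()]);
    printf("leaked cookie:           %s\n", names[scenario_leaked_cookie_bypass()]);
    return 0;
}
```

Scenarios 2 and 3 are the cases the OpenBSD checks stop; scenario 4 passes both checks, which is exactly why the mitigation, like a stack cookie, only holds as long as the attacker has no read primitive.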