SROP mitigation

Erik Bosman from VUSec published Framing signals - Return to portable exploits in 2014, describing another ROP-like exploit technique, based on signal handlers. To mitigate this vector, his paper suggested to:

• use a canary in the sigreturn frame, noting that this approach, like stack-cookies, is bypassable if the attacker can leak the cookie’s value.
• use a cryptographic MAC of the sigreturn frame, which is also leakable.
• use a counter, but this complicate threads/forks handling on the kernel-side.

Along with his article, he sent patches to implement his suggestions in Linux.

In February 2016, Scott Bauer suggested an other set of patches, based on Bosman’s ones.

In May 2016, based on Bauer’s patches, Theo de Raadt announced that OpenBSD now mitigates SROP by:

• Checking if sigreturn is called from a sigtramp site.
• Adding a per-process cookie xor’ed with the address of the signal context, in the sigcontext itself.

An attacker can simply jump at the end the sigtramp function, and bypass the cookie via an arbitrary read, but it’s better than nothing, a bit like stack cookies.