SROP mitigation
Erik Bosman from VUSec published Framing signals - Return to portable exploits in 2014, describing a then-new member of the *ROP family (SROP, sigreturn-oriented programming), based on signal handlers. To mitigate this vector, his paper suggested three options:
- use a canary in the sigreturn frame, noting that this approach, like stack cookies, is bypassable if the attacker can leak the cookie's value.
- use a cryptographic MAC of the sigreturn frame.
- use a counter, but this complicates thread/fork handling on the kernel side.
Along with his article, he sent patches to implement his suggestions in Linux.
In February 2016, Scott Bauer suggested another set of patches, based on Bosman's ones.
In May 2016, based on Bauer’s patches, Theo de Raadt announced that OpenBSD now mitigates SROP by:
- Checking that sigreturn is called from sigtramp.
- A per-process cookie XOR'ed with the address of the signal context.
An attacker can simply jump to the end of the sigtramp function, and bypass the cookie via an arbitrary read, but it's better than nothing, a bit like stack cookies.
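To make the OpenBSD-style checks concrete, here is an added user-space model of both of them (not OpenBSD's or Linux's code): the frame is stamped with `secret ^ address_of_frame` at delivery, and sigreturn rejects a frame whose caller is outside a hypothetical sigtramp range or whose cookie does not match its own address. The sigtramp bounds and the secret are constructed values.

```c
/* Added model of the two sigreturn checks described above.
 * Not OpenBSD's or Linux's code; addresses and secret are constructed. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical address range of the sigtramp code page. */
#define SIGTRAMP_START 0x1000ULL
#define SIGTRAMP_END   0x1040ULL

typedef struct {
    uint64_t regs[4];   /* stand-in for the saved CPU state */
    uint64_t cookie;    /* per-process secret ^ address of this frame */
} sigframe;

/* "Kernel" side, signal delivery: bind the cookie to the frame's address. */
void deliver_signal(sigframe *f, uint64_t secret) {
    f->cookie = secret ^ (uint64_t)(uintptr_t)f;
}

/* "Kernel" side, sigreturn: both checks must pass. */
bool sigreturn_check(const sigframe *f, uint64_t caller_pc, uint64_t secret) {
    if (caller_pc < SIGTRAMP_START || caller_pc >= SIGTRAMP_END)
        return false;   /* sigreturn not invoked from sigtramp */
    return f->cookie == (secret ^ (uint64_t)(uintptr_t)f);
}

/* A byte-for-byte copy of a valid frame placed at another address fails,
 * because the cookie is bound to the address; so does a caller outside
 * sigtramp. A leaked secret plus a known address still defeats this,
 * which is the limitation the post points out. Returns 1 if the model
 * behaves as expected. */
int forged_frame_rejected(uint64_t secret) {
    sigframe real, forged;
    deliver_signal(&real, secret);
    forged = real;                               /* relocated copy */
    bool ok_real     = sigreturn_check(&real,   SIGTRAMP_START + 8, secret);
    bool ok_forged   = sigreturn_check(&forged, SIGTRAMP_START + 8, secret);
    bool ok_wrong_pc = sigreturn_check(&real,   0x2000ULL,          secret);
    return ok_real && !ok_forged && !ok_wrong_pc;
}

int main(void) {
    printf("%s\n", forged_frame_rejected(0x5eed1234abcd0001ULL)
                       ? "checks behave as expected" : "unexpected result");
    return 0;
}
```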