[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <AE90C24D6B3A694183C094C60CF0A2F6026B723F@saturn3.aculab.com>
Date: Mon, 20 May 2013 15:35:58 +0100
From: "David Laight" <David.Laight@...LAB.COM>
To: "Eric Dumazet" <eric.dumazet@...il.com>,
"Florian Westphal" <fw@...len.de>
Cc: "David Miller" <davem@...emloft.net>,
"netdev" <netdev@...r.kernel.org>,
"H. Peter Anvin" <hpa@...or.com>, <linux-kernel@...r.kernel.org>
Subject: RE: [PATCH net-next] x86: bpf_jit_comp: secure bpf jit against spraying attacks
> > What about emitting additional instructions at random locations in the
> > generated code itself?
> >
> > Eg., after every instruction, have random chance to insert
> > 'xor $0xcc,%al; xor $0xcc,%al', etc?
>
> This will be the latest thing I'll do.
>
> Frankly, whole point of BPF JIT is speed.
>
> If we have slow code, just use the interpretor instead.
Adding one of the standard nop opcodes wouldn't be too bad.
IIRC 0x90 is skipped very early on by modern cpu.
Adding one after every nth (or n-mth) instruction would
probably break the alternate instruction stream.
However the attacker could (probably) keep installing
code patterns until the guess pattern matched.
Also the code size changes might make the JIT compile fail
- maybe because of branch offsets, or just size.
David
Powered by blists - more mailing lists