#FreeBSD's #StackClash mitigation landed: https://svnweb.freebsd.org/changeset/base/320317

A few thoughts:

1. I really like the new MAP_GUARD, which is useful for guarding between shared objects.
2. I'm not sure I like that MAP_GUARD mappings can be unmapped.
3. Guard mappings can be mapped over with MAP_FIXED. I don't like that.
4. No attention paid to the per-thread stack guard (libthr). Easy to fix, though.

If an attacker can do items 2 and 3, it's already game over, though.

What could be done to improve it:

1. Don't allow unmapping of guard pages.
2. Don't allow remapping guard pages with MAP_FIXED.
3. Use MAP_GUARD with libthr's stack guard.
4. Increase the default size of the stack guard.

#FreeBSD #HardenedBSD #infosec #StackClash
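
A probe for items 2 and 3 of the post, added here as an example; it is not part of the original post or of the FreeBSD commit. It reports whether a guard region can be removed with `munmap` or replaced through `MAP_FIXED`, which is what a kernel carrying the suggested restrictions would refuse. The function names are hypothetical, and on systems without `MAP_GUARD` the code assumes a `PROT_NONE` anonymous mapping as a stand-in guard.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* expose MAP_ANON on glibc under strict -std= */
#endif
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

#ifdef MAP_GUARD                   /* FreeBSD: request a real guard reservation */
#define GUARD_FLAGS MAP_GUARD
#else                              /* assumption: PROT_NONE mapping as stand-in */
#define GUARD_FLAGS (MAP_PRIVATE | MAP_ANON)
#endif

/* Create a one-page guard; returns NULL if the kernel rejects the request. */
static void *make_guard(size_t len)
{
    void *p = mmap(NULL, len, PROT_NONE, GUARD_FLAGS, -1, 0);
    return p == MAP_FAILED ? NULL : p;
}

/* 1 if munmap() removes the guard, 0 if refused, -1 on setup failure. */
int guard_can_be_unmapped(void)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *g = make_guard(len);
    if (g == NULL)
        return -1;
    return munmap(g, len) == 0;
}

/* 1 if MAP_FIXED swaps the guard for writable memory, 0 if refused, -1 on setup failure. */
int guard_can_be_replaced(void)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *g = make_guard(len);
    if (g == NULL)
        return -1;
    void *p = mmap(g, len, PROT_READ | PROT_WRITE,
                   MAP_FIXED | MAP_PRIVATE | MAP_ANON, -1, 0);
    if (p == MAP_FAILED)
        return 0;                  /* guard survived the MAP_FIXED request */
    *(volatile char *)p = 1;       /* the page is now ordinary writable memory */
    munmap(p, len);
    return 1;
}

int main(void)
{
    printf("guard unmappable: %d\n", guard_can_be_unmapped());
    printf("guard replaceable via MAP_FIXED: %d\n", guard_can_be_replaced());
    return 0;
}
```

A result of 0 from either function means the kernel refused the operation, so the probe can serve as a regression check when evaluating a hardening patch.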