Indirection redirection memory

4/8/2023

Among the many changes merged for the 5.13 kernel is support for the LLVM control-flow integrity (CFI) mechanism. CFI defends against exploits by ensuring that indirect function calls have not been redirected by an attacker. Quite a bit of work was needed to make this feature work well for the kernel, but the result appears to be production-ready and able to defend Linux systems from a range of attacks.

The kernel depends heavily on indirect function calls - calls where the destination address is not known at compile time. Device drivers, filesystems, and other kernel subsystems interface with the generic, core code by providing functions to be called to carry out specific actions. When the time comes to, for example, open a file (which may be a special file corresponding to a device), the core kernel will make an indirect call to the appropriate open() function defined in the file_operations structure. Indirect function calls allow for a clean separation between generic and low-level code.

This mechanism is flexible and performs well, but it also makes those indirect calls into an attractive target for attackers. If an indirect call can be redirected to an attacker-chosen location, there are few limits to what can result. Changes over the years have made it hard for attackers to inject their own code into the kernel, but if they can force execution to an arbitrary location, that matters little. Note that an exploit need not redirect a call to the beginning of another function; it can be aimed at an arbitrary point within the kernel image.

CFI attempts to block this sort of exploit by restricting the possible targets for a corrupted indirect function call: the call must go to the beginning of an actual function, and the target function must have the same prototype as the caller was expecting.

Yes, you are paying the price for that extra check (the page-table lookup that virtual memory adds to every address). It's not just for pointer indirection, but any memory access (other than, say, DMA). However, the cost of the check is very small. While your process is running, the page table does not change very often. Parts of the page table will be cached in the translation lookaside buffer (TLB); accessing pages with entries in the buffer incurs no additional penalty. If your process accesses a page without a TLB entry, then the CPU must make an additional memory access to fetch the page table entry for that page.

You can see the effect of this in action by writing a test program. Give your test program a big chunk of memory and start randomly reading and writing locations in memory. Use a command line parameter to change the size.

- Above the L1 cache size, performance will drop due to L2 cache latency.
- Above the L2 cache size, performance will drop to RAM latency.
- Above the size of the memory addressed by the TLB, performance will drop due to TLB misses. (This might happen before or after you run out of L2 cache space, depending on a number of factors.)
- Above the size of available RAM, performance will drop due to swapping.
- Above the size of available swap space and RAM, the application will be terminated by the OS.

If your operating system allows "big pages", the TLB might be able to cover a very large address space indeed. Perhaps you can sabotage the OS by allocating 4k chunks from mmap, in which case the TLB misses might be felt with only a few megs of working set, depending on your processor.

However: the small performance drop must be weighed against the benefits of virtual memory, which are too numerous to list here.
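The test program described above, written out as an added example (this is not code from the original page or its author; the function name random_access_test, the xorshift generator, and the default sizes are my own choices). It takes the buffer size in MiB from the command line, zero-fills the buffer so that first-touch page faults are excluded from the timing, then performs random read-modify-write accesses and reports the average cost per access. Running it with 1, 8, 64, 1024 MiB and so on exposes the steps the text lists: L1 to L2, L2 to RAM, and the point at which the TLB no longer covers the working set.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/* xorshift64: a tiny reproducible PRNG, so the access pattern is identical on
 * every run and costs only a few cycles per step (rand() would add noise of
 * its own to the numbers we want to measure). */
static uint64_t xorshift64(uint64_t *state)
{
    uint64_t x = *state;
    x ^= x << 13;
    x ^= x >> 7;
    x ^= x << 17;
    return *state = x;
}

/* Read-modify-write `accesses` random 8-byte words in a buffer of `bytes`
 * bytes. Every page is written once before timing starts, so the measured
 * cost reflects cache and TLB behaviour rather than page-fault handling.
 * Returns a checksum (so the compiler cannot discard the work) and stores the
 * average nanoseconds per access in *ns_per_access when non-NULL. */
uint64_t random_access_test(size_t bytes, uint64_t accesses, double *ns_per_access)
{
    size_t words = bytes / sizeof(uint64_t);
    if (words == 0 || accesses == 0) {
        if (ns_per_access) *ns_per_access = 0.0;
        return 0;
    }
    uint64_t *buf = calloc(words, sizeof *buf);
    if (!buf) {
        perror("calloc");
        exit(EXIT_FAILURE);
    }
    /* Touch one word per 4 KiB page through a volatile pointer: calloc may
     * hand back lazily mapped pages, and the store cannot be optimised away. */
    volatile uint64_t *touch = buf;
    for (size_t i = 0; i < words; i += 512)
        touch[i] = 0;

    uint64_t seed = 0x9E3779B97F4A7C15ULL, sum = 0;
    struct timespec t0, t1;
    clock_gettime(CLOCK_MONOTONIC, &t0);
    for (uint64_t i = 0; i < accesses; i++) {
        size_t idx = (size_t)(xorshift64(&seed) % words);
        sum += buf[idx];      /* the read may miss in L1, L2, or the TLB */
        buf[idx] = sum ^ i;   /* the write hits the line just fetched */
    }
    clock_gettime(CLOCK_MONOTONIC, &t1);

    double ns = (double)(t1.tv_sec - t0.tv_sec) * 1e9
              + (double)(t1.tv_nsec - t0.tv_nsec);
    if (ns_per_access) *ns_per_access = ns / (double)accesses;
    free(buf);
    return sum;
}

/* Usage: ./memtest <MiB> [accesses]. Try 1, 8, 64, 1024, ... and watch the
 * ns/access figure climb at each cache, TLB-reach, and RAM boundary. */
int main(int argc, char **argv)
{
    size_t mib = argc > 1 ? (size_t)strtoull(argv[1], NULL, 10) : 64;
    uint64_t accesses = argc > 2 ? strtoull(argv[2], NULL, 10) : 20000000ULL;
    double ns = 0.0;
    uint64_t sum = random_access_test(mib << 20, accesses, &ns);
    printf("%zu MiB, %llu accesses: %.2f ns/access (checksum %016llx)\n",
           mib, (unsigned long long)accesses, ns, (unsigned long long)sum);
    return 0;
}
```

The boundaries you observe depend on the machine: the L1 and L2 sizes, the number of TLB entries times the page size, and whether transparent huge pages were used for the allocation, which is why the "big pages" remark above can move the TLB step far to the right.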
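Returning to the CFI discussion at the top of the page: the two rules it states (the target must be the start of a real function, and that function must have the prototype the call site expects) can be modelled in a few lines of C. The following is an added example and not the kernel's or LLVM's implementation; the names dev_open, fs_open, dev_release, open_targets, cfi_target_valid and guarded_open are constructed. Real Clang CFI generates the allowed-target set per function type at compile time and emits the check at every indirect call site; here the set is a hand-written array so the comparison is visible.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The prototype the core code expects at this call site (modelled on the
 * open() member of file_operations). */
typedef int (*open_fn)(const char *name);

/* Two legitimate open() implementations (constructed stand-ins for what a
 * driver or filesystem would register) and one function of another
 * prototype, which must never be reachable through an open_fn call. */
static int dev_open(const char *name) { return (name && name[0]) ? 1 : -1; }
static int fs_open(const char *name)  { (void)name; return 2; }
static void dev_release(void)         { }

/* Constructed allow-list of valid targets for the open_fn prototype. LLVM
 * CFI derives this set from the function types in the program; the check
 * below only needs to ask "is the target one of these?". */
static const open_fn open_targets[] = { dev_open, fs_open };

/* Both CFI rules in one test: an address is valid only if it is the start of
 * a function of the expected type. A pointer into the middle of dev_open, or
 * to dev_release (wrong prototype), is not in the set and is rejected. */
int cfi_target_valid(open_fn target)
{
    for (size_t i = 0; i < sizeof open_targets / sizeof open_targets[0]; i++)
        if ((uintptr_t)open_targets[i] == (uintptr_t)target)
            return 1;
    return 0;
}

/* Guarded indirect call: control is transferred only to a validated target.
 * The kernel's CFI reports a violation instead of completing the call; here
 * the caller gets -1 and *violation set, so the outcome can be inspected. */
int guarded_open(open_fn target, const char *name, int *violation)
{
    if (!cfi_target_valid(target)) {
        *violation = 1;
        return -1;
    }
    *violation = 0;
    return target(name);
}

/* The two kinds of invalid target the text describes: a function of the
 * wrong prototype, and an address inside a function rather than its start.
 * These pointers are only compared against the allow-list, never called. */
open_fn wrong_prototype_target(void) { return (open_fn)(uintptr_t)dev_release; }
open_fn mid_function_target(void)    { return (open_fn)((uintptr_t)dev_open + 1); }

int main(void)
{
    int v, r;
    r = guarded_open(dev_open, "tty0", &v);
    printf("dev_open      -> ret %d, violation %d\n", r, v);
    r = guarded_open(wrong_prototype_target(), "tty0", &v);
    printf("dev_release   -> ret %d, violation %d\n", r, v);
    r = guarded_open(mid_function_target(), "tty0", &v);
    printf("dev_open + 1  -> ret %d, violation %d\n", r, v);
    return 0;
}
```

The point of the model is what the check is keyed on: not "is this address inside the kernel image" but "is this address the entry of a function whose type matches". That is why CFI shrinks the set of useful destinations for a corrupted pointer to the handful of functions that were legitimately meant to be called there, at the cost of one lookup per indirect call.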