from Hacker News

Fun with Gentoo: Why don't we just shuffle those ROP gadgets away?

by crtxcr on 1/26/23, 2:57 PM with 80 comments

  • by atlgator on 1/26/23, 8:36 PM

    I remember my Gentoo days freshman year in college. I spent more time compiling updates than actually using the computer.

  • by jchw on 1/26/23, 4:35 PM

    I like this idea. I have an idea for something that would be cool, if impractical: Imagine a GCC wrapper that doesn't actually link, but produces a bundle that performs the linking in randomized order in realtime and then runs.

    I think that you could do this quite well on NixOS, and I'm now intrigued to try to rig up a proof-of-concept when I can find the time.

    Side-effect: Does not work for libraries without a significantly more complex wrapper that certainly could not work for all libraries. Though, you could re-order the objects within a static library fairly easily.

  • by vlovich123 on 1/26/23, 3:35 PM

    I wonder if just shuffling it on every release (even minor) isn’t sufficient (and actually even publishing that order). That doesn’t have full security benefit (attackers have a finite set of options) but keeps reproducible builds and the ability to distribute pre-linked binaries while raising the attack complexity significantly since no two machines are likely running the exact same version. That means an exploit has to try several different versions. Taking this a step further, create link N randomly sorted copies per version and randomly distribute those. Now the space to search through is large and the probability of picking the correct gadget variant goes down with 1/MN where there are M releases being attacked and N variants per release that might be installed (a targeted attack or an attack of a specific version only gets 1/N). Additionally, deterministic builds maintain your ability to audit binaries and their providence fairly easily (only grows linearly) while the risk of noticing the attempt without a successful exploit is N-1/N.

    I’m not saying it’s perfect but it seems like a reasonable defense for binary distribution. As someone who used to run Gentoo, I’d say most people are in favor of the faster times to install a new package.

    EDIT: extending this idea further, I wonder if compilers can’t offer a random seed to supply that causes a random layout of the sections within a built execution so that even statically linked binaries benefit from this.

  • by somat on 1/26/23, 4:19 PM

    Openbsd also puts a fair amount of work into removing ROP gadgets.

    For example.

    https://marc.info/?l=openbsd-cvs&m=152824407931917

  • by ShredKazoo on 1/27/23, 3:18 AM

    Lack of reproducible builds seems like a big cost here.

    I wonder if there's a way to do just-in-time random relinking such that the performance cost is low, but the security benefit is still strong.

    Just-in-time gets you reproducible builds, and also addresses the "local attackers who can read the binary or library" problem.

    There would be a performance cost in terms of startup time, but since the number of possible permutations is a factorial function of the number of possible linking orders, it seems like even a very coarse-grained random relinking can go a long way.

    You could accomplish this by doing static analysis of a binary to generate a file full of hints for ways to rewrite the binary such that its behavior is provably equivalent to the original. Then there could be a wrapper (perhaps at the shell or OS level) which uses the hints to randomly relink on the fly just prior to execution.

    Another advantage is that this approach should be feasible on an OS like Ubuntu where everything is precompiled.

    However the static analysis part could be a little tricky? I'm not familiar with the state of the art in static analysis of compiled binaries.

    Performance-sensitive users could be given a way to turn the feature off, in cases where fast startup time was more important than security.

  • by phkahler on 1/26/23, 3:23 PM

    >> As a side-effect, reproducible builds, which this technique breaks, are less of a concern anyway (because you've compiled your system from source).

    Reproducible builds verify the source code and build process (including options) were the same. Not sure how important each aspect is.

    Also, if for some reason you rebuild a dependency, you'll need to relink everything that depends on that. This could get messy, but it's still interesting.

  • by frankjr on 1/26/23, 6:11 PM

    I'm guessing "dev-libs/openssl shuffleld" should go into "/etc/portage/package.env" instead (in the appendix).

  • by lucideer on 1/26/23, 3:18 PM

    > The potential issue comes from the assumption that all .o files will be given continuously in the command line. The assumption appear to hold, but could blow up down the road. But well, it's hack.

    Other than this issue (which may well be a large / unsolvable one), I wonder what other disadvantages to this approach there might be. Does this hack have any potential for a Gentoo profile or mainlining?

  • by matzf on 1/26/23, 5:41 PM

    Don't try this with C++, unless you're certain that there are no interdependencies or side-effects in global variable initialisation. The link order (usually) affects the order in which initialisers are executed.

  • by gigel82 on 1/27/23, 1:49 AM

    How does this work with dynamic libraries (shared objects). In Windows land, you get a .lib with a .dll and afaik that has hardcoded function addresses. You statically link the "import library" .lib with your exe, so if you randomize the function addresses and rebuild just the .dll later, it blows up (you need to rebuild all exes as well).

    Is dynamic linking in Unix world truly runtime-only (a-la "GetLibrary" / "GetProcAddress")?

  • by hermitdev on 1/26/23, 5:12 PM

    One gap to this approach: gcc can use argument files (pass a file that contains the actual arguments). I've only really seen this with build systems that expect to work on large numbers of arguments that will not fit on the command line. Still, something to be aware of.

  • by yazzku on 1/26/23, 11:45 PM

    Deep feels from that web design. Simple, aesthetic, functional.

  • by ngneer on 1/27/23, 2:07 AM

    Why not prevent control transfer to the ROP gadget?

  • by kwhitefoot on 1/26/23, 5:42 PM

    ROP gadgets?