mirror of
https://github.com/RGBCube/serenity
synced 2025-07-25 16:47:36 +00:00
Base: Document readonly atexit mitigation
This commit is contained in:
parent
f2ce751a32
commit
a59fc324bd
1 changed files with 23 additions and 0 deletions
|
@ -74,6 +74,29 @@ Date: Mon Jan 20 22:12:04 2020 +0100
|
|||
Kernel: Add a basic implementation of unveil()
|
||||
```
|
||||
|
||||
### Readonly atexit
|
||||
|
||||
[Readonly atexit](https://isopenbsdsecu.re/mitigations/atexit_hardening/) is a mitigation originating from OpenBSD.
|
||||
Thanks to it, an attacker can no longer use the atexit region to escalate from arbitrary-write to code-execution.
|
||||
|
||||
It was first added in the following [commit](https://github.com/SerenityOS/serenity/commit/553361d83f7bc6499dc4821eff9b23a6549bd99c),
|
||||
and was later [improved](https://github.com/SerenityOS/serenity/commit/fb003d71c2becf0b3ea148aad08642e5a7ea35bc)
|
||||
to incur no additional cost during program initialization and finalization:
|
||||
|
||||
```
|
||||
commit 553361d83f7bc6499dc4821eff9b23a6549bd99c
|
||||
Author: Andreas Kling <kling@serenityos.org>
|
||||
Date: Sat Jan 30 10:34:41 2021 +0100
|
||||
|
||||
LibC: Protect the atexit() handler list when not writing to it
|
||||
|
||||
Remap the list of atexit handlers as read-only while we're not actively
|
||||
writing to it. This prevents an attacker from using a memory write
|
||||
primitive to gain code execution via the atexit list.
|
||||
|
||||
This is based on a technique used in OpenBSD. :^)
|
||||
```
|
||||
|
||||
### Syscall call-from verification
|
||||
|
||||
[Syscall call-from verification](https://marc.info/?l=openbsd-tech&m=157488907117170&w=2) is
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue