| Secure Lazy Binding | Slide #30 |
pass a per-process cookie
kernel saves value from first call in struct process, ps_kbind_cookie
mismatch in later call? sigexit(SIGILL)
variable placed in PT_OPENBSD_RANDOMIZE segment, filled with random bytes by kernel
_dl_bind() loads the cookie before calculating the GOT/PLT changes to pass to the kernel
attacker can't use ld.so's "load the cookie" code with its own changes
...but the variable's address is at a static offset within ld.so memory
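
Added example (not from the slides or the OpenBSD source): a userland C model of the save-on-first-call cookie check described above. Only `ps_kbind_cookie` comes from the slide; `cookie_saved` and `kbind_check_cookie()` are hypothetical names, and the cookie value is constructed.

```c
/* Userland model of the check on this slide; NOT OpenBSD kernel code. */
#include <signal.h>
#include <stdint.h>
#include <stdio.h>

/* ps_kbind_cookie is the field named on the slide. cookie_saved is a
 * hypothetical flag meaning "a first call has already been seen". */
struct process {
	int64_t ps_kbind_cookie;
	int     cookie_saved;
};

/* Returns 0 if the call may proceed, or the signal the process would be
 * killed with (the slide's sigexit(SIGILL)) on a mismatch. */
static int
kbind_check_cookie(struct process *pr, int64_t proc_cookie)
{
	if (!pr->cookie_saved) {
		/* First call: save the value for all later comparisons. */
		pr->ps_kbind_cookie = proc_cookie;
		pr->cookie_saved = 1;
		return 0;
	}
	/* Later calls: any other value is fatal. A separate flag is used
	 * because 0 is a valid random cookie; treating 0 as "unset" would
	 * let a later call replace the saved value. */
	if (pr->ps_kbind_cookie != proc_cookie)
		return SIGILL;
	return 0;
}

int
main(void)
{
	struct process pr = { 0, 0 };
	/* Constructed value standing in for the kernel-supplied random bytes. */
	const int64_t cookie = 0x5eedc0ffee123457LL;

	printf("first call:   %d\n", kbind_check_cookie(&pr, cookie));
	printf("same cookie:  %d\n", kbind_check_cookie(&pr, cookie));
	printf("wrong cookie: %d (SIGILL=%d)\n",
	    kbind_check_cookie(&pr, cookie ^ 1), SIGILL);
	return 0;
}
```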
| EuroBSDCon 2014 | Copyright © 2014 Philip Guenther |