Secure Lazy Binding | Slide #31 |
pass a per-thread cookie and its address
kernel saves value from first call in each thread in struct proc, p_kbind_cookie
mismatch in later call? sigexit(SIGILL)
generate new value and copy it out to supplied address
reserve space for the cookie in TCB
problems:
have to (finally...) push TCB management code into ld.so
cookie is easy to find; lots of code in libpthread has to access it, probably plenty of ROP gadgets
probably will remove
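As an added illustration (not code from the talk or from OpenBSD), a small C model of the cookie protocol on this slide: the kernel records the first cookie a thread presents in a struct proc field, refuses later calls that present a different value with SIGILL, and on each accepted call generates a fresh value and copies it out to the supplied TCB address. Apart from p_kbind_cookie and SIGILL, the names are assumptions, and the random source is a deterministic stand-in.

```c
#include <signal.h>
#include <stdint.h>

/* Model of the slide's struct proc field; the flag marks "no kbind call yet". */
struct proc {
    int      kbind_cookie_set;
    uint64_t p_kbind_cookie;
};

/* Deterministic stand-in (constructed) for the kernel's random source; this
 * LCG has no fixed point, so the cookie always changes. */
static uint64_t fresh_cookie(uint64_t prev)
{
    return prev * 6364136223846793005ULL + 1442695040888963407ULL;
}

/* Kernel side of the check; ld.so passes the TCB cookie and its address.
 * Returns 0 to continue the binding, SIGILL where the slide says sigexit(SIGILL). */
int kbind_check(struct proc *p, uint64_t cookie, uint64_t *cookie_addr)
{
    if (!p->kbind_cookie_set) {               /* first call: record the value */
        p->p_kbind_cookie = cookie;
        p->kbind_cookie_set = 1;
    } else if (cookie != p->p_kbind_cookie) { /* later call with a wrong value */
        return SIGILL;
    }
    p->p_kbind_cookie = fresh_cookie(p->p_kbind_cookie); /* generate new value */
    *cookie_addr = p->p_kbind_cookie;                    /* copy it out */
    return 0;
}

/* Three legitimate calls from the thread's own TCB slot, then one call that
 * guessed the cookie wrong. Returns the signal the wrong call drew, or -1 if a
 * legitimate call was refused or the cookie failed to rotate. */
int demo(void)
{
    struct proc p = { 0, 0 };
    uint64_t tcb_cookie = 0x1234;             /* the TCB slot; constructed start value */
    for (int i = 0; i < 3; i++) {
        uint64_t before = tcb_cookie;
        if (kbind_check(&p, tcb_cookie, &tcb_cookie) != 0 || tcb_cookie == before)
            return -1;
    }
    /* Any code able to read the TCB slot would pass this check; that is the
     * slide's "easy to find" problem. */
    return kbind_check(&p, tcb_cookie ^ 1, &tcb_cookie);
}
```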
EuroBSDCon 2014 | Copyright © 2014 Philip Guenther |