Hi!

On Fri, Sep 11, 2020 at 03:14:57PM -0500, Qing Zhao wrote:
> My understanding of how this scheme helps ROP is: the attacker usually uses
> scratch registers to pass

Help obstruct ROP ;-)

> parameters to the sys call in the gadget, if clearing the scratch registers
> immediately before "ret", then
> the parameters that are passed to the sys call will be destroyed, therefore, the
> attack will likely fail.

But you do not need more than one non-zero argument for execv*, and that is
usually the same register as the normal return value register; all other
registers *should* be zero for a simple execv*("/bin/sh", ...)!

(There is also the system call number register, rax on x86-64, but if
overwriting that would be at all effective, you could just do that one always
and everywhere. This is only an effective defence if there are no gadgets that
do the system call an attacker wants, and he has to construct that sequence
himself; but it is very effective and cheap then).


Segher