Sure, thank you for your patient response. I will continue to refine my work and attempt to develop some countermeasures against ROP mitigation. If there's good news, I will contact OpenBSD again! By the way, the first idea I provided, which is "Zeroing registers before function returns," has already been applied by GCC and CLANG in one of their compiler flags. You might consider some of those approaches because, in my evaluation of their mitigation effectiveness, they reduced the number of gadgets in programs by an average of 60%. Here's the commit <https://github.com/gcc-mirror/gcc/commit/d10f3e900b0377b4760a090b0f90371bcef01686> related to this mechanism for you to look at.
Best regards,
ZoE

Theo de Raadt <dera...@openbsd.org> wrote on Fri, 13 Oct 2023 at 00:21:
> > We would like to collaborate with OpenBSD in researching how to reduce
> > the number of gadgets and increase the difficulty of using gadgets.
>
> I think I've vaguely explained how that works.
>
> All the mitigation efforts went like this:
>
> 1) come up with an idea
> 2) write a complete working prototype
> 3) test the change in simple demonstration programs
> 4) next, test it in *ALL THE UPSTREAM CODE IN THE UNIVERSE*
>    a) evaluate if the idea is viable
>       i) performance
>       ii) measurably increasing resistance
>       iii) extremely low false positive problems
>    If these metrics are not satisfied, throw away idea or go back to 2)
>    b) fix ALL false positives in upstream code
>
> In earlier emails you mentioned 3 ideas, but didn't make it beyond step 1.
>
> > However, our efforts can increase the difficulty of ROP
> > attacks, which is meaningful
>
> I am not going to help with steps 2+, because I have other cross-platform
> mitigations already in development and don't have time to do work on other
> people's theories.
>
> Most importantly, I care more about solutions that improve fixed-length
> instruction architectures, where polymorphic ROP isn't a concern.
>
> If I sound flippant, it is because I've spent decades working on
> mitigations which help even when amd64 ROP remains possible, and your
> first step was to disable them, bypass them, and most significantly --
> failed to mention that you gutted the mitigation group.
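The message above points at the GCC commit that introduced register zeroing before return. As an added example (not part of this thread, and not code from OpenBSD or the GCC project), the shell script below shows the two checks a build maintainer would want before relying on that mitigation: whether the local compiler accepts the flag at all, and what the function epilogue actually looks like once it is enabled. It assumes a C compiler reachable as `cc` (or the name passed as the first argument) and, for the disassembly step, an `objdump` on the PATH; the flag name `-fzero-call-used-regs` and the `used-gpr` mode are the real GCC/Clang spelling, everything else (file names, the sample function) is constructed here.

```shell
#!/bin/sh
# Probe whether the toolchain supports zeroing call-used registers on return,
# and show the epilogue it emits so the effect can be verified by eye.

# Returns the string "supported" or "unsupported" on stdout.
# $1: compiler to test (hypothetical default: cc)
probe_zero_call_used_regs() {
    cc="${1:-cc}"
    tmp="$(mktemp -d)" || return 1
    # Constructed sample: a leaf function that leaves values in scratch registers.
    cat > "$tmp/f.c" <<'EOF'
int f(int a, int b) { return a * b + 1; }
EOF
    if "$cc" -O2 -fzero-call-used-regs=used-gpr -c "$tmp/f.c" -o "$tmp/f.o" 2>/dev/null; then
        echo supported
    else
        echo unsupported
    fi
    rm -rf "$tmp"
}

# Disassemble the same function with and without the flag so the extra
# register-clearing instructions before the final return are visible.
# Prints nothing (and returns 0) when the compiler or objdump is unavailable.
show_epilogue_diff() {
    cc="${1:-cc}"
    command -v objdump >/dev/null 2>&1 || return 0
    tmp="$(mktemp -d)" || return 1
    cat > "$tmp/f.c" <<'EOF'
int f(int a, int b) { return a * b + 1; }
EOF
    "$cc" -O2 -c "$tmp/f.c" -o "$tmp/plain.o" 2>/dev/null || { rm -rf "$tmp"; return 0; }
    "$cc" -O2 -fzero-call-used-regs=used-gpr -c "$tmp/f.c" -o "$tmp/zeroed.o" 2>/dev/null \
        || { rm -rf "$tmp"; return 0; }
    echo "== without flag =="
    objdump -d "$tmp/plain.o" | sed -n '/<f>:/,$p'
    echo "== with -fzero-call-used-regs=used-gpr =="
    objdump -d "$tmp/zeroed.o" | sed -n '/<f>:/,$p'
    rm -rf "$tmp"
}

# Stand-alone usage: report support, then show the epilogues when possible.
if [ "${0##*/}" = "zero_regs_probe.sh" ]; then
    probe_zero_call_used_regs "${1:-cc}"
    show_epilogue_diff "${1:-cc}"
fi
```

On a supporting compiler the second listing ends with explicit clears of the general-purpose registers the function touched, immediately before the return instruction; on an older compiler the probe reports `unsupported`, which is the signal to upgrade the toolchain rather than assume the mitigation is present.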