Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Sounds like libraries should only get to patch themselves.

(Some difficulty with this one though. For instance you probably have to ban running arbitrary code at load time, but you should do this anyway because it will stop people from writing C++.)



They're all in a single address space, there's nothing you can do to stop one part of a binary patching any other part.


I already said the way to do it in my previous comment. Don't let arbitrary code run before page permissions are locked down.


If you're running in the binary you can call mprotect(2), and even if that is blocked you can cause all kinds of mischief. The original motivation for rings of protection on i286 was so that libraries could run in a different ring from the binary (usually library in ring 2 and program in ring 3), using a call gate (a very controlled type of call) to dispatch calls from the binary to the library, which stops the binary from modifying the library and IIRC libraries from touching each other. But x86-64 got rid of the middle rings.


> If you're running in the binary you can call mprotect(2)

Darwin doesn't let you make library regions writable after dyld is finished with them. (Especially iOS where codesigning also prevents almost all other ways to get around this.)

Something like OpenBSD pledge() can also revoke access to it in general.

> But x86-64 got rid of the middle rings.

x86 is a particularly insecure architecture but there's no need for things to be that way. That's why I mentioned PAC, which prevents other processes (including the kernel) from forging pointers even if they can write to another process's memory.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: