A colleague pointed out that FPAC[1] in ARMV8.6-A likely prevents this attack, is that right?
I haven't fully digested the paper, but the gadgets seem to rely on AUT, and "Implementations with FPAC generate an exception on an AUT* instruction where the PAC is incorrect"
Bunnie Huang gave an excellent talk on this subject at BlueHat IL 2019 that goes very deep, including showing technical details of how attacks like this can be pulled off. Well worth the 45 minutes - https://www.bunniestudios.com/blog/?p=5519
Agree re: canaries, but when I learned about ROP I was told that ASLR typically is not employed on the text segment (due to lack of position independence) which is why ROP effectively acts a bypass for ASLR on the stack / heap and why we need things like control flow enforcement. Is this not the case or no longer the case?
Gcc these days compiles with -pie (Position Independent Executable) by default. This makes the text section position independent and able to be relocated, like a shared library.
You are correct that the main TEXT section used to typically not be position independent.
Windows uses relocations, not PIC, to enable different load addresses. That means the image in memory has its self references patched by adding the difference between compiled in load address and runtime load address. System DLLs can still share code with one another as long as they share the same load address in different processes for that reboot of the operating system.
Historically EXEs were either linked without relocations or had relocations stripped. They were always loaded first so ended up where they wanted, no relocation necessary. But /dynamicbase flag to linker opts in to setting a bit in the PE header and retaining relocations, so the EXE can be loaded elsewhere.
TL;DR: Windows supports ASLR on both executables and dynamic libraries.
There are limitations in sharing text segments in different processes, and extra memory usage mapping in text segments so relocations can be, uh, relocated, but once running there is no additional performance overhead. The runtime image is effectively "self-modified code" by the OS loader, patched to final addresses. No PIC register, no indirect references.
Right. You've described the performance impact: a ton of relocations hurts startup time, and the modified memory reduces sharing, costing additional memory. If startup time does not matter and memory is free, sure, it has no costs.
Diana can't just "decide to take her profits" at whatever price she'd like. If she wants $1m but Charlie isn't interested, she will have to lower her price until he is. This is how exchanges work, cryptocurrency or otherwise. If a stock falls to zero, do you think that Etrade dips into its own assets to provide an "off ramp" to its customers that weren't able to sell in time?
You're essentially saying that the exchange should artificially prop up the price of bitcoin with its own money during a panic.
https://jobs.netflix.com/jobs/294103648
"The overall market range for roles in this area of Netflix is typically $180,000 - $900,000."