Friday, May 02, 2008

Self Protecting GOT

I had some time to kill over the past few days and I wanted to explore an idea I had a few months ago. The idea is to protect the ELF GOT (Global Offset Table) (and other segments of memory) from userland without the support of 'relro' functionality now found in the GNU dynamic linker. I accomplished it through techniques such as linker script modification and constructor functions. No kernel modifications are needed and I have tested it on a semi large project (Snort IDS).

You can find the draft version 1.1 of my writeup here. If you find any mistakes let me know and I will fix them.

5 comments:

Anonymous said...

Very interesting post, you should post more instead of so sporadically!

Anonymous said...

I didn't read it in its entirety so theres probably typos and such that I didn't see, but the general concept is sound and methodology is as well, although I'd probably implement it as a patch to the loader myself-- that way you're not doing runtime permission changes, and can avoid parsing the header all together, but thats just me

Chris Rohlf said...
This comment has been removed by the author.
Chris Rohlf said...

@blound

I try to post when I have something to say. There lots of security blogs out there with a lot better commentary than I.

@jf

I wanted to keep it all in userland. That way you can still protect your process, even if you don't control the box.

Unknown said...

The bitmask you use in your constructor method (0xfffff000), doesn't this assume that the page size will always be 4096 bytes? If so, what's the point of looking up the page size with the sysconf function if you ignore any other value than 4096 anyway? :-)