A later entry in DEC's PDP6/10/20 series had a feature aimed at protecting proprietary software components. A jump to an execute-only page had to go to a special instruction, I think "JRST 1,". This let the proprietary software mark the allowed entry points.

Rich

------ Quoting Henry Baker <hbaker1@pipeline.com>:
Address space layout randomization helps, but only slows down the attacker. If the attacker can do "memory scraping", which is normally quite easy if the attacker can gain read access, then the attacker need only search memory to find all of his widgets, and then use a "relocatable loader" for his malware.
Apparently, the most recent attack on Target, Neiman-Marcus, etc., credit cards utilized "memory scraping".
In any case, I found it very cool that hackers had inadvertently discovered the techniques of "threaded code interpreters" (utilized in Forth implementations) in order to implement "return-oriented programming".
Protecting instruction memory from reading may help a lot, but this may require new memory layouts which separate read-only constants (which must live in "read-only" but not "executable" pages) from instructions (which must live in "execute-only" pages).
Also, instructions could be tagged in such a way that only instructions with certain tags can be "jumped to", and only instructions with other tags can be "called". This would eliminate the ability to utilize subroutine "tails" for widgets.
Unfortunately, even with these constraints, any sufficiently large set of subroutine libraries will still have a Turing-complete set of widgets. In particular, a Forth implementation will certainly contain such a set, since that's the way Forth is implemented already!
It's clear that the only way to stop such "return-oriented programming" is to severely limit the access of most programs to most libraries.
At 12:54 PM 1/26/2014, Jon Ziegler wrote:
Address space layout randomization effectively prevents this sort of attack on most(?) modern operating systems. See: http://en.wikipedia.org/wiki/Address_space_layout_randomization

Biological entities have a harder time, although there are some instances of science fiction that posit defense mechanisms.
Regards, Jon
On Jan 26, 2014, at 10:52 AM, Henry Baker <hbaker1@pipeline.com> wrote:
Consider the plight of a virus in a biological system....
...To reduce the number of bits that the virus has to carry, the virus relies on intimate knowledge of the existing host's own DNA & RNA, so that it can "repurpose" various DNA & RNA subsequences for its own uses....
...Modern computer viruses can do the same thing that biological viruses can do: find _existing_ bit sequences & repurpose them for the virus's own computation....
...Unfortunately, return-oriented programming is not just a theoretical construct, but a very real mechanism by which modern computer viruses and worms can take over a machine....
_______________________________________________ math-fun mailing list math-fun@mailman.xmission.com http://mailman.xmission.com/cgi-bin/mailman/listinfo/math-fun
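As an added illustration of the entry-point tagging discussed above (Henry Baker's "jumped to" vs. "called" tags, and the marked entry instruction Rich recalls), here is a toy policy checker; it is not code from the thread, and the instruction stream, addresses and tag names are constructed for the example, not a real ISA.

```python
"""Toy model of tagged control-transfer targets.

Each instruction in a tiny address space carries a tag. An indirect
transfer is permitted only when the target carries the tag matching the
transfer kind: an indirect CALL may land only on a CALL_ENTRY, an indirect
JUMP only on a JUMP_ENTRY. Untagged instructions, such as the tail of a
subroutine just before its RET, are never valid indirect targets, which is
what removes subroutine tails from the pool of usable "widgets".
Assumption: this is a simplified model, not any real hardware scheme.
"""
from dataclasses import dataclass
from enum import Enum, auto


class Tag(Enum):
    PLAIN = auto()        # ordinary instruction: never an indirect target
    CALL_ENTRY = auto()   # legitimate subroutine entry point
    JUMP_ENTRY = auto()   # legitimate jump target (e.g. a dispatch label)


@dataclass(frozen=True)
class Insn:
    addr: int
    text: str
    tag: Tag = Tag.PLAIN


# Constructed sample "library": one subroutine whose ret-terminated tail
# would be attractive to an attacker, and one label that jumps may reach.
LIBRARY = [
    Insn(0x100, "push rbp", Tag.CALL_ENTRY),    # subroutine entry
    Insn(0x101, "mov rbp, rsp"),
    Insn(0x102, "pop rdi"),                     # tail: untagged
    Insn(0x103, "ret"),
    Insn(0x200, "mov rax, 1", Tag.JUMP_ENTRY),  # dispatch-table target
    Insn(0x201, "ret"),
]

REQUIRED = {"call": Tag.CALL_ENTRY, "jump": Tag.JUMP_ENTRY}


def check_transfer(kind: str, target: int, code=LIBRARY) -> bool:
    """Return True if an indirect transfer of `kind` may land on `target`."""
    by_addr = {i.addr: i for i in code}
    insn = by_addr.get(target)
    if insn is None:          # not an instruction boundary at all
        return False
    return insn.tag is REQUIRED[kind]


def audit(transfers, code=LIBRARY):
    """Map each (kind, target) pair to whether the policy allows it."""
    return {(k, t): check_transfer(k, t, code) for k, t in transfers}
```

Running `audit([("call", 0x100), ("call", 0x102)])` shows the proper entry accepted and the subroutine tail rejected, the effect the tagging proposal aims for.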