I just stumbled upon the fact that Debian doesn't yet make use of the
Intel CET security feature, while many other distributions
(Ubuntu, Fedora, Suse, Arch Linux) do.

The idea is to insert endbr instructions
(which are just NOPs on older CPUs) at the beginning
of functions to identify valid call targets to mitigate
ROP attacks.

You can do a quick test with
objdump -d /usr/bin/mv | grep endbr | wc -l
which outputs a nonzero number if the feature is used.

It's indeed nonzero on my testing and sid machines, with coreutils 8.32-4.1.

On 2022-09-05 22:44:52 +0200 (+0200), Felix Potthast wrote:
> I just stumbled upon the fact that Debian doesn't yet make use of
> the Intel CET security feature, while many other distributions
> (Ubuntu, Fedora, Suse, Arch Linux) do.
[...]

Forgive me if this is a dumb question, but were you running on a
Linux 5.18 kernel when you tested this? The default kernel on the
current Debian release is too old to support it, but there is a 5.18
kernel in the bullseye-backports suite. This is from my workstation
running a relatively up to date Debian unstable booted on a 5.18.x
kernel, as you can see:
fungi@dhole:~$ uname -v
#1 SMP PREEMPT_DYNAMIC Debian 5.18.14-1 (2022-07-23)
fungi@dhole:~$ objdump -d /bin/mv | grep endbr | wc -l
2
fungi@dhole:~$ objdump -d /bin/mv | grep endbr
4230: f3 0f 1e fa endbr64
4270: f3 0f 1e fa endbr64
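
Added example, not from any message in this thread: the endbr count above comes from disassembly, while the marker the linker records for CET is the x86 feature property in the GNU property note, which `readelf -n` prints. This Python reads that property from an ELF64 image; `cet_features`, `parse_property_note` and `build_sample` are names chosen here, and the sample image is constructed.

```python
import struct, sys
from pathlib import Path

PT_GNU_PROPERTY = 0x6474E553             # program header pointing at the property note
NT_GNU_PROPERTY_TYPE_0 = 5               # note type, owner name "GNU"
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
FEATURES = {"IBT": 0x1, "SHSTK": 0x2}    # indirect branch tracking, shadow stack

def cet_features(elf):
    """Return the subset of {'IBT', 'SHSTK'} a little-endian ELF64 image declares."""
    if elf[:6] != b"\x7fELF\x02\x01":
        raise ValueError("expected a little-endian ELF64 image")
    phoff, = struct.unpack_from("<Q", elf, 32)             # e_phoff
    phentsize, phnum = struct.unpack_from("<HH", elf, 54)  # e_phentsize, e_phnum
    for i in range(phnum):
        base = phoff + i * phentsize
        p_type, _flags, p_offset = struct.unpack_from("<IIQ", elf, base)
        p_filesz, = struct.unpack_from("<Q", elf, base + 32)
        # Assumption: the linker emitted a PT_GNU_PROPERTY segment for the note.
        if p_type == PT_GNU_PROPERTY:
            return parse_property_note(elf[p_offset:p_offset + p_filesz])
    return set()                         # no property segment: nothing declared

def parse_property_note(note):
    namesz, descsz, ntype = struct.unpack_from("<III", note, 0)
    if ntype != NT_GNU_PROPERTY_TYPE_0 or note[12:12 + namesz] != b"GNU\0":
        return set()
    pos = 12 + ((namesz + 3) & ~3)       # descriptor starts after the padded name
    end = pos + descsz
    bits = 0
    while pos + 8 <= end:                # walk the (type, size, data) property entries
        pr_type, pr_datasz = struct.unpack_from("<II", note, pos)
        if pr_type == GNU_PROPERTY_X86_FEATURE_1_AND and pr_datasz == 4:
            bits, = struct.unpack_from("<I", note, pos + 8)
        pos += 8 + ((pr_datasz + 7) & ~7)  # ELF64 pads each entry to 8 bytes
    return {name for name, bit in FEATURES.items() if bits & bit}

def build_sample(bits):
    """Constructed minimal ELF64 image: header, one program header, one note."""
    prop = struct.pack("<III4x", GNU_PROPERTY_X86_FEATURE_1_AND, 4, bits)
    note = struct.pack("<III4s", 4, len(prop), NT_GNU_PROPERTY_TYPE_0, b"GNU\0") + prop
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9)
    ehdr += struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_PROPERTY, 4, 120, 120, 120,
                       len(note), len(note), 8)
    return ehdr + phdr + note

if __name__ == "__main__":
    data = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else build_sample(0x3)
    print(sorted(cet_features(data)))
```

Run it with a path such as /usr/bin/mv to inspect a real binary; with no argument it parses the constructed sample.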

On Mon, 2022-09-05 at 22:44 +0200, Felix Potthast wrote:
> I just stumbled upon the fact that Debian doesn't yet make use of the
> Intel CET security feature, while many other distributions
> (Ubuntu, Fedora, Suse, Arch Linux) do.

Allegedly Intel CET provides weak protection, although perhaps it
improved since the 2016 analysis by grsecurity folks: https://grsecurity.net/effectiveness_of_intel_cet_against_code_reuse_attacks