
Comment by blkhp19

5 years ago

Perhaps a dumb question, but why don't things like signed pointers prevent this? Are they just not that good of a security measure?

The article explains bypassing exactly this (PA/PAC).

> Vulnerability discovery remains a fairly linear function of time invested. Defeating mitigations remains a matter of building a sufficiently powerful weird machine. Concretely, Pointer Authentication Codes (PAC) meant I could no longer take the popular direct shortcut to a very powerful weird machine via trivial program counter control and ROP or JOP. Instead I built a remote arbitrary memory read and write primitive which in practise is just as powerful and something which the current implementation of PAC, which focuses almost exclusively on restricting control-flow, wasn't designed to mitigate.

Signed pointers are just a mitigation. With enough time to find other primitives/constructs (from less severe but more common bugs) you will work around them.
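The scope point made above, that pointer authentication checks control-flow pointers but leaves plain data untouched, can be seen in a toy model. The code below is an added illustration, not from this thread or the quoted article: the signing scheme (a truncated HMAC, not ARMv8.3's QARMA), the 32/32 split of a 64-bit word, the key, the code addresses and the object layout are all constructed for the demo.

```python
import hmac
import hashlib

# Toy model of pointer authentication (constructed for illustration; it is not
# the ARMv8.3 PAC algorithm, which uses QARMA and far fewer tag bits).
ADDR_BITS = 32                      # assumed: low 32 bits carry the address
ADDR_MASK = (1 << ADDR_BITS) - 1
KEY = b"constructed-demo-key"       # stands in for the per-process key the attacker cannot read

def pac(addr, context):
    """Sign an address: a truncated MAC over (address, context) goes in the top bits."""
    assert 0 <= addr <= ADDR_MASK
    msg = addr.to_bytes(8, "little") + context.to_bytes(8, "little")
    tag = int.from_bytes(hmac.new(KEY, msg, hashlib.sha256).digest()[:4], "little")
    return (tag << ADDR_BITS) | addr

def aut(signed, context):
    """Authenticate before use; a mismatch is a fault in real hardware."""
    addr = signed & ADDR_MASK
    if pac(addr, context) != signed:
        raise RuntimeError("pointer authentication failed")
    return addr

# Constructed "process": a table of code addresses and one heap object whose
# function pointer is signed with the object's own address as the context.
CODE = {0x1000: lambda: "greeting", 0x2000: lambda: "privileged action"}
OBJ_ADDR = 0x7000                   # assumed address of the object

def make_object(handler_addr, is_admin=False):
    return {"handler": pac(handler_addr, OBJ_ADDR), "is_admin": is_admin}

def dispatch(obj):
    """Indirect call through a signed pointer: this is what PAC covers."""
    return CODE[aut(obj["handler"], OBJ_ADDR)]()

def privileged(obj):
    """A plain data check: no pointer, so no signature to verify."""
    return obj["is_admin"]

def code_pointer_overwrite(obj, new_target):
    """Model a memory write that replaces only the address bits (no key, so no valid tag)."""
    corrupted = dict(obj)
    corrupted["handler"] = (obj["handler"] & ~ADDR_MASK) | new_target
    try:
        dispatch(corrupted)
        return "call allowed"
    except RuntimeError:
        return "call blocked"       # the mitigation does its job here

def data_only_overwrite(obj):
    """Model the same write primitive aimed at a non-pointer field: nothing checks it."""
    corrupted = dict(obj)
    corrupted["is_admin"] = True
    return privileged(corrupted)

if __name__ == "__main__":
    obj = make_object(0x1000)
    print(dispatch(obj))                       # greeting
    print(code_pointer_overwrite(obj, 0x2000)) # call blocked
    print(data_only_overwrite(obj))            # True
```

The second result is the design working as intended; the third is the gap the quoted text describes: a read/write primitive that never needs to forge a signature gets the same effect by changing what the program decides, so data integrity and memory safety have to come from elsewhere.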