Comment by colanderman

2 days ago

The instructions have to be trap instructions for it to work.

The conditional branch-backward instruction it is, is almost as bad as the series of NOPs, since it is still likely to redirect an attacker to functioning code. (If the attacker can clear the mi flag first, these are just NOPs!)

Hence yes, this is a broken exploit mitigation.

And this is where the OpenBSD people will paraphrase Henry Spencer and say that those who do not understand OpenBSD are doomed to reinvent it badly. (Personally, I think that that's putting OpenBSD onto a pedestal. It's no ideal; one gets the same tradeoffs and problems as everywhere else.) In this case, the reinvention for LLVM targeting ARM, that credits seeing this committed to OpenBSD by Theo de Raadt, totally ignored that the original for gas targeting x86 both trapped and jumped.

I intentionally also pointed you to a collection of several critiques of the whole idea, long-since made. (-:

  • I think you're misunderstanding. 32 bit ARM has TWO instruction encodings. OpenBSD apparently only knows about one. In thumb encoding, the instruction is a branch, not a trap.

  • Why, in your own words, is the jump supposed to be there? (Keep in mind this code is in between two functions.)

    And why, in your own words, is it OK for the jump to be a conditional backwards jump?

  • So now you're saying this is a bad reinvention?

    Your first comment says "it's intentional that it works this way".