
Comment by ordu

7 hours ago

> The alternative they present is arguably less secure because the function pointer will remain writable for the life of the process

The article mentions this, and also points to mprotect which you can use to protect the pointer.

Why do people jump to criticize without reading first? BTW, you can ask an LLM to check your critique before posting, if you don't want to read the text.
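An added illustration of the mprotect approach mentioned here, not code from the thread or the article: a resolver picks an implementation the way an IFUNC resolver would, stores the chosen pointer in its own page, and then seals that page read-only so the pointer is not writable for the rest of the process (the `prefer_builtin` flag stands in for a CPU feature check; a 4 KiB page size is assumed).

```c
/* Constructed example: IFUNC-style late binding with the chosen function
 * pointer sealed by mprotect() after initialisation, like a RELRO'd GOT. */
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

typedef uint32_t (*popcnt_fn)(uint32_t);

/* Two candidate implementations; a real resolver would choose by CPU feature. */
static uint32_t popcnt_generic(uint32_t x) {
    uint32_t n = 0;
    for (; x; x &= x - 1) n++;
    return n;
}
static uint32_t popcnt_builtin(uint32_t x) { return (uint32_t)__builtin_popcount(x); }

/* The dispatch table is padded to, and aligned on, a whole page so that
 * mprotect() on it cannot make any unrelated data read-only. */
#define TABLE_PAGE 4096
struct dispatch { popcnt_fn popcnt; char pad[TABLE_PAGE - sizeof(popcnt_fn)]; };
static struct dispatch table __attribute__((aligned(TABLE_PAGE)));
static int sealed;

/* Resolver: store the chosen implementation, then seal the page.
 * Returns 0 on success, -1 if already sealed or the page-size assumption fails. */
int dispatch_init(int prefer_builtin) {
    if (sealed) return -1;                       /* a second write would fault */
    if (sysconf(_SC_PAGESIZE) != TABLE_PAGE) return -1; /* assumption: 4 KiB pages */
    table.popcnt = prefer_builtin ? popcnt_builtin : popcnt_generic;
    /* From here on, any write to table.popcnt raises SIGSEGV. */
    if (mprotect(&table, sizeof table, PROT_READ) != 0) { perror("mprotect"); return -1; }
    sealed = 1;
    return 0;
}

int dispatch_sealed(void) { return sealed; }

/* Call through the sealed pointer. */
uint32_t popcnt(uint32_t x) { return table.popcnt(x); }

int main(void) {
    if (dispatch_init(1) != 0) return 1;
    printf("popcnt(0xF0F0) = %u, sealed = %d\n", popcnt(0xF0F0u), dispatch_sealed());
    return 0;
}
```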

Yes but at best their "solution" is equally secure, not any better.

  • They argue, and I tend to agree, that their solution is more secure.

    1. It implies some function pointers to be writable temporarily, not all of them.

    2. It doesn't hide writable pointers from a cursory glance not familiar with IFUNC.

    • The GOT has to be initially writable regardless of ifunc, even with relro, to apply relocations.

  • Would xz still have been able to alter opensshd without IFUNC?

    • Yes, liblzma could have used multiple routes to take over sshd. Once you're running inside the process it's game over. The exact details, like how they used ifunc and an audit hook, are very interesting, but ultimately not that important.