FreeBSD x86 vs x86-64 Questions about Security

Coleman Kane zombyfork at gmail.com
Fri Feb 11 07:45:17 PST 2005


I believe there is still a large overlap of opcodes in both
architectures. For instance, NOP is still 0x90. In addition I believe
the default operand size (i.e.: no REX prefix) in PM64 is 32-bit, just
like PM32 (protected mode 64 vs. 32 bit). This would lead me to
believe that many stack-smashing exploits may still apply.

Now, other certain instructions, such as Jcc (0x7*) and JMPs
(0xe9,a,b) default to 64-bit offsets. Now comes the fun part: Since
the amd64 and ia32 are both little-endian, an exploit which makes use
of these default-64bit instructions would only need their operands to
be sign extended:

IA-32
[OP] [DEST 0..7] [DEST 8..15] [DEST 16..23] [DEST 24..31]

amd64:
[OP] [DEST 0..7] [DEST 8..15] [DEST 16..23] [DEST 24..31] ... [DEST 56..63]

So if OP is a CALL, or JMP or similar, you could use the same code,
provided the destination address is the same. It will execute. Now if
it succeeds, that is another matter which I have not looked into yet.
I think the IA32 uses INT 0x80, while amd64 uses SYSCALL to handle
syscalls.
There are probably other significant differences as well.

I would think that a sufficiently creative person could come up with
an exploit which works on both systems.

On Fri, 11 Feb 2005 06:59:38 -0800, Astrodog <astrodog at gmail.com> wrote:
>
> 
> I think that FreeBSD-AMD64 will not be affected directly, in that
> shellcode written for i386 won't work anymore. However, the security
> flaw would still exist, so there's still a threat, it's just one
> script-kiddies won't catch. The i386 compat layer won't allow
> vulnerable i386 shellcode to run from within an AMD64 application,
> since the ELF detection that makes COMPAT_IA32 work wouldn't kick in.
> i386-compiled applications could still, theoretically, be exploited
> with i386 shellcode though. However, AMD64 applications would not
> execute the shellcode, or, rather, wouldn't actually be able to,
> they'd just crash.
> 
> --- Harrison Grundy
>
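As an added illustration of the little-endian byte layout and sign extension discussed above (not code from the message or from FreeBSD): a small decoder that reads the displacement of a relative JMP/CALL/Jcc and computes its target under a 32-bit and a 64-bit address width, showing when the same bytes resolve to the same destination. It assumes the rel32 forms E9/E8 and 0F 8x and the rel8 forms EB and 7x, each carrying a little-endian two's-complement displacement that is sign-extended to the mode's address width; the opcode sets and sample bytes are constructed for this example.

```python
import struct

# Assumed opcode sets for this example (constructed, not from the message).
REL8_SHORT = {0xEB} | set(range(0x70, 0x80))   # short JMP and Jcc, 8-bit displacement
REL32_NEAR = {0xE9, 0xE8}                        # near JMP and CALL, 32-bit displacement


def sign_extend(value, bits):
    """Treat the low `bits` bits of `value` as a two's-complement integer."""
    sign = 1 << (bits - 1)
    return (value & (sign - 1)) - (value & sign)


def decode_rel_jump(code, ip, mode_bits):
    """Decode the relative branch at code[0], located at address `ip`.

    Returns (instruction_length, target) with the target truncated to the
    address width of the mode (32 for IA-32, 64 for amd64), or None if the
    first byte is not one of the relative-branch opcodes handled here.
    """
    op = code[0]
    if op in REL8_SHORT:
        length, disp = 2, sign_extend(code[1], 8)
    elif op in REL32_NEAR:
        length, disp = 5, struct.unpack_from("<i", code, 1)[0]   # little-endian int32
    elif op == 0x0F and 0x80 <= code[1] <= 0x8F:                  # near Jcc rel32
        length, disp = 6, struct.unpack_from("<i", code, 2)[0]
    else:
        return None
    mask = (1 << mode_bits) - 1
    # The displacement is relative to the end of the instruction in both modes.
    return length, (ip + length + disp) & mask


def same_target_both_modes(code, ip):
    """True when the branch at `ip` resolves to the same address in both modes."""
    r32 = decode_rel_jump(code, ip, 32)
    r64 = decode_rel_jump(code, ip, 64)
    return r32 is not None and r32 == r64


if __name__ == "__main__":
    # Constructed sample: JMP rel32 with displacement -0x10 (E9 F0 FF FF FF).
    sample = bytes([0xE9, 0xF0, 0xFF, 0xFF, 0xFF])
    print(hex(decode_rel_jump(sample, 0x08048100, 32)[1]))       # low address: same in both
    print(same_target_both_modes(sample, 0x08048100))            # True
    print(same_target_both_modes(sample, 0x00007FFFF7E00100))    # False: target exceeds 32 bits
```

The last call shows the caveat in the message: the bytes only "work" in both modes when the destination fits in the narrower address space.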

