From: Coleman Kane (Reply-To: cokane@cokane.org)
To: Astrodog
Cc: freebsd-amd64@freebsd.org
Date: Fri, 11 Feb 2005 10:45:16 -0500
Subject: Re: FreeBSD x86 vs x86-64 Questions about Security
List-Id: Porting FreeBSD to the AMD64 platform (freebsd-amd64@freebsd.org)
Message-ID: <346a802205021107456c40fbd2@mail.gmail.com>
In-Reply-To: <2fd864e050211065931e2f425@mail.gmail.com>
References: <420C649D.8070502@oranged.to> <346a8022050211063022cb57e2@mail.gmail.com> <2fd864e050211065931e2f425@mail.gmail.com>

I believe there is still a large overlap of opcodes in both architectures.
For instance, NOP is still 0x90. In addition I believe the default operand size (i.e.: no REX prefix) in PM64 is 32-bit, just like PM32 (protected mode 64 vs. 32 bit). This would lead me to believe that many stack-smashing exploits may still apply. Now, certain other instructions, such as Jcc (0x7*) and JMPs (0xe9,a,b), default to 64-bit offsets.

Now comes the fun part: since the amd64 and ia32 are both little-endian, an exploit which makes use of these default-64bit instructions would only need their operands to be sign extended:

  IA-32: [OP] [DEST 0..7] [DEST 8..15] [DEST 16..23] [DEST 24..31]
  amd64: [OP] [DEST 0..7] [DEST 8..15] [DEST 16..23] [DEST 24..31] ... [DEST 56..63]

So if OP is a CALL, or JMP or similar, you could use the same code, provided the destination address is the same. It will execute. Now if it succeeds, that is another matter which I have not looked into yet. I think the IA32 uses INT 0x80, while amd64 uses SYSCALL to handle syscalls. There are probably other significant differences as well. I would think that a sufficiently creative person could come up with an exploit which works on both systems.

On Fri, 11 Feb 2005 06:59:38 -0800, Astrodog wrote:
>
> I think that FreeBSD-AMD64 will not be affected directly, in that
> shellcode written for i386 won't work anymore. However, the security
> flaw would still exist, so there's still a threat, it's just one
> script-kiddies won't catch. The i386 compat layer won't allow
> vulnerable i386 shellcode to run from within an AMD64 application,
> since the ELF detection that makes COMPAT_IA32 work wouldn't kick in.
> i386-compiled applications could still, theoretically, be exploited
> with i386 shellcode though. However, AMD64 applications would not
> execute the shellcode, or, rather, wouldn't actually be able to,
> they'd just crash.
>
> --- Harrison Grundy