RFR: 8264130: PAC-RET protection for Linux/AArch64 [v2]

Andrew Dinn adinn at openjdk.java.net
Thu Nov 11 16:34:33 UTC 2021


On Thu, 11 Nov 2021 15:30:29 GMT, Alan Hayward <duke at openjdk.java.net> wrote:

> Am I right in saying that for Macos, all generated code is remapped RO before execution?

Ah, no, it seems the code cache is not RWX all the time as far as Java threads are concerned. The macOS/AArch64 code is strategically calling pthread_jit_write_protect_np at Java <-> JVM transition points.

That ensures that executable regions are executable but not writable (RX) from a Java thread when running JITted Java code and are writable but not executable (RW) when it calls into JVM code.

> An additional concern I have is that if the globals data was attacked then the UseROPProtection flag could be flipped, and all code after that point would be generated without ROP protection. Marking all the globals data as RO would fix that. Alternatively remove UseROPProtection and then in the macroassembler always generate PAC code, using just the subset of instructions that are NOPs on non-PAC hardware. Or alternatively only generate PAC code based on a #define set at build time. Each option has its own downsides.

Globals data can legitimately be written during JVM startup (perhaps in some cases also during execution?). So, they cannot simply be marked as RO.

I am not sure this concern is really warranted. If an attacker is already able to overwrite UseROPProtection then a concern over the resulting omission of JITted ROP protection seems like attending to the loud banging of the stable door while Shergar has already been diced into stew meat.

-------------

PR: https://git.openjdk.java.net/jdk/pull/6334
