On the gmp-devel mailing list I read that ARM PAC BTI support is just being added for aarch64 platforms.
In a video about "What is BTI"
https://vimeo.com/1019370992
it is stated that support can be checked with string "bti" in /proc/cpuinfo.
Latest Raspberry PiOS does not support:
Code:
pi@raspberrypi5:~ $ grep "bti" /proc/cpuinfo
pi@raspberrypi5:~ $

I wanted to learn more on BTI support and searched the web for "debian bti":
https://wiki.debian.org/ToolChain/PACBTI
Since Raspberry PiOS is based on Debian the information should be relevant.
It states that compiler support is available only for gcc 13 and later.
Unfortunately:
Code:
pi@raspberrypi5:~ $ gcc --version
gcc (Debian 12.2.0-14) 12.2.0
Copyright (C) 2022 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

pi@raspberrypi5:~ $

It also shows code for a ROP attack:
Code:
#include <stdio.h>

void target() { printf("ROP attack worked\n"); }

void hello() {
  int xxx;
  printf("Trying to overwrite return address of hello()\n");
  *((&xxx) - 0x5) = target;
}

int main() {
  hello();
}

And attack works:
Code:
pi@raspberrypi5:~ $ gcc rop.c
rop.c: In function ‘hello’:
rop.c:8:19: warning: assignment to ‘int’ from ‘void (*)()’ makes integer from pointer without a cast [-Wint-conversion]
    8 |   *((&xxx) - 0x5) = target;
      |                   ^
pi@raspberrypi5:~ $ ./a.out | head -3
Trying to overwrite return address of hello()
ROP attack worked
ROP attack worked
pi@raspberrypi5:~ $

The proposed compile flag "-mbranch-protection=standard" does not prevent (because gcc 12):
Code:
pi@raspberrypi5:~ $ gcc -mbranch-protection=standard rop.c
rop.c: In function ‘hello’:
rop.c:8:19: warning: assignment to ‘int’ from ‘void (*)()’ makes integer from pointer without a cast [-Wint-conversion]
    8 |   *((&xxx) - 0x5) = target;
      |                   ^
pi@raspberrypi5:~ $ ./a.out | head -3
Trying to overwrite return address of hello()
ROP attack worked
ROP attack worked
pi@raspberrypi5:~ $

Will next Raspberry PiOS be based on Trixie, the successor of Bookworm?
Will that contain gcc version 13 or higher?
Statistics: Posted by HermannSW — Wed Nov 13, 2024 11:39 pm — Replies 2 — Views 65
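
An added example, not part of the original post or of the Debian wiki page: a POSIX shell check that looks for the `paca`, `pacg` and `bti` hwcaps as whole words on the `Features` line of /proc/cpuinfo, and reads the PAC/BTI marking of a compiled binary from `readelf -n` output. The function names and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example: check PAC/BTI on the CPU side and on the binary side (aarch64 Linux).

# cpu_has FEATURE   (cpuinfo text on stdin)
# Succeeds only if FEATURE is a whole word on a "Features" line, so a
# substring hit elsewhere in the file (possible with a bare grep) is ignored.
cpu_has() {
    awk -v want="$1" '
        /^Features[ \t]*:/ { for (i = 1; i <= NF; i++) if ($i == want) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# cpu_report [FILE]   prints "paca=yes|no pacg=yes|no bti=yes|no".
# FILE defaults to /proc/cpuinfo; "-" reads stdin.
cpu_report() {
    info=$(cat "${1:-/proc/cpuinfo}")
    out=""
    for f in paca pacg bti; do
        if printf '%s\n' "$info" | cpu_has "$f"; then v=yes; else v=no; fi
        out="$out$f=$v "
    done
    printf '%s\n' "${out% }"
}

# elf_marking   (output of `readelf -n BINARY` on stdin)
# Prints the features named in the "AArch64 feature:" GNU property note,
# for example "BTI, PAC", or "none" when the binary carries no such note.
elf_marking() {
    m=$(sed -n 's/^.*AArch64 feature:[[:space:]]*//p' | head -n 1)
    printf '%s\n' "${m:-none}"
}

# Constructed sample (not captured from a real device): no PAC/BTI hwcaps,
# but "bti" occurs in the model name, which a bare `grep bti` would match.
SAMPLE='model name : demo-bti-core
Features : fp asimd evtstrm aes crc32 atomics'
printf '%s\n' "$SAMPLE" | cpu_report -
```

On the target, run `cpu_report` with no argument and `readelf -n ./a.out | elf_marking` on the binary. The instructions that `-mbranch-protection=standard` emits are encoded in the HINT space and execute as NOPs on a CPU that lacks the corresponding feature, so both checks matter.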