OpenBSD_Notes_re_DEP: Added an md file in docs/ explaining how to disable W^X protections on the filesystem you're using to execute Unicorn-using programmes, so that the OS will allow those programmes to run.
parent e1b65a6edb
commit eeea39c717
@ -0,0 +1,69 @@
## Circumventing OpenBSD 6.0's W^X Protections
OpenBSD 6.0 and above enforces data-execution prevention (DEP or
W^X) by default, preventing memory from being mapped as
simultaneously writeable and executable (i.e., W|X). This causes
problems for Unicorn, if left in place. If you're seeing
errors like the following:
```
/home/git/unicorn >> ./sample_arm
Emulate ARM code
zsh: abort (core dumped) ./sample_arm
```
then W^X is likely the culprit. If we run it again with ktrace
and look at the output with kdump, we see that this is indeed
the issue:
```
82192 sample_arm CALL mmap(0,0x800000,0x7<PROT_READ|PROT_WRITE|PROT_EXEC>,0x1002<MAP_PRIVATE|MAP_ANON>,-1,0)
82192 sample_arm PSIG SIGABRT SIG_DFL
82192 sample_arm NAMI "sample_arm.core"
```
Right now, we're in the /home filesystem. Let's look at its mount
options in /etc/fstab:
```
1234abcdcafef00d.g /home ffs rw,nodev,nosuid 1 2
```
If we edit the options to include ```wxallowed```, appending
this after nosuid, for example, then we're golden:
```
1234abcdcafef00d.g /home ffs rw,nodev,nosuid,wxallowed 1 2
```
Note that this *does* diminish the security of your filesystem
somewhat, and so if you're particularly particular about such
things, we recommend setting up a dedicated filesystem for
any activities that require ```(W|X)```, such as unicorn
development and testing.
In order for these changes to take effect, you will need to
reboot.
_Time passes..._
Let's try this again. There's no need to recompile unicorn or
the samples, as (W^X) is strictly a runtime issue.
First, we double check to see if /home has been mounted with
wxallowed:
```
/home >> mount | grep home
/dev/sd3g on /home type ffs (local, nodev, nosuid, wxallowed)
```
Okay, now let's try running that sample again...
```
/home/git/unicorn/samples >> ./sample_arm
Emulate ARM code
>>> Tracing basic block at 0x10000, block size = 0x8
>>> Tracing instruction at 0x10000, instruction size = 0x4
>>> Emulation done. Below is the CPU context
>>> R0 = 0x37
>>> R1 = 0x3456
==========================
Emulate THUMB code
>>> Tracing basic block at 0x10000, block size = 0x2
>>> Tracing instruction at 0x10000, instruction size = 0x2
>>> Emulation done. Below is the CPU context
>>> SP = 0x1228
```
works fine.
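Review bot: the caveat paragraph ("Note that this *does* diminish the security of your filesystem somewhat") understates and mislocates the cost: `wxallowed` does not weaken the filesystem itself, it switches off W^X enforcement for every program executed from that mount, so with the option on /home a memory-corruption bug in any binary a user runs from /home regains the ability to write and then execute code in a single mapping, not just Unicorn's JIT. Suggest stating that plainly and promoting the dedicated-filesystem advice from an aside to the recommended setup, i.e. a small ffs mount used only for Unicorn work rather than all of /home. Two smaller points: the "you will need to reboot" step is heavier than necessary, since `mount -u -o wxallowed /home` applies the changed option to the live mount and the `mount | grep home` check shown afterwards confirms it; and the sentence "If we run it again with ktrace and look at the output with kdump" names the tools without showing the commands, so add `ktrace ./sample_arm` followed by `kdump` (which reads the ktrace.out written to the current directory) before the trace excerpt so a reader can reproduce the diagnosis. Also make the prompt paths consistent between the two runs (/home/git/unicorn in the first, /home/git/unicorn/samples in the second).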