* Re: Ada exception vulnerability?
2013-07-30 14:45 Ada exception vulnerability? Diogenes
@ 2013-07-30 21:30 ` erlo
From: erlo @ 2013-07-30 21:30 UTC
On 07/30/2013 04:45 PM, Diogenes wrote:
> I'm reading the paper at http://mirror.die.net/misc/defcon-20/speaker%20presentations/branco-oakley-bratus/rodrigobranco.txt
>
> Does anyone know if GNAT/Ada exceptions on Linux are currently vulnerable to this attack?
>
> Diogenes
>
By the looks of the output from readelf, I would think so:

erlo@beeblebrox:~/Proj/Ada/Exception_test/obj$ readelf -S main
There are 31 section headers, starting at offset 0x2208:

Section Headers:
  [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
  [ 0]                   NULL            00000000 000000 000000 00      0   0  0
  [ 1] .interp           PROGBITS        08048154 000154 000013 00   A  0   0  1
  [ 2] .note.ABI-tag     NOTE            08048168 000168 000020 00   A  0   0  4
  [ 3] .note.gnu.build-i NOTE            08048188 000188 000024 00   A  0   0  4
  [ 4] .gnu.hash         GNU_HASH        080481ac 0001ac 00017c 04   A  5   0  4
  [ 5] .dynsym           DYNSYM          08048328 000328 000500 10   A  6   1  4
  [ 6] .dynstr           STRTAB          08048828 000828 000759 00   A  0   0  1
  [ 7] .gnu.version      VERSYM          08048f82 000f82 0000a0 02   A  5   0  2
  [ 8] .gnu.version_r    VERNEED         08049024 001024 000040 00   A  6   2  4
  [ 9] .rel.dyn          REL             08049064 001064 000140 08   A  5   0  4
  [10] .rel.plt          REL             080491a4 0011a4 000108 08   A  5  12  4
  [11] .init             PROGBITS        080492ac 0012ac 00002e 00  AX  0   0  4
  [12] .plt              PROGBITS        080492e0 0012e0 000220 04  AX  0   0 16
  [13] .text             PROGBITS        08049500 001500 00050c 00  AX  0   0 16
  [14] .fini             PROGBITS        08049a0c 001a0c 00001a 00  AX  0   0  4
  [15] .rodata           PROGBITS        08049a28 001a28 0001c2 00   A  0   0  4
  [16] .eh_frame_hdr     PROGBITS        08049bec 001bec 00004c 00   A  0   0  4
  [17] .eh_frame         PROGBITS        08049c38 001c38 000160 00   A  0   0  4
  [18] .gcc_except_table PROGBITS        08049d98 001d98 000024 00   A  0   0  4
  [19] .ctors            PROGBITS        0804af04 001f04 000008 00  WA  0   0  4
  [20] .dtors            PROGBITS        0804af0c 001f0c 000008 00  WA  0   0  4
  [21] .jcr              PROGBITS        0804af14 001f14 000004 00  WA  0   0  4
  [22] .dynamic          DYNAMIC         0804af18 001f18 0000d8 08  WA  6   0  4
  [23] .got              PROGBITS        0804aff0 001ff0 000004 04  WA  0   0  4
  [24] .got.plt          PROGBITS        0804aff4 001ff4 000090 04  WA  0   0  4
  [25] .data             PROGBITS        0804b084 002084 000028 00  WA  0   0  4
  [26] .bss              NOBITS          0804b0c0 0020ac 0001e4 00  WA  0   0 32
  [27] .comment          PROGBITS        00000000 0020ac 00004d 01  MS  0   0  1
  [28] .shstrtab         STRTAB          00000000 0020f9 00010e 00      0   0  1
  [29] .symtab           SYMTAB          00000000 0026e0 000e70 10     30  52  4
  [30] .strtab           STRTAB          00000000 003550 001048 00      0   0  1
Key to Flags:
  W (write), A (alloc), X (execute), M (merge), S (strings)
  I (info), L (link order), G (group), T (TLS), E (exclude), x (unknown)
  O (extra OS processing required) o (OS specific), p (processor specific)

erlo@beeblebrox:~/Proj/Ada/Exception_test/obj$ readelf --debug-dump=frames main
Contents of the .eh_frame section:

00000000 00000014 00000000 CIE
  Version:               1
  Augmentation:          "zR"
  Code alignment factor: 1
  Data alignment factor: -4
  Return address column: 8
  Augmentation data:     1b

  DW_CFA_def_cfa: r4 (esp) ofs 4
  DW_CFA_offset: r8 (eip) at cfa-4
  DW_CFA_nop
  DW_CFA_nop

... and much more to follow.

The Ada source looks like this:

with Ada.Text_IO;
with Ada.Exceptions;
use Ada.Exceptions;

procedure Main is
   My_Exception : exception;
begin
   Ada.Text_IO.Put_Line("Howdy");
   raise My_Exception;
exception
   when My_Exception =>
      Ada.Text_IO.Put_Line("Caught exception");
end Main;

The program is built with gnat 4.6:

erlo@beeblebrox:~/Proj/Ada/Exception_test/src$ gnat
GNAT 4.6
Copyright 1996-2010, Free Software Foundation, Inc.

Best regards
Erlo
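
The readelf -S check in the message above can be scripted when many binaries have to be audited. The following is an added example, not part of the original post: it reads the section header table of a little-endian ELF32 file and reports whether the unwind sections are present and whether they are flagged writable. The function names are illustrative, and the sample image is constructed (headers only) from the addresses, sizes and flags in the listing above.

```python
import struct

EH_SECTIONS = (".eh_frame_hdr", ".eh_frame", ".gcc_except_table")
SHF_WRITE, SHF_ALLOC = 0x1, 0x2

def eh_sections(elf: bytes) -> dict:
    """Report the exception-unwind sections of a little-endian ELF32 image."""
    if len(elf) < 52 or elf[:6] != b"\x7fELF\x01\x01":
        raise ValueError("not a little-endian ELF32 image")
    (e_shoff,) = struct.unpack_from("<I", elf, 0x20)
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", elf, 0x2E)

    def shdr(i):  # sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size
        return struct.unpack_from("<6I", elf, e_shoff + i * e_shentsize)

    names_off = shdr(e_shstrndx)[4]  # file offset of the section name table
    found = {}
    for i in range(e_shnum):
        sh_name, _, flags, addr, _, size = shdr(i)
        start = names_off + sh_name
        name = elf[start:elf.index(b"\0", start)].decode("ascii", "replace")
        if name in EH_SECTIONS:
            found[name] = {"addr": addr, "size": size,
                           "alloc": bool(flags & SHF_ALLOC),
                           "writable": bool(flags & SHF_WRITE)}
    return found

def build_sample() -> bytes:
    """Constructed header-only ELF32 image using values from the readelf listing."""
    secs = [("", 0, 0, 0, 0),  # (name, type, flags, addr, size)
            (".eh_frame_hdr", 1, 0x2, 0x08049BEC, 0x4C),
            (".eh_frame", 1, 0x2, 0x08049C38, 0x160),
            (".gcc_except_table", 1, 0x2, 0x08049D98, 0x24),
            (".shstrtab", 3, 0, 0, 0)]
    strtab, shdrs = b"\0", b""
    for name, *_ in secs[1:]:
        strtab += name.encode() + b"\0"
    for name, typ, flags, addr, size in secs:
        name_off = strtab.index(name.encode() + b"\0") if name else 0
        is_strtab = name == ".shstrtab"  # only the name table has real file contents
        shdrs += struct.pack("<10I", name_off, typ, flags, addr, 52 if is_strtab else 0,
                             len(strtab) if is_strtab else size, 0, 0, 4, 0)
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", b"\x7fELF\x01\x01\x01", 2, 3, 1, 0, 0,
                       52 + len(strtab), 0, 52, 0, 0, 40, len(secs), len(secs) - 1)
    return ehdr + strtab + shdrs

if __name__ == "__main__":
    for name, info in eh_sections(build_sample()).items():
        print(f"{name:18} addr={info['addr']:#010x} size={info['size']:#x} "
              f"writable={info['writable']}")
```

For a real 32-bit binary, pass open(path, "rb").read() to eh_sections; ELF64 uses different header offsets and is not handled here.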