FreeBSD x86 vs x86-64 Questions about Security

Astrodog astrodog at gmail.com
Fri Feb 11 07:51:32 PST 2005


On Fri, 11 Feb 2005 10:45:16 -0500, Coleman Kane <zombyfork at gmail.com> wrote:
> I believe there is still a large overlap of opcodes in both
> architectures. For instance, NOP is still 0x90. In addition I believe
> the default operand size (i.e.: no REX prefix) in PM64 is 32-bit, just
> like PM32 (protected mode 64 vs. 32 bit). This would lead me to
> believe that many stack-smashing exploits may still apply.
> 
> Now, other certain instructions, such as Jcc (0x7*) and JMPs
> (0xe9,a,b) default to 64-bit offsets. Now comes the fun part: Since
> the amd64 and ia32 are both little-endian, an exploit which makes use
> of these default-64bit instructions would only need their operands to
> be sign extended:
> 
> IA-32
> [OP] [DEST 0..7] [DEST 8..15] [DEST 16..23] [DEST 24..31]
> 
> amd64:
> [OP] [DEST 0..7] [DEST 8..15] [DEST 16..23] [DEST 24..31] ... [DEST 56..63]
> 
> So if OP is a CALL, or JMP or similar, you could use the same code,
> provided the destination address is the same. It will execute. Now if
> it succeeds, that is another matter which I have not looked into yet.
> I think the IA32 uses INT 0x80, while amd64 uses SYSCALL to handle
> syscalls.
> There are probably other significant differences as well.
> 
> I would think that a sufficiently creative person could come up with
> an exploit which works on both systems.
> 

Definitely, but the differences that exist are enough to prevent the
current stuff from happening. The lesson is still to keep your stuff
patched, though.
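The encoding question raised in the quoted post can be checked mechanically. The decoder below is an added example, not code from either poster: it decodes the near branch forms (E8/E9 rel32, EB rel8, 70-7F rel8, 0F 80-8F rel32) and the two syscall entry instructions (CD 80 for the IA-32 int 0x80 path, 0F 05 for the amd64 SYSCALL path) and computes branch targets for a 32-bit and a 64-bit code segment. In both modes the near branch displacement is a little-endian 8- or 32-bit value that the CPU sign-extends; the modes differ in the address width the result wraps to. The sample byte string, the base address 0x1000 and the opcode list are constructed for the example; anything not in that list is reported as "other" and stepped over one byte at a time, which is an assumption, not a full x86 decoder.

```python
import struct

MASK32 = (1 << 32) - 1
MASK64 = (1 << 64) - 1


def sext(value, bits):
    """Sign-extend an unsigned `bits`-wide value to a Python int."""
    sign = 1 << (bits - 1)
    return (value & (sign - 1)) - (value & sign)


def decode_one(buf, off, ip, bits):
    """Decode the instruction at buf[off], assumed to sit at address `ip`
    in a 32- or 64-bit code segment.  Returns (mnemonic, length, target);
    target is None for non-branch instructions.  Only the opcodes the
    thread discusses are recognised (assumption of this example)."""
    mask = MASK64 if bits == 64 else MASK32
    avail = len(buf) - off
    op = buf[off]
    nxt = buf[off + 1] if avail > 1 else None

    if op in (0xE8, 0xE9) and avail >= 5:            # call/jmp rel32
        rel = sext(struct.unpack_from("<I", buf, off + 1)[0], 32)
        return ("call" if op == 0xE8 else "jmp"), 5, (ip + 5 + rel) & mask
    if op == 0xEB and avail >= 2:                     # jmp rel8
        return "jmp", 2, (ip + 2 + sext(nxt, 8)) & mask
    if 0x70 <= op <= 0x7F and avail >= 2:             # jcc rel8
        return "jcc", 2, (ip + 2 + sext(nxt, 8)) & mask
    if op == 0x0F and nxt is not None:
        if nxt == 0x05:                               # syscall (amd64 ABI)
            return "syscall", 2, None
        if 0x80 <= nxt <= 0x8F and avail >= 6:        # jcc rel32
            rel = sext(struct.unpack_from("<I", buf, off + 2)[0], 32)
            return "jcc", 6, (ip + 6 + rel) & mask
    if op == 0xCD and nxt == 0x80:                    # int 0x80 (IA-32 ABI)
        return "int80", 2, None
    if op == 0x90:                                    # nop, same byte in both modes
        return "nop", 1, None
    return "other", 1, None                           # unknown: step one byte


def scan(buf, base, bits):
    """Linear sweep over `buf` loaded at `base`; list of (addr, mnemonic, target)."""
    out, off = [], 0
    while off < len(buf):
        name, length, target = decode_one(buf, off, base + off, bits)
        out.append((base + off, name, target))
        off += length
    return out


def syscall_abis(buf):
    """Which kernel entry conventions a code fragment uses; a fragment that
    only contains one of them can only succeed on one of the two ABIs."""
    return {name for _, name, _ in scan(buf, 0, 64) if name in ("int80", "syscall")}


# Constructed sample: two nops, a forward jmp rel32 of +5, two nops, then
# both syscall entry sequences back to back (not a real code fragment).
SAMPLE = bytes.fromhex("90 90 e9 05 00 00 00 90 90 cd 80 0f 05")

if __name__ == "__main__":
    for bits in (32, 64):
        print(f"--- decoded as {bits}-bit code at 0x1000 ---")
        for addr, name, target in scan(SAMPLE, 0x1000, bits):
            tgt = "" if target is None else f" -> {target:#x}"
            print(f"{addr:#06x}: {name}{tgt}")
    print("syscall conventions present:", sorted(syscall_abis(SAMPLE)))
```

Decoding the same bytes in both modes gives the same mnemonics and, for the forward jump, the same target; the only case where the two modes disagree on a target is when the computed address wraps past 32 bits, which is where an absolute address baked into a 32-bit payload stops meaning the same thing. The `syscall_abis` helper is the defender's view of the last point in the quoted post: a captured fragment that contains only `int 0x80` cannot complete a system call through the amd64 `syscall` entry, and vice versa.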

