[Webkit-unassigned] [Bug 171870] New: Harden allocation of core function and executable types
bugzilla-daemon at webkit.org
Tue May 9 11:38:30 PDT 2017
https://bugs.webkit.org/show_bug.cgi?id=171870
Bug ID: 171870
Summary: Harden allocation of core function and executable types
Product: WebKit
Version: WebKit Local Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: oliver at apple.com
CC: fpizlo at apple.com, ggaren at apple.com, jfbastien at apple.com, sbarati at apple.com
As they're prime targets for privilege escalation, achieving code control, etc, etc we should harden how we allocate JSFunctions and related objects by pushing them all into a separate subspace that is never used for any other object type.
Targets are JSFunction and subclasses and *Executable*.
This means that it will be marginally harder for an attacker to overwrite the executable linkage (still achievable, but it would be a bit more work to achieve control).
Not super high priority as I'm not sure how useful this would be -- the attacker would need to pivot from a separate object class to the function. The question is whether we consider that to be a meaningful increase in attack complexity.