[Webkit-unassigned] [Bug 171870] New: Harden allocation of core function and executable types

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue May 9 11:38:30 PDT 2017


https://bugs.webkit.org/show_bug.cgi?id=171870

            Bug ID: 171870
           Summary: Harden allocation of core function and executable
                    types
           Product: WebKit
           Version: WebKit Local Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: oliver at apple.com
                CC: fpizlo at apple.com, ggaren at apple.com,
                    jfbastien at apple.com, sbarati at apple.com

As they're prime targets for privilege escalation, achieving code control, etc., etc., we should harden how we allocate JSFunctions and related objects by pushing them all into a separate subspace that is never used for any other object type.

Targets are JSFunction and subclasses and *Executable*.

This means that it will be marginally harder for an attacker to overwrite the executable linkage (still achievable, but would take a bit more work to achieve control).

Not super high priority as I'm not sure how useful this would be -- attacker would need to pivot from a separate object class to the function. The question is whether we consider that to be a meaningful increase in attack complexity.
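To make the proposed hardening concrete, here is an added illustration (not WebKit or JSC code) of a type-segregated heap: each kind of cell gets its own subspace with its own slots and free list, so a slot freed by an ordinary object can never be handed back out as a function cell. All names (Cell, Kind, Subspace, SegregatedHeap) are hypothetical.

```cpp
// Added illustration, not WebKit code: a minimal type-segregated heap in the spirit
// of the JSC "subspace" idea. Each subspace owns its own slots and free list, so a
// slot that once held an ordinary object is never reissued as a function cell.
// All names here (Cell, Kind, Subspace, SegregatedHeap) are hypothetical.
#include <vector>
enum class Kind { Generic, Function };
struct Cell { Kind kind; unsigned payload; };
// Fixed-size slots dedicated to exactly one cell kind.
class Subspace {
public:
    Subspace(Kind k, unsigned n) : kind_(k), slots_(n) {
        for (Cell& c : slots_) freeList_.push_back(&c);
    }
    bool owns(const Cell* c) const { return c >= slots_.data() && c < slots_.data() + slots_.size(); }
    Cell* allocate() {
        if (freeList_.empty()) return nullptr; // a real heap would grow a new block here
        Cell* c = freeList_.back();
        freeList_.pop_back();
        *c = Cell{kind_, 0};
        return c;
    }
    void deallocate(Cell* c) {
        if (owns(c)) freeList_.push_back(c); // a slot only ever returns to its own subspace
    }
private:
    Kind kind_;
    std::vector<Cell> slots_;
    std::vector<Cell*> freeList_;
};
// Routes each kind to its own subspace; no slot is ever shared across kinds.
class SegregatedHeap {
public:
    Cell* allocate(Kind k) { return k == Kind::Function ? function_.allocate() : generic_.allocate(); }
    void deallocate(Cell* c) { if (function_.owns(c)) function_.deallocate(c); else generic_.deallocate(c); }
    bool isFunctionSlot(const Cell* c) const { return function_.owns(c); }
private:
    Subspace generic_{Kind::Generic, 64};
    Subspace function_{Kind::Function, 64};
};
// The property the hardening buys: a freed generic slot can never come back as a function,
// while reuse within a single subspace (generic -> generic) remains the normal case.
bool freedGenericSlotNeverBecomesFunction() {
    SegregatedHeap heap;
    Cell* g = heap.allocate(Kind::Generic);
    heap.deallocate(g);
    Cell* f = heap.allocate(Kind::Function);
    Cell* g2 = heap.allocate(Kind::Generic); // same-kind reuse: gets g's slot back
    return f != g && heap.isFunctionSlot(f) && !heap.isFunctionSlot(g) && g2 == g;
}
```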
