GaloisInc / BESSPIN-Tool-Suite

The core tool of the BESSPIN Framework.

CWE-587 Question #1207

Closed njshanahan closed 3 years ago

njshanahan commented 3 years ago

Is it possible to change the jumpToFixedAddr function in CWE-587 to use a different fixed address? HARD filters out addresses within kernel space to avoid false detections. We've shown that changing FIXED_ADDR_FUNC to an arbitrary, un-aligned address within the executable's .text section allows HARD to detect this exploit (prior to the segmentation fault).

rtadros125 commented 3 years ago

@njshanahan We can add a condition here to define a different value for LMCO (we define the macro BIN_SOURCE_LMCO when binarySource is configured to LMCO). So to confirm, you're asking to replace the 0x2000020000 value? And please give me the value you want.

njshanahan commented 3 years ago

Yes, that is correct. I somewhat arbitrarily chose 0x10260 (to fall within testgenTestFunc()) and verified the processor successfully detected the exploit.

```text
<JUMP-TO-FIXED-A[  654.410000] Security violation detected by HARD pipeline!
[  654.410000] Responsible Process is test_587.riscv (PID = 140)
[  654.410000] SSITH HARD | Offending Instruction  = 0x00813423
[  654.410000] SSITH HARD | Program Counter Value  = 0x000000000001029E
[  654.410000] SSITH HARD | Reported Fault Code    = 0x00000000
[  654.410000] SSITH HARD | Reporting Pipeline ID  = 107
[  654.410000] Killing test_587.riscv...
[  654.410000] Offending process terminated.
DDR>
Killed
```

Are you ok with specifying the LMCO FIXED_ADDR_FUNC value as 0x10260?

rtadros125 commented 3 years ago

@njshanahan Sure. Just to double confirm: I will only update the debian value, but leave the FreeRTOS value as is.

njshanahan commented 3 years ago

@rtadros125 Yes please. I appreciate your help!