"static_wrapper" imports in the FFI

[Tyson Whitehead]

On March 16, 2010 20:01:32 Iavor Diatchki wrote:
> Optionally disabling executable heap blocks would be a separate patch.
>  As far as I know, the only reason that the heap is executable is to
> support the adjustor thunks used to implement "wrapper" imports.  The
> "static_wrapper" patch provides a way to install Haskell callbacks in
> many C libraries without the need for adjustor thunks.

I believe this is the code in "rts/Adjustor.c" and "rts/sm/Storage.c".  It (or 
it gets ffi to) write a small bit of assembler that adds a hard coded pointer 
(to a StablePtr) to the argument list and jump to a hard coded address.  It 
then has to fiddle with the executable bits on the memory page it wrote the 
code into in order to allow the system the execute it.

This leaves me to ask though, could you not also tighten up the security here 
by just getting the the system to turn off the writable bit when it also turns 
on the executable one?  I realize this implies that you will only get one of 
these per page, but still that might not be that bad if  you don't generate 
very many and recycle them.

As a compromise, you could also just temporarily make pages writable when you 
add to them, thus greatly minimizing the attack window.  If you could get the 
OS could freeze all other threads while doing this there would be no window.   
If there generation and usage is/could be localized to OS threads, then 
modification would always be safe if OS thread works on their own page.

I scanned the ghc source (all c, h, cmm, hs, and lhs files), and the only usage 
of import "wrappers" seems to be in System.Console.Terminfo.Base.

Cheers!  -Tyson
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part.
Url : http://www.haskell.org/pipermail/glasgow-haskell-users/attachments/20100317/48515c5d/attachment.bin