Hacker News

Disregarding the condescending nature of your comment - I can't find a reference to the actual whitelisting methodology in this article. Several other comments in this thread claim that this is a flag set on ELF section headers, which can be done entirely before the binary is delivered to the system and executed. So in my opinion you need to try harder than this.

If someone can show this is done by configuring the local dynamic linker, so that the end user has full control of the mechanism, then I'm all ears.



If an attacker can ship a malicious binary and run it on the target system, then this defense mechanism is 100% pointless.

It's trying to mitigate exploits, but if your attacker is already running arbitrary code, they don't need those exploits. They're way past that phase.



