Thursday, 28 March 2013

Mitigating Control-Flow Exploits With x86 ISA Extensions

A lot of exploit styles (e.g. "return-oriented programming") rely on jumping or calling into code that was never meant to be executed "stand-alone" --- i.e., jumping to an instruction that was only ever supposed to be executed by falling through from the previous instruction or via a branch within its function. On x86 this includes destination "instructions" that are actually part of another multi-byte instruction. It seems to me these exploits could be made much harder by somehow marking the start of "valid" branch/call/return targets and faulting when control is transferred to other instructions inappropriately.

Here's a more specific proposal for x86:

  • Add a new flag bit for code pages to enable "destination checking" on a per-page basis.
  • An indirect control transfer is any return instruction that pops EIP off the stack, or any jump or call instruction whose operand is not a constant. When an indirect control transfer lands on a page marked for destination checking, and the opcode byte at the new EIP is not 0x90 (NOP), fault.
  • A toolchain would take advantage of this feature by marking code pages for destination checking, avoiding use of 0x90 for regular NOPs, and placing a 0x90 at every function entry point and after every call instruction. For bonus points, avoid generating 0x90 bytes inside other instructions.

Obviously there are a lot of ways to tweak this. For example "PUSH EBP" is very often the first instruction of a function, so you could whitelist that instruction as a valid function entry point. You could avoid having to place a NOP after a direct CALL instruction by checking if the instruction at EIP-5 is 0x9A (direct CALL). You could make false returns even harder by extending that special case to require the address we're returning from to be "close to" the destination of the direct CALL instruction.
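As an added illustration, not code from the original post, here is a small C model of the destination-check rule above together with the tweaks just described: the PUSH EBP whitelist, the "look at EIP-5" special case for returns, and the "close to" refinement on it. The model checks for the 5-byte direct near CALL rel32 encoding, whose opcode byte is 0xE8 (0x9A encodes the 7-byte far CALL). The per-page flag is modelled as a per-image flag, the 0x100 "close to" threshold is an assumed value, and the 34-byte code image is constructed for the model; the x86 opcodes in it are real encodings.

```c
/* Added example, not from the original post: a software model of the proposed
 * "destination checking" rule for x86 indirect control transfers. Opcodes are
 * real x86 encodings; the per-image flag, CLOSE_TO_SPAN and the sample image
 * are constructed for this model. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define OP_NOP         0x90   /* landing-pad marker from the proposal */
#define OP_PUSH_EBP    0x55   /* whitelisted function-entry instruction */
#define OP_CALL_REL32  0xE8   /* 5-byte direct near CALL rel32 */
#define CALL_REL32_LEN 5
#define CLOSE_TO_SPAN  0x100  /* assumed: max distance from callee entry to its RET */

enum xfer_kind { XFER_RET, XFER_INDIRECT };  /* RET vs. indirect JMP/CALL */

struct code_image {
    const uint8_t *bytes;
    size_t len;
    uint32_t base;     /* virtual address of bytes[0] */
    bool dest_check;   /* the proposed per-page flag, modelled per image */
};

static bool in_image(const struct code_image *img, uint32_t addr)
{
    return addr >= img->base && addr - img->base < img->len;
}

static uint8_t byte_at(const struct code_image *img, uint32_t addr)
{
    return img->bytes[addr - img->base];
}

/* Returns true if the transfer is allowed, false if the CPU would fault.
 * from_eip is the address of the RET/JMP/CALL instruction being executed. */
bool dest_check_allows(const struct code_image *img, enum xfer_kind kind,
                       uint32_t from_eip, uint32_t target)
{
    /* Pages without the flag (or addresses this model does not map) are unchecked. */
    if (!img->dest_check || !in_image(img, target))
        return true;

    uint8_t op = byte_at(img, target);
    if (op == OP_NOP || op == OP_PUSH_EBP)
        return true;

    /* RET special case: landing just after a direct CALL is fine if the
     * returning instruction sits "close to" that CALL's destination. */
    if (kind == XFER_RET && target >= img->base + CALL_REL32_LEN &&
        byte_at(img, target - CALL_REL32_LEN) == OP_CALL_REL32) {
        uint32_t rel32 = 0;
        for (int i = 3; i >= 0; i--)   /* little-endian rel32 after the opcode */
            rel32 = rel32 << 8 | byte_at(img, target - CALL_REL32_LEN + 1 + i);
        uint32_t callee = target + rel32;  /* rel32 is relative to the next EIP */
        if (from_eip >= callee && from_eip - callee < CLOSE_TO_SPAN)
            return true;
    }
    return false;
}

/* Constructed 34-byte code image mapped at 0x1000 with destination checking on. */
static const uint8_t sample_code[] = {
    0x55,                          /* 0x1000  push ebp        f: entry (whitelisted) */
    0x89, 0xE5,                    /* 0x1001  mov ebp,esp */
    0xE8, 0x18, 0x00, 0x00, 0x00,  /* 0x1003  call 0x1020     direct call to g */
    0x5D,                          /* 0x1008  pop ebp         return site with no NOP pad */
    0xC3,                          /* 0x1009  ret */
    0xB8, 0x90, 0x90, 0x90, 0x90,  /* 0x100A  mov eax,0x90909090  0x90 bytes inside an immediate */
    0xC3,                          /* 0x100F  ret */
    0x31, 0xC0,                    /* 0x1010  xor eax,eax     ordinary mid-function code */
    0xC3,                          /* 0x1012  ret */
    0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
    0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,  /* 0x1013..0x101F  int3 padding */
    0x90,                          /* 0x1020  nop             g: entry marker */
    0xC3,                          /* 0x1021  ret */
};
static const struct code_image sample_image = { sample_code, sizeof sample_code, 0x1000, true };

/* Named scenarios so each outcome is a checkable return value. */
bool sample_indirect_to(uint32_t target) { return dest_check_allows(&sample_image, XFER_INDIRECT, 0x2000, target); }
bool sample_ret(uint32_t from_eip, uint32_t target) { return dest_check_allows(&sample_image, XFER_RET, from_eip, target); }
bool sample_unflagged_to(uint32_t target)   /* same bytes, page flag clear */
{
    struct code_image legacy = sample_image;
    legacy.dest_check = false;
    return dest_check_allows(&legacy, XFER_INDIRECT, 0x2000, target);
}

int main(void)
{
    printf("indirect call to f (push ebp):       %d\n", sample_indirect_to(0x1000));
    printf("indirect jmp into xor eax,eax:       %d\n", sample_indirect_to(0x1010));
    printf("jmp into 0x90 of an immediate:       %d\n", sample_indirect_to(0x100B));
    printf("ret from g to 0x1008 (after call):   %d\n", sample_ret(0x1021, 0x1008));
    printf("ret from 0x1012 to 0x1008 (bogus):   %d\n", sample_ret(0x1012, 0x1008));
    return 0;   /* 1 = allowed, 0 = would fault */
}
```

Two of the scenarios are the instructive ones. The return from g to 0x1008 is accepted without any NOP pad because the byte at EIP-5 is a direct CALL whose target (0x1020) is within the assumed span of the returning RET at 0x1021, while a return to the same site from the RET at 0x1012 faults because 0x1012 is nowhere near that callee. The jump to 0x100B is accepted even though it lands in the middle of an immediate, which is exactly why the proposal asks the toolchain to avoid emitting 0x90 bytes inside other instructions; and the unflagged copy of the image passes everything, which is the per-page opt-in behaviour that lets legacy code keep running.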

This is obvious enough that I presume someone's worked on it already.

Friday, 22 March 2013

RIP Crazy Noodle

For several years Crazy Noodle Bar was one of our favourite restaurants in Newmarket. It served cheap tasty Hong Kong cafe food --- a mix of Chinese dishes and Chinese-style Western dishes. Last year it went on hiatus for six months and moved to another building a few blocks away. When it reopened, the menu quickly evolved away from its previous incarnation although there was still a resemblance and it was still pretty good.

A more disturbing change was the new decor, whose distinguishing feature was retro posters of Chairman Mao. He's an iconic figure in China, but he's also one of the top three most murderous dictators of the 20th century, so not someone I want to see celebrated. I put up with it.

It got worse. The staff showed up with Chinese military-ish uniforms, green with red epaulettes. Then last week, the name changed to Red Guard Noodle Bar. This is really the last straw. The Red Guards were Mao's vanguard of the Cultural Revolution, which was an awful and disastrous episode of Chinese history. I don't know what the proprietor of the cafe is thinking, but I'm not going back.

As an aside, I don't know why this isn't a scandal. Imagine the outcry if someone opened a "Stormtrooper Cafe" decorated with swastikas and pictures of Hitler and Röhm. I suppose it's because Mao mostly restricted his brutality to his own citizens.

Thursday, 21 March 2013

Getting The Facts

I'd feel worse about the decline of traditional media if it wasn't so disappointing when they write about issues I have first-hand knowledge of.

Today's example is a story about the lack of pedestrian access from Gilles Ave to Broadway under the new Newmarket Viaduct. The article records complaints from Cameron Brewer and Andy Smith about how the project has neglected pedestrians. Reading it, you'd think a walkway would be a real boon for pedestrians accessing Newmarket. But a glance at a map shows the truth: every route along Gilles Ave to the under-Viaduct area must pass Alpers Ave or Mortimer Pass, both of which also provide direct access to Broadway. Therefore a walkway under the Viaduct would shorten the journey to and from Newmarket for approximately zero pedestrians. (I say this as someone who walks to work in Newmarket every day, often along Gilles Ave, and could actually use this walkway regularly.)

I'm ambivalent about whether this walkway should be built. On one hand it would be nice to have and I've been looking forward to it. On the other hand perhaps our money could build a new pedestrian route that's actually useful. But the quotes from Brewer and Smith, and the tone of the article, are overblown and misleading, and the introduction of a few geographic facts would have cleared things up. I won't mourn the loss of journalists who can't or won't do this.

Tuesday, 19 March 2013

Why I Work

Recently Pascal Finette quoted Tom Chi as saying:

When you come home from your job in the evening and pretty much all you want to do is slouch on the sofa, watch a movie and have a beer: Quit your job.

There have been many times when that's all I've wanted to do. Does that mean I should quit my job? No.

Before I worked full-time on Mozilla code, my job was computer science research. I'd have to say that was more fun and intellectually stimulating than my job at Mozilla. Does that mean I should quit my job? No.

I work at Mozilla because I think God gave me talent to use for the maximum good of all, not for self-gratification. I work at Mozilla because it's the most important work I can imagine doing. And it's not just me; one of the great things about Mozilla is that many, if not most, of its people have a similar kind of motivation. Mozilla is full of very smart people who have spent years dealing with difficult and frustrating problems, often turning down lucrative offers to do other things, because they believe in what we do. I love them for it.

It would be nice if important tasks were always exciting, energizing and exhilarating. But real life just isn't always like that. Making Flash less painful for our users, or tracking down bizarre graphics driver bugs, or struggling to convince megacorporations to do the right thing, is just draining.

However, it's important to keep a sense of perspective. Most of us are paid ridiculously well to do a job which is generally less stressful or challenging than many other kinds of work. If we make a few small sacrifices, no-one should be overimpressed.

Monday, 18 March 2013

Seeking Relevance

In the media scrum around the papal election, a lot of commentators called for the Catholic church to "modernize" to "stay relevant". As a Protestant I agree my Catholic brothers and sisters could make changes for the better, but "modernizing to stay relevant" has often been a siren song that has led, and still leads, many Christian groups to heresy, torpor, and --- ironically --- irrelevance.

The problem is that calls for "relevance" tend to promote the erosion or rejection of tenets of the historic Christian faith --- such as belief in miracles, divine judgement, the authority of scripture, or even the existence of God himself --- in an effort to make Christianity more palatable to modern people. Many Protestant denominations have wholly or partly gone down this path, including New Zealand Presbyterianism of which I am a member. The effects have been disastrous along many axes. Many congregations have ceased to be Christian in all but name, and are incapable of carrying out God's work in the world. By refusing to officially apostasize, they create vast confusion over what Christianity means and (further) undermine the unity that Jesus' followers should have. And instead of making Christianity more appealing, this drive for "relevance" ultimately kills the congregations that follow it. It's easy to see empirically: unbelieving congregations tend to age and dwindle, and healthy and growing congregations tend to be more orthodox. These trends make perfect sense: if a congregation loses its "saltiness" and becomes a secular club with Christian trappings, why would the average person prefer it over another secular club without the tomfoolery? Not to mention that there can be no evangelism, no spiritual regeneration, and no working of God beyond common grace.

The institutional hegemony of the Roman Catholic church has a lot of downsides, but it has enabled them to mostly avoid going down this path --- for which I am grateful. I pray that they'll continue to ignore misguided calls to change course.

For the church to stay relevant, we must keep teaching the classic gospel of Jesus and keep making disciples in his name. To increase our relevance we need do nothing new, but do the old things better: more Christian unity, more evangelism, more faithful living, more prayer, more love. This won't happen with sweeping pronouncements, election of Popes, or even writing of blogs, but as individual Christians quietly choose to put Jesus ahead of themselves every hour of every day.

Friday, 8 March 2013

There Is No Such Thing As Computer Security

Attention Boeing, US Department of Defense, and everyone else: Please stop automating your planes, armies, etc., and connecting them to computer networks. Their security will fail and you will lose control of those assets, with dire consequences.

Seriously, why can't everyone see this? Was Lockheed being hacked via RSA not a clear enough sign?

It's the US military's conversion to drones that worries me the most in this vein. There's some seriously asymmetric warfare coming.

Wednesday, 6 March 2013

Technical Advantages Of A Web-Only Platform

Canonical's new Mir display server, and the discussion/controversy around it, illustrate some of the technical advantages of FirefoxOS.

By supporting nothing but Web applications, we've raised the level of abstraction for our platform APIs so applications are completely oblivious to how cross-process rendering and event delivery are implemented. We can evolve our implementation and our IPC protocols at will without breaking applications. (In fact we're in the middle of doing just that.)

Because Web applications expose a scene graph, we are able to gather scene graphs across processes, and combine and composite them together in the compositor process. Exchanging scene graphs instead of just surfaces lets us do sophisticated effects such as animation and scrolling of application content directly in the compositor. That has some complexity, but it's less complex and more efficient than having apps independently do their own compositing and coordinate with the system compositor.

Then it's interesting to consider what happens when you run Web apps on a non-Web mobile platform. You have to load up a browser stack that's going to look quite similar to FirefoxOS, and run it on top of the native stack and system compositor, much of whose functionality it duplicates. There's significant overhead there compared to FirefoxOS.

Avoiding that duplication also means there's less work to do for us developers. Most of the cross-process compositing work we've done for FirefoxOS is generic work that pays off for Firefox on all platforms. In fact, that's true for most of the Gecko work we've done (and will do) for FFOS. For a small organization like Mozilla that needs to punch above its weight, that's critical.

Having said that, in the rush to get FFOS ready for market we've gone out on a limb a bit and created a number of features that only work in FFOS currently. A big theme for our development in 2013 is to get those features working on all the other platforms. This will benefit the Firefox product on those platforms and also make our developers' lives easier.