1. 13
    Function interposition in Rust with upgrayedd rust security blog.yossarian.net
    yossarian avatar authored by yossarian 14 days ago |
    Archive.org Archive.today Ghostarchive
    | 6 comments

  1.  

    1. 1
      zmitchell avatar zmitchell 14 days ago | link

      Should real_read be real_rand?

      1. 1
        yossarian avatar yossarian 13 days ago | link

        Yes, thanks. Fixing it now!

    2. 1
      kbknapp avatar kbknapp 13 days ago | link

      Very interesting, and I look forward to seeing the larger project you alluded to. Was the use of libc::write in the generated code just to avoid bringing in Rust’s formatting and panic machinery, or was there another reason behind that?

      1. 1
        pmc avatar pmc 13 days ago | link

        I would assume that bit only gets called when std::mem::transmute returns null for some reason, so at that point the whole Rust runtime is not to be trusted. Not sure what would cause transmute to return null though.

        1. 1
          kornel avatar kornel 13 days ago | link

          By definition transmute can’t change the value. It’s not a conversion function, it’s a type-system cheating function.

          Also, there’s cast() on pointers that you could use to remove all transmutes and casts except the one for the fn() type.

      2. 1
        yossarian avatar yossarian 13 days ago | link

        Was the use of libc::write in the generated code just to avoid bringing in Rust’s formatting and panic machinery, or was there another reason behind that?

        Yep, exactly – if we somehow end up in a wrapper without an underlying handle to call via dlsym, then there’s a good chance either (1) the runtime is broken or (2) the user hooked something so intrinsic to the Rust runtime that their hook ran in “life before main.” In both cases we can’t rely on the panic or formatting machinery, so we have to abort directly.