This is a discussion on plt security patch within the lucky.openbsd.tech forums, part of the OpenBSD category.
Hey all,

As part of a paper some people from my research group are working on, we have developed a patch against OpenBSD that you might be interested in. It is intended to prevent malicious writes to the PLT and GOT (i.e., PLT hijacking) by verifying that the source of the write is from the runtime loader, and otherwise terminates the process.

The basic idea is to mark the PLT and the runtime loader as they are loaded into memory, and during execution to intercept writes to the PLT in the page fault handler, since the PLT has been marked read-only. Then, the instruction pointer is checked to have originated from within the runtime loader.

It's a work in progress, because it only prevents basic PLT hijacks, not more sophisticated attacks where the attacker would prepare the environment and then jump into the code in the runtime loader that would perform the overwrite on the attacker's behalf. The next version of the patch will attempt to prevent this as well, and should be done in the near future.

In any case, the current patch against OpenBSD 3.7-STABLE on i386 as well as some more information on it is located at: http://www.cs.ucsb.edu/~wkr/projects/pltsec/

I'd appreciate any feedback you guys might have.

--
William Robertson
Reliable Software Group, UC Santa Barbara
http://www.cs.ucsb.edu/~wkr/
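The policy the post describes, written out as an added model in C (this is not the patch's own code, which is at the URL above): mappings are tagged as the PLT/GOT or the runtime loader when they are created, and the page-fault path allows a write to a read-only PLT/GOT page only if the faulting instruction pointer lies inside the loader. All names and addresses are constructed; the instruction-pointer test is exactly the one the post says is still insufficient against a write performed from inside the loader's own code.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the policy in the post: mappings are tagged when
 * created, and a write fault on a PLT/GOT page is permitted only when the
 * faulting instruction pointer lies inside the runtime loader (ld.so). */
enum region_kind { REGION_OTHER, REGION_PLTGOT, REGION_LDSO };
enum fault_verdict { FAULT_PASS, FAULT_ALLOW_WRITE, FAULT_KILL };

struct region { uintptr_t start, end; enum region_kind kind; }; /* [start, end) */

#define MAX_REGIONS 16
static struct region regions[MAX_REGIONS];
static size_t nregions;

/* Stand-in for the "mark the PLT and runtime loader as they are loaded" step. */
bool region_add(uintptr_t start, uintptr_t end, enum region_kind kind) {
    if (nregions == MAX_REGIONS || start >= end) return false;
    regions[nregions++] = (struct region){ start, end, kind };
    return true;
}

static const struct region *region_lookup(uintptr_t addr) {
    for (size_t i = 0; i < nregions; i++)
        if (addr >= regions[i].start && addr < regions[i].end) return &regions[i];
    return NULL;
}

/* Decision the page-fault handler takes for a write fault at fault_addr raised
 * by the instruction at ip. PLT/GOT pages are mapped read-only, so every write
 * to them traps here. */
enum fault_verdict pltsec_write_fault(uintptr_t fault_addr, uintptr_t ip) {
    const struct region *target = region_lookup(fault_addr);
    if (target == NULL || target->kind != REGION_PLTGOT)
        return FAULT_PASS;          /* not a protected page: ordinary handling */
    const struct region *src = region_lookup(ip);
    if (src != NULL && src->kind == REGION_LDSO)
        return FAULT_ALLOW_WRITE;   /* relocation by ld.so: permit and resume */
    return FAULT_KILL;              /* any other writer: terminate the process */
}

int main(void) {
    region_add(0x1000, 0x2000, REGION_PLTGOT);     /* constructed addresses */
    region_add(0x40000, 0x50000, REGION_LDSO);
    printf("write from ld.so: %d, write from elsewhere: %d\n",
           pltsec_write_fault(0x1010, 0x40100), pltsec_write_fault(0x1010, 0x8000));
    return 0;
}
```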