Updated README
parent
660f82a823
commit
1da9f154ce
@ -8,7 +8,7 @@ Currently, this project is a RESEARCH PROTOTYPE and only for x86\_64 (to be expa
Selfpatch SRL (SPSLR) is a 3-stage system that allows ELF binaries to patch themselves (usually when starting), achieving structure layout randomization with different layouts after each reboot. In theory, there is no run-time overhead after the randomization itself has completed, though, currently, there is a 1 clock-cycle overhead per member access (so far, I was just too busy to deal with that). To do this, all instructions that perform struct field accesses are patched to use the newly generated field offsets. Additionally, all relevant variables with static storage are reordered in-memory to match the new layouts.
Selfpatch SRL (SPSLR) is a 3-stage system that allows ELF binaries to patch themselves (usually when starting), achieving structure layout randomization with different layouts after each reboot. In theory, there is no run-time overhead after the randomization itself has completed, though, currently, there is a 1 clock-cycle overhead per member access (so far, I was just too busy to deal with that). To do this, all instructions that perform struct field accesses are patched to use the newly generated field offsets. Additionally, all relevant variables with static storage are reordered in-memory to match the new layouts.
To get accurate information about what instructions and variables to patch, the spslr\_pinpoint compiler plugin follows the compilation process, labels instructions and dumps all the information it has learned. The second stage, spslr\_finalize, accumulates that data from all compilation units, matches struct types that are used in multiple units and compiles a byte-code patcher program. This patcher program is then inserted into the previously compiled target binary. The actual patcher and third stage is linked into the binary. It reads and runs the byte-code that the finalizer generated. This byte-code loads initial structure layout, randomizes them with a fance shuffle algorithm (respects alignment and struct size) and performs the patching.
To get accurate information about what instructions and variables to patch, the spslr\_pinpoint compiler plugin follows the compilation process, labels instructions and dumps all the information it has learned. The second stage, spslr\_finalize, accumulates that data from all compilation units, matches struct types that are used in multiple units and compiles a byte-code patcher program. This patcher program is then inserted into the previously compiled target binary. The actual patcher and third stage is linked into the binary. It reads and runs the byte-code that the finalizer generated. This byte-code loads initial structure layout, randomizes them with a fancy shuffle algorithm (respects alignment and struct size) and performs the patching.
After the patcher has done its thing, the binary can do whatever it always used to do and simply not worry about layouts. Though, be aware that SLR contradicts the C standard, so there is things you can do that break using SLR (e.g. casting a struct pointer to a pointer to its first element).
After the patcher has done its thing, the binary can do whatever it always used to do and simply not worry about layouts. Though, be aware that SLR contradicts the C standard, so there is things you can do that break using SLR (e.g. casting a struct pointer to a pointer to its first element).
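Review bot: the only change in this hunk is the typo fix "fance" to "fancy" in the finalizer paragraph, but the same three paragraphs carry grammar slips that should go in the same README commit: "so there is things you can do that break using SLR" should read "there are things", and "This byte-code loads initial structure layout, randomizes them" should read "loads the initial structure layouts, randomizes them". The first paragraph's "In theory, there is no run-time overhead ... though, currently, there is a 1 clock-cycle overhead per member access" would also read better as a plainly stated current limitation rather than an aside, since anyone weighing this hardening against its cost needs that number to be easy to find. Finally, the last paragraph's warning that casting a struct pointer to a pointer to its first element breaks under SLR deserves one more sentence on whether the spslr\_pinpoint plugin detects and reports such casts at build time or whether the breakage only surfaces at run time; that is the difference between a documented limitation and a silent correctness bug in patched binaries.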