Linux hardening and mitigations against memory corruption
Davide Berardi
3 December 2018
Who am I?
Davide Berardi
▶ davide.berardi6@unibo.it
▶ PhD @ University of Bologna since November 2018.
▶ Firmware Engineer @ T3Lab since December 2016.
Memory Corruption
Why I’m talking about this old vulnerability class
CVE-2018-5188: Memory safety bugs present in Firefox 60 [...] Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. [...]
CVE-2018-6069: Stack buffer overflow in Skia in Google Chrome prior to 65.0.3325.146 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page.
CVE-2018-16842: Curl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function that may result in information exposure and denial of service.
Spooky stories!
Buffer Overflow
Introduction
C Code
uint32_t a;
unsigned char b[4];
ASM
sub esp,0x8
Stack (top to bottom): a, b
Buffer Overflow
Introduction
C Code
int foo(int _) { }
foo(a);
ASM
call foo
Stack frame after the call (top to bottom): Local parameters, Return address, Saved state, Local variables
Buffer Overflow
Introduction
C Code
int foo(int _) {
uint32_t a;
char b[4];
gets(b);
return 0;
}
Stack frame of foo (top to bottom): Local parameters, Return address, Saved State, a, b
Step by step, as gets(b) reads an unbounded run of "A" bytes:
▶ gets(b) fills b: Local parameters / Return address / Saved State / a / AAAA
▶ the next bytes overwrite a: Local parameters / Return address / Saved State / AAAA / AAAA
▶ then the saved state: Local parameters / Return address / AAAA / AAAA / AAAA
▶ then the return address: Local parameters / AAAA / AAAA / AAAA / AAAA
▶ return 0: the function returns through the overwritten return address.
Buffer Overflow
Shellcode
▶ Inject code in the application.
xor %eax,%eax
push %eax
push $0x68732f2f
push $0x6e69622f
mov %esp,%ebx
push %eax
push %ebx
mov %esp,%ecx
mov $0xb,%al
int $0x80
syscall(11, "/bin/sh");
or, in other words
exec("/bin/sh");
Buffer Overflow
Shellcode
C Code
int foo(int _) {
uint32_t a;
char b[4];
gets(b);
==> return 0;
}
Stack (top to bottom): Local parameters / 0x...... (the overwritten return address, pointing at the shellcode) / Shellcode
Mitigation
Non executable stack
▶ What if the stack was not executable?
▶ PaX patch suite.
~ % checksec --output csv -f $(which ping) | awk -F , '{print $3}'
NX enabled
Buffer Overflow
Return 2 libc
C Code
int foo(int _) {
uint32_t a;
char b[4];
gets(b);
==> return 0;
}
Stack (top to bottom), built up in three steps:
▶ Local parameters / Address of system / Padding
▶ Previous AR / Fake return / Address of system / Padding
▶ Address of "/bin/sh" / Fake return / Address of system / Padding
Buffer Overflow
Return Oriented Programming
▶ What can the attacker do if the program doesn’t have any useful target function?
▶ e.g. no libc, or no functions useful for the exploitation at all.
▶ Weird machines!
(diagram: a "weird machine" maps Input to Output, and Malicious Input to an Exploit)
Buffer Overflow
ROP¹
ASM gadget1: mov eax, 11; ret
ASM gadget2: mov ebx,&"/bin/sh"; ret
ASM gadget3: mov ecx,&&"/bin/sh"; ret
ASM gadget4: mov edx,0; ret
ASM gadget5: int 0x80; ret
Stack (top to bottom): Fake Return / Address of gadget5 / Address of gadget4 / Address of gadget3 / Address of gadget2 / Address of gadget1 / Padding
¹simplified
Mitigation
ASLR
▶ Attackers need the address of functions and gadgets.
▶ Address Space Layout Randomization.
▶ cat /proc/sys/vm/mmap_rnd_bits
$ ldd $(which whoami) | awk '/libc/{print $NF}'
(0x00007f6586ee8000)
$ ldd $(which whoami) | awk '/libc/{print $NF}'
(0x00007f7bba165000)
Information Leak
printf format parameter leak
C Code:
#include <stdio.h>
#include <stdint.h>
int main(int argc, char **argv) {
uintptr_t token = 0x1234;
return printf(argv[1]);
}
Exploit:
$ ./foo hello
hello
$ ./foo %p
0x7ffedf09fb10
$ ./foo %9$p
0x1234
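As an added example (not from the slides), a scanner that counts the printf directives found in untrusted input, beside the fixed-format counterpart of the vulnerable printf(argv[1]) above; audit_format and print_untrusted are names chosen for this example.

```c
#include <stdio.h>
#include <string.h>

/* Result of scanning a string for printf directives. */
struct fmt_audit {
    int conversions;   /* directives that would consume an argument (stack slot) */
    int writes;        /* "%n" directives, which would write through a pointer */
};

/* Scan `s` the way printf scans its format: each '%' not followed by another '%'
 * opens a directive. Positional "9$" and the flag/width/precision/length
 * characters are skipped so the conversion letter itself can be inspected. */
struct fmt_audit audit_format(const char *s)
{
    struct fmt_audit r = {0, 0};
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;                       /* "%%" is a literal percent sign */
        while (*p && strchr("0123456789$-+ #.*hlLqjzt", *p))
            p++;                            /* e.g. the "9$" in "%9$p" */
        if (!*p)
            break;                          /* dangling '%' at end of string */
        r.conversions++;
        if (*p == 'n')
            r.writes++;
    }
    return r;
}

/* Safe counterpart of the slide's printf(argv[1]): untrusted text is always an
 * argument of a fixed format, so "%p" or "%9$p" in it is printed literally and
 * no stack slot is read. The audit is returned so a caller can log the attempt. */
struct fmt_audit print_untrusted(const char *text)
{
    struct fmt_audit a = audit_format(text);
    printf("%s\n", text);
    return a;
}

int main(int argc, char **argv)
{
    const char *in = argc > 1 ? argv[1] : "%9$p";   /* constructed default input */
    struct fmt_audit a = print_untrusted(in);
    if (a.conversions)
        fprintf(stderr, "input carried %d printf directive(s), %d of them %%n\n",
                a.conversions, a.writes);
    return 0;
}
```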
Information Leak
Fork ASLR
▶ Fork won’t change process mappings.
#include <stdio.h>
#include <unistd.h>
#include <sys/wait.h>
int main()
{
if (fork()) {
printf("C: %p\n", printf);
return 0;
}
printf("P: %p\n", printf);
wait(NULL);
return 0;
}
$ /tmp/test
C: 0x7f99c155b3a0
P: 0x7f99c155b3a0
$ /tmp/test
C: 0x7f8bc12253a0
P: 0x7f8bc12253a0
Side channels
Spectre CVE-2017-5753
▶ Spectre is a CPU bug tied to the BPU and the Cache.
▶ On a wrong guess of the BPU the cache isn’t invalidated.
▶ This can lead to an information leak.
if (a < b)
array2[array1[a]] "warning"
return
(diagram, step by step: the cache starts empty; while the branch is still a guess, the access array2[array1[a]] runs and its cache line is loaded; when the guess turns out to be wrong, the line stays in the cache)
▶ Now we can leak the memory!
▶ array1[a] == 2
array2[0]: ∆time ≈ x
array2[1]: ∆time ≈ x
array2[2]: ∆time ≪ x
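The bounds-checked access above hardened with index masking, as an added example that is not part of the slides: the branch-free clamp is the portable form of the Linux kernel's array_index_nospec(), and array1, array2 and their sizes are constructed for the demonstration.

```c
#include <stdint.h>
#include <limits.h>

#define BITS_PER_LONG (sizeof(unsigned long) * CHAR_BIT)

/* Branch-free mask: all ones when index < size, zero otherwise. This is the
 * generic C form of the kernel's array_index_mask_nospec(). It relies on an
 * arithmetic right shift of a negative long (gcc/clang behaviour) and on both
 * operands being below 2^(BITS_PER_LONG-1). */
unsigned long array_index_mask_nospec(unsigned long index, unsigned long size)
{
    return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
}

/* Clamp an index with the mask: an out-of-range index becomes 0. There is no
 * branch here for the BPU to guess, so the clamp also holds under speculation. */
unsigned long array_index_nospec(unsigned long index, unsigned long size)
{
    return index & array_index_mask_nospec(index, size);
}

enum { ARRAY1_SIZE = 16 };
static const uint8_t array1[ARRAY1_SIZE] = { 0, 1, 2, 3, 4, 5, 6, 7,
                                             8, 9, 10, 11, 12, 13, 14, 15 };
static uint8_t array2[256 * 64];       /* one cache line per possible byte value */

/* The slide's gadget with the fix applied: the bounds check is still there for
 * correctness, but the index used for the memory access is the clamped one, so
 * a mispredicted branch can only ever touch array1[0]. Returns -1 out of range. */
int victim_masked(unsigned long a)
{
    if (a < ARRAY1_SIZE) {
        a = array_index_nospec(a, ARRAY1_SIZE);
        return array2[array1[a] * 64];
    }
    return -1;
}
```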
Mitigation
Stack canaries
gcc -fstack-protector{,-all,-strong,-explicit}
mov %fs:0x28,%rax
mov %rax,-0x8(%rbp)
...
mov -0x8(%rbp),%rcx
xor %fs:0x28,%rcx
je foo+131
callq __stack_chk_fail
...
Stack frame (top to bottom): Local parameters / Return address / Stack Canary / Saved State / a / b
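An added example (not from the slides) that models the frame from the gets(b) animation earlier in the deck together with the canary check in the listing above: a constructed struct stands in for the stack frame so the overflow is simulated inside one object, and the field names and sample canary are chosen here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Model of foo()'s frame, lowest address first. The canary sits just below the
 * saved frame pointer, where gcc -fstack-protector stores it (mov %rax,-0x8(%rbp)
 * in the listing). The real layout is up to the compiler; this struct is a
 * constructed stand-in so the copy below stays inside one object. */
struct frame {
    char     b[4];
    uint32_t a;
    uint32_t canary;
    uint32_t saved_bp;    /* "Saved State" */
    uint32_t ret;         /* "Return address" */
};

enum { HIT_A = 1, HIT_CANARY = 2, HIT_SAVED = 4, HIT_RET = 8 };

/* Fresh frame with a caller-supplied canary and return address (a real process
 * takes the canary from %fs:0x28, which glibc fills with random bytes at start). */
void frame_init(struct frame *f, uint32_t canary, uint32_t ret)
{
    memset(f, 0, sizeof *f);
    f->canary = canary;
    f->saved_bp = 0xbfff0000u;   /* constructed placeholder for the saved %ebp */
    f->ret = ret;
}

/* Simulate gets(b) on n input bytes: gets() has no bound, so whatever does not
 * fit in b spills upward through a, the canary, the saved state and the return
 * address, in the order the animation shows. Returns a bitmask of the fields
 * the input reached. */
int simulate_gets(struct frame *f, const char *input, size_t n)
{
    if (n > sizeof *f)
        n = sizeof *f;                            /* the model ends at this frame */
    memcpy(f, input, n);
    int hit = 0;
    if (n > offsetof(struct frame, a))        hit |= HIT_A;
    if (n > offsetof(struct frame, canary))   hit |= HIT_CANARY;
    if (n > offsetof(struct frame, saved_bp)) hit |= HIT_SAVED;
    if (n > offsetof(struct frame, ret))      hit |= HIT_RET;
    return hit;
}

/* Bounded replacement for gets(): copies at most sizeof b - 1 bytes and always
 * NUL-terminates, so nothing above b can be reached. */
int bounded_read(struct frame *f, const char *input, size_t n)
{
    size_t keep = n < sizeof f->b - 1 ? n : sizeof f->b - 1;
    memcpy(f->b, input, keep);
    f->b[keep] = '\0';
    return 0;                                     /* no field outside b was touched */
}

/* The epilogue check from the listing: reload the canary and XOR it with the
 * reference; a non-zero result means the frame was smashed and __stack_chk_fail
 * would abort instead of returning. Returns 1 when returning is safe. */
int canary_ok(const struct frame *f, uint32_t reference)
{
    return (f->canary ^ reference) == 0;
}

int main(void)
{
    struct frame f;
    const uint32_t ref = 0x4f2a9c01u;             /* constructed random canary */
    frame_init(&f, ref, 0x08048500u);             /* constructed return address */
    int hit = simulate_gets(&f, "AAAAAAAAAA" "AAAAAAAAAA", 20);  /* 20 bytes reach ret */
    printf("fields hit: %#x, ret is now %#x, safe to return: %d\n",
           hit, f.ret, canary_ok(&f, ref));
    frame_init(&f, ref, 0x08048500u);
    bounded_read(&f, "AAAAAAAAAA" "AAAAAAAAAA", 20);
    printf("after bounded read: ret %#x, safe to return: %d\n", f.ret, canary_ok(&f, ref));
    return 0;
}
```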
Mitigation
Stack canaries
▶ Terminator Canary: 0x000d0aff
▶ Random Canary: 0xXXXXXXXX
▶ Xor Canary: 0xXXXXXXXX ⊕ Data
▶ Pointer Encryption: QARMA_E(Ret.Addr)
Memory Corruptions
-fsanitize
Vulnerable program:
#include <stdio.h>
#include <stdlib.h>
int main(int argc, char **argv)
{
void *s[64] = {};
printf("%p\n", s[63 - atoi(argv[1])]);
return 0;
}
$ clang test.c
$ ./a.out 1
(nil)
$ ./a.out 2
(nil)
$ ./a.out -1
0x7ffe3187bf10
Fuzzer
AFL
▶ American Fuzzy Lop.
Advanced attacks
▶ Heap Overflow;
▶ Integer overflow;
▶ Race conditions (TOCTTOU, Dirty cow, ...);
▶ Type confusion;
▶ Data-only attacks;
▶ Side channels (Spectre, Meltdown, RowHammer, ...);
▶ sROP.
Advanced mitigations
▶ RelRO.
▶ PIE.
▶ Memory Tagging.
▶ Pointer Authentication.
▶ OpenBSD-style malloc.
▶ BPF_HARDEN.
▶ Shadow stacks.
▶ Alloca Checks.
▶ Guard Pages.
▶ PAX and GRSEC patches (PAX_REFCOUNT,
PAX_SIZE_OVERFLOW, PAX_USERCOPY,
PAX_MEMORY_STACKLEAK, PAX_MEMORY_STRUCTLEAK,
PAX_MEMORY_SANITIZE, GRSEC_HIDESYM,
PAX_CONSTIFY_PLUGIN, PAX_MEMORY_UNDERREF, ...).
▶ CFI / GRSEC RAP.
Thank you for your attention.
Mitigation
Shadow stacks
▶ A shadow stack is a stack which is not editable by the attacker.
▶ Upon a return from a procedure the application compares the call-stack value with its shadow value; if they differ an exception is raised.
(diagram: Input → Exec → Return → Output, with the shadow stack compared against the call stack at each return)
Mitigation
Guard Pages
▶ A guard page (a memory page) is placed between the stack and the heap.
(diagram: Stack / Heap without a guard page, versus Stack / Guard / Heap with one)
Other problems
Alloca and VLA
▶ alloca allocates memory on the stack; this facilitates stack smashing and stack overflow!
▶ There are alloca checkers, so you can trace and hunt bugs based on this feature.
int *x = alloca(3 * sizeof(int));
▶ VLA (variable length arrays), allocated using alloca.
▶ Security nightmare (and bad practice)!
int foo(int a)
{
int x[a];
return 0;
}
Mitigation
RelRO
▶ A position independent executable can be placed in every part of the memory.
▶ The linker needs to use two tables to load the dependencies: GOT and PLT;
<main>
callq 1030 <printf@plt>
...
<printf@plt>:
jmpq *0x2fe2(%rip) # printf@GLIBC_2.2.5
pushq $0x0
jmpq 1020 <.plt>
▶ These tables are still writable, so they can be used to hijack functions!
▶ RelRO places these tables in read-only memory, so only an offset needs to be known at loading time.
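An added example (not from the slides) that performs the PIE, NX and RELRO checks the checksec line earlier in the deck reports, by parsing the ELF program headers directly; build_sample fabricates a minimal image for offline runs, and the constants mirror <elf.h>.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Minimal ELF64 constants (same values as <elf.h>), kept local so the example is
 * self-contained; fields are read byte-wise, so no struct casts or alignment. */
#define ET_DYN        3            /* shared object: what a PIE is */
#define PT_GNU_STACK  0x6474e551   /* stack permissions requested from the loader */
#define PT_GNU_RELRO  0x6474e552   /* region (GOT, ...) made read-only after relocation */
#define PF_X          1
#define EHDR_SIZE     64
#define PHDR_SIZE     56

struct hardening {
    int valid;   /* parsed as a little-endian ELF64 image */
    int pie;     /* e_type == ET_DYN */
    int nx;      /* PT_GNU_STACK present and not PF_X */
    int relro;   /* PT_GNU_RELRO present */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static uint64_t rd64(const uint8_t *p) { return rd32(p) | (uint64_t)rd32(p + 4) << 32; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, v & 0xffff); wr16(p + 2, v >> 16); }

/* Walk the program headers of an in-memory ELF64 image and report what the
 * slides check with checksec. Every offset is bounds-checked against len, so a
 * truncated or hostile file cannot push the parser past the buffer. With no
 * PT_GNU_STACK entry nx stays 0: the loader then applies its legacy default,
 * which on x86 is an executable stack. */
struct hardening inspect_elf(const uint8_t *img, size_t len)
{
    struct hardening h = {0, 0, 0, 0};
    if (len < EHDR_SIZE || memcmp(img, "\x7f" "ELF", 4) != 0 || img[4] != 2 || img[5] != 1)
        return h;                                   /* not a little-endian ELF64 */
    uint64_t phoff = rd64(img + 32);
    uint16_t phentsize = rd16(img + 54), phnum = rd16(img + 56);
    if (phentsize < PHDR_SIZE || phoff > len)
        return h;
    h.valid = 1;
    h.pie = rd16(img + 16) == ET_DYN;
    for (uint16_t i = 0; i < phnum; i++) {
        uint64_t off = phoff + (uint64_t)i * phentsize;   /* cannot wrap: phoff <= len */
        if (off > len || len - off < PHDR_SIZE) {
            h.valid = 0;                                /* header table is truncated */
            return h;
        }
        uint32_t type = rd32(img + off), flags = rd32(img + off + 4);
        if (type == PT_GNU_STACK)
            h.nx = (flags & PF_X) == 0;
        else if (type == PT_GNU_RELRO)
            h.relro = 1;
    }
    return h;
}

/* Constructed sample: a header plus one or two program headers, enough for the
 * parser to classify it (not a loadable binary). hardened=1 models a PIE with a
 * non-executable stack and RELRO; hardened=0 an old-style ET_EXEC with RWX stack. */
size_t build_sample(uint8_t *buf, int hardened)
{
    int nph = hardened ? 2 : 1;
    memset(buf, 0, EHDR_SIZE + 2 * PHDR_SIZE);
    memcpy(buf, "\x7f" "ELF", 4);
    buf[4] = 2; buf[5] = 1; buf[6] = 1;                 /* ELFCLASS64, LSB, EV_CURRENT */
    wr16(buf + 16, hardened ? ET_DYN : 2);              /* 2 == ET_EXEC */
    wr16(buf + 18, 62);                                 /* EM_X86_64 */
    wr32(buf + 20, 1);
    wr32(buf + 32, EHDR_SIZE);                          /* e_phoff (high half stays 0) */
    wr16(buf + 52, EHDR_SIZE);
    wr16(buf + 54, PHDR_SIZE);
    wr16(buf + 56, (uint16_t)nph);
    uint8_t *ph = buf + EHDR_SIZE;
    wr32(ph, PT_GNU_STACK);
    wr32(ph + 4, hardened ? 6 : 7);                     /* PF_R|PF_W vs PF_R|PF_W|PF_X */
    if (hardened) {
        wr32(ph + PHDR_SIZE, PT_GNU_RELRO);
        wr32(ph + PHDR_SIZE + 4, 4);                    /* PF_R */
    }
    return EHDR_SIZE + nph * PHDR_SIZE;
}

int main(int argc, char **argv)
{
    static uint8_t image[1 << 20];                      /* headers live at the file start */
    size_t len = build_sample(image, 1);                /* default: the constructed sample */
    if (argc > 1) {                                     /* or a real binary from argv[1] */
        FILE *fp = fopen(argv[1], "rb");
        if (!fp) { perror(argv[1]); return 1; }
        len = fread(image, 1, sizeof image, fp);
        fclose(fp);
    }
    struct hardening h = inspect_elf(image, len);
    printf("valid=%d PIE=%d NX=%d RELRO=%d\n", h.valid, h.pie, h.nx, h.relro);
    return 0;
}
```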
Buffer Overflow
SROP
▶ Using ROP we can place on the stack a gadget which contains the sigreturn system call.
▶ Before that we can place a fake sigcontext_t structure.
▶ The program will return to the allocated context, effectively running our shellcode.
(stack diagram: sigreturn gadget / sigcontext_t)
▶ Mitigations are similar to the ones described for stack smashing: signal cookies (stack canaries), ASLR, ...
▶ Disabled vsyscall support.
Mitigations
Intel MPX
▶ From Intel generation 6 (Skylake).
▶ Registers and instructions to check if pointer bounds are valid.
BNDCU BND2
Buffer Overflow
Heap Overflow
▶ We can hijack malloc control fields (malloc-maleficarium, House of Einherjar).
#include <cstdio>
#include <cstring>
class O {
private:
char buf[256];
public:
void getusr(char *b) {
strcpy(buf, b);
}
virtual void print() {
printf("%s\n", buf);
}
};
int main(int argc, char **argv)
{
O *o[2] = {new O(), new O()};
o[0]->getusr(argv[1]);
o[1]->getusr(argv[2]);
o[0]->print();
o[1]->print();
}
Heap layout (low to high): o[0]->vtable / o[0]->buf / o[1]->vtable / o[1]->buf
After the overflow of o[0]->buf: o[0]->vtable / AAAA (o[0]->buf) / AAAA (o[1]->vtable, overwritten) / BBBB (o[1]->buf)
Side channels
Row hammer
▶ Data handling in DRAM is susceptible to massaging: repeatedly accessing one row can flip bits in the neighbouring rows.
▶ Resolved in LPDDR4.
▶ Can bypass ECC!
(diagram: a Write to one row leaves a neighbouring row Manipulated)
Control Flow Integrity
clang -fsanitize=cfi -fvisibility=hidden -flto
▶ You can view your program as a graph.
▶ Forward-edge control-flow integrity
▶ Backward-edge control-flow integrity
#include <stdlib.h>
typedef void *(*foo_t)(void *);
void *foo(void *_) { ... }
void *bar(void *_) { ... }
foo_t foos[2] = { foo, bar };
int main(int argc, char **argv) {
foos[atoi(argv[1])](NULL);   /* indirect call through a user-chosen index */
return 0;
}
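A hand-written forward-edge check in the spirit of -fsanitize=cfi, as an added example not from the slides: the indirect call through foos[] is validated against the set of legitimate foo_t targets before it happens; foo, bar, rogue and the table contents are constructed here.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

typedef void *(*foo_t)(void *);

void *foo(void *_) { (void)_; return "foo"; }
void *bar(void *_) { (void)_; return "bar"; }
/* Not a legitimate target for a foo_t call site: stands in for a pointer that
 * was injected or corrupted. */
void *rogue(void *_) { (void)_; return "rogue"; }

/* The functions a foo_t call may legitimately reach. clang -fsanitize=cfi derives
 * such a set from the function type at link time (hence -flto); here it is
 * written out by hand for the example. */
static const foo_t allowed_targets[] = { foo, bar };

/* Forward-edge check: the indirect call only proceeds when the pointer is one
 * of the known targets; anything else is rejected before control transfers.
 * Returns 0 on success, -1 on a CFI violation (a trap under -fsanitize=cfi). */
int cfi_call(foo_t target, void *arg, void **result)
{
    for (size_t i = 0; i < sizeof allowed_targets / sizeof allowed_targets[0]; i++) {
        if (allowed_targets[i] == target) {
            *result = target(arg);
            return 0;
        }
    }
    *result = NULL;
    return -1;
}

/* The slide's dispatch table with two checks added: the user-chosen index is
 * bounds-checked (-2) and the loaded pointer is validated (-1) before the call. */
foo_t foos[2] = { foo, bar };

int dispatch(int idx, void **result)
{
    if (idx < 0 || idx >= 2) {
        *result = NULL;
        return -2;
    }
    return cfi_call(foos[idx], NULL, result);
}

/* Constructed scenario: foos[1] has been overwritten (for instance by a heap
 * overflow like the one in the slides) and now points at rogue. The CFI check
 * refuses the call even though the index itself is in range. */
int hijacked_dispatch(void **result)
{
    foo_t saved = foos[1];
    foos[1] = rogue;
    int rc = dispatch(1, result);
    foos[1] = saved;
    return rc;
}

int main(int argc, char **argv)
{
    void *r;
    int idx = argc > 1 ? atoi(argv[1]) : 0;
    int rc = dispatch(idx, &r);
    printf("dispatch(%d): rc=%d result=%s\n", idx, rc, rc == 0 ? (const char *)r : "(blocked)");
    rc = hijacked_dispatch(&r);
    printf("hijacked table: rc=%d\n", rc);
    return 0;
}
```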
Side channels
Meltdown
▶ For performance, the memory mapping is not changed upon a context switch (but the kernel part is protected using a guard value).
raise_exception();
// the line below is never reached
access(probe_array[data * 4096]);
▶ With KAISER the kernel is swapped out of the user-space mapping.
Side channels
SpectreV2
▶ Indirect branch predictions.
C++:
class Base {
public:
virtual void Foo() = 0;
};
class Derived : public Base {
public:
void Foo() override { … }
};
Base* obj = new Derived;
obj->Foo();
ASM:
...
jmp [r15]
...
Side channels
Spectre Mitigations
▶ LFENCE - serialization instruction:
lfence
; All following instructions
; are serialized.
▶ Retpoline - hack to avoid processor speculation on indirect branch prediction. Retpoline will rewrite the indirect jump
jmp [r15]
to:
call set_up_target
loop:
pause
jmp loop
set_up_target:
mov [rsp], r15
ret
Fuzzer
Syzkaller
Kernel Self Protection Project
▶ Not protecting user space applications.
▶ Not protecting against specific attacks.
▶ But protecting the kernel itself from attack classes.
▶ https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project

Mais conteúdo relacionado

Mais procurados

Building Network Functions with eBPF & BCC
Building Network Functions with eBPF & BCCBuilding Network Functions with eBPF & BCC
Building Network Functions with eBPF & BCC
Kernel TLV
 
Lcu14 101- coresight overview
Lcu14 101- coresight overviewLcu14 101- coresight overview
Lcu14 101- coresight overview
Linaro
 
netfilter and iptables
netfilter and iptablesnetfilter and iptables
netfilter and iptables
Kernel TLV
 

Mais procurados (20)

Debian Linux on Zynq (Xilinx ARM-SoC FPGA) Setup Flow (Vivado 2015.4)
Debian Linux on Zynq (Xilinx ARM-SoC FPGA) Setup Flow (Vivado 2015.4)Debian Linux on Zynq (Xilinx ARM-SoC FPGA) Setup Flow (Vivado 2015.4)
Debian Linux on Zynq (Xilinx ARM-SoC FPGA) Setup Flow (Vivado 2015.4)
 
Building
BuildingBuilding
Building
 
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernelKernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
 
MOVED: RDK/WPE Port on DB410C - SFO17-206
MOVED: RDK/WPE Port on DB410C - SFO17-206MOVED: RDK/WPE Port on DB410C - SFO17-206
MOVED: RDK/WPE Port on DB410C - SFO17-206
 
Building Network Functions with eBPF & BCC
Building Network Functions with eBPF & BCCBuilding Network Functions with eBPF & BCC
Building Network Functions with eBPF & BCC
 
OpenWrt From Top to Bottom
OpenWrt From Top to BottomOpenWrt From Top to Bottom
OpenWrt From Top to Bottom
 
Linux Kernel Crashdump
Linux Kernel CrashdumpLinux Kernel Crashdump
Linux Kernel Crashdump
 
Emerging Persistent Memory Hardware and ZUFS - PM-based File Systems in User ...
Emerging Persistent Memory Hardware and ZUFS - PM-based File Systems in User ...Emerging Persistent Memory Hardware and ZUFS - PM-based File Systems in User ...
Emerging Persistent Memory Hardware and ZUFS - PM-based File Systems in User ...
 
Embedding Linux On The Encore Simputer
Embedding Linux On The Encore SimputerEmbedding Linux On The Encore Simputer
Embedding Linux On The Encore Simputer
 
Tegra 186のu-boot & Linux
Tegra 186のu-boot & LinuxTegra 186のu-boot & Linux
Tegra 186のu-boot & Linux
 
A Journey to Boot Linux on Raspberry Pi
A Journey to Boot Linux on Raspberry PiA Journey to Boot Linux on Raspberry Pi
A Journey to Boot Linux on Raspberry Pi
 
Kernel Recipes 2019 - CVEs are dead, long live the CVE!
Kernel Recipes 2019 - CVEs are dead, long live the CVE!Kernel Recipes 2019 - CVEs are dead, long live the CVE!
Kernel Recipes 2019 - CVEs are dead, long live the CVE!
 
Kernel Recipes 2019 - BPF at Facebook
Kernel Recipes 2019 - BPF at FacebookKernel Recipes 2019 - BPF at Facebook
Kernel Recipes 2019 - BPF at Facebook
 
Lcu14 101- coresight overview
Lcu14 101- coresight overviewLcu14 101- coresight overview
Lcu14 101- coresight overview
 
Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021
Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021
Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021
 
U-boot and Android Verified Boot 2.0
U-boot and Android Verified Boot 2.0U-boot and Android Verified Boot 2.0
U-boot and Android Verified Boot 2.0
 
netfilter and iptables
netfilter and iptablesnetfilter and iptables
netfilter and iptables
 
Docker deploy
Docker deployDocker deploy
Docker deploy
 
Kernel Recipes 2019 - Metrics are money
Kernel Recipes 2019 - Metrics are moneyKernel Recipes 2019 - Metrics are money
Kernel Recipes 2019 - Metrics are money
 
eBPF Basics
eBPF BasicseBPF Basics
eBPF Basics
 

Semelhante a Davide Berardi - Linux hardening and security measures against Memory corruption

Potapenko, vyukov forewarned is forearmed. a san and tsan
Potapenko, vyukov   forewarned is forearmed. a san and tsanPotapenko, vyukov   forewarned is forearmed. a san and tsan
Potapenko, vyukov forewarned is forearmed. a san and tsan
DefconRussia
 
Crash_Report_Mechanism_In_Tizen
Crash_Report_Mechanism_In_TizenCrash_Report_Mechanism_In_Tizen
Crash_Report_Mechanism_In_Tizen
Lex Yu
 
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
Jagadisha Maiya
 
Bytes in the Machine: Inside the CPython interpreter
Bytes in the Machine: Inside the CPython interpreterBytes in the Machine: Inside the CPython interpreter
Bytes in the Machine: Inside the CPython interpreter
akaptur
 
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
tutorialsruby
 

Semelhante a Davide Berardi - Linux hardening and security measures against Memory corruption (20)

04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Plugins
 
Valgrind
ValgrindValgrind
Valgrind
 
Meltdown & Spectre
Meltdown & Spectre Meltdown & Spectre
Meltdown & Spectre
 
02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stack02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stack
 
Potapenko, vyukov forewarned is forearmed. a san and tsan
Potapenko, vyukov   forewarned is forearmed. a san and tsanPotapenko, vyukov   forewarned is forearmed. a san and tsan
Potapenko, vyukov forewarned is forearmed. a san and tsan
 
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
 
Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)
Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)
Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)
 
Meltdown & spectre
Meltdown & spectreMeltdown & spectre
Meltdown & spectre
 
Defcon 22-colby-moore-patrick-wardle-synack-drop cam
Defcon 22-colby-moore-patrick-wardle-synack-drop camDefcon 22-colby-moore-patrick-wardle-synack-drop cam
Defcon 22-colby-moore-patrick-wardle-synack-drop cam
 
Windbg랑 친해지기
Windbg랑 친해지기Windbg랑 친해지기
Windbg랑 친해지기
 
Leak kernel pointer by exploiting uninitialized uses in Linux kernel
Leak kernel pointer by exploiting uninitialized uses in Linux kernelLeak kernel pointer by exploiting uninitialized uses in Linux kernel
Leak kernel pointer by exploiting uninitialized uses in Linux kernel
 
Crash_Report_Mechanism_In_Tizen
Crash_Report_Mechanism_In_TizenCrash_Report_Mechanism_In_Tizen
Crash_Report_Mechanism_In_Tizen
 
Troubleshooting Linux Kernel Modules And Device Drivers
Troubleshooting Linux Kernel Modules And Device DriversTroubleshooting Linux Kernel Modules And Device Drivers
Troubleshooting Linux Kernel Modules And Device Drivers
 
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
 
03 - Refresher on buffer overflow in the old days
03 - Refresher on buffer overflow in the old days03 - Refresher on buffer overflow in the old days
03 - Refresher on buffer overflow in the old days
 
Pragmatic Optimization in Modern Programming - Demystifying the Compiler
Pragmatic Optimization in Modern Programming - Demystifying the CompilerPragmatic Optimization in Modern Programming - Demystifying the Compiler
Pragmatic Optimization in Modern Programming - Demystifying the Compiler
 
Bytes in the Machine: Inside the CPython interpreter
Bytes in the Machine: Inside the CPython interpreterBytes in the Machine: Inside the CPython interpreter
Bytes in the Machine: Inside the CPython interpreter
 
07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters
 
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
 

Mais de linuxlab_conf

Bruno Verachten - The Android device farm that fits in a (cloudy) pocket
Bruno Verachten - The Android device farm that fits in a (cloudy) pocketBruno Verachten - The Android device farm that fits in a (cloudy) pocket
Bruno Verachten - The Android device farm that fits in a (cloudy) pocket
linuxlab_conf
 
Claudio Scordino - Handling mixed criticality on embedded multi-core systems
Claudio Scordino - Handling mixed criticality on embedded multi-core systemsClaudio Scordino - Handling mixed criticality on embedded multi-core systems
Claudio Scordino - Handling mixed criticality on embedded multi-core systems
linuxlab_conf
 
Jacopo Mondi - Complex cameras are complex
Jacopo Mondi - Complex cameras are complexJacopo Mondi - Complex cameras are complex
Jacopo Mondi - Complex cameras are complex
linuxlab_conf
 
Emanuele Faranda - Creating network overlays with IoT devices using N2N
Emanuele Faranda - Creating network overlays with IoT devices using N2NEmanuele Faranda - Creating network overlays with IoT devices using N2N
Emanuele Faranda - Creating network overlays with IoT devices using N2N
linuxlab_conf
 
Valerio Di Giampietro - Introduction To IoT Reverse Engineering with an examp...
Valerio Di Giampietro - Introduction To IoT Reverse Engineering with an examp...Valerio Di Giampietro - Introduction To IoT Reverse Engineering with an examp...
Valerio Di Giampietro - Introduction To IoT Reverse Engineering with an examp...
linuxlab_conf
 

Mais de linuxlab_conf (16)

Jonathan Corbet - Keynote: The Kernel Report
Jonathan Corbet - Keynote: The Kernel ReportJonathan Corbet - Keynote: The Kernel Report
Jonathan Corbet - Keynote: The Kernel Report
 
Marco Cavallini - Yocto Project, an automatic generator of embedded Linux dis...
Marco Cavallini - Yocto Project, an automatic generator of embedded Linux dis...Marco Cavallini - Yocto Project, an automatic generator of embedded Linux dis...
Marco Cavallini - Yocto Project, an automatic generator of embedded Linux dis...
 
Bruno Verachten - The Android device farm that fits in a (cloudy) pocket
Bruno Verachten - The Android device farm that fits in a (cloudy) pocketBruno Verachten - The Android device farm that fits in a (cloudy) pocket
Bruno Verachten - The Android device farm that fits in a (cloudy) pocket
 
Jagan Teki - U-boot from scratch
Jagan Teki - U-boot from scratchJagan Teki - U-boot from scratch
Jagan Teki - U-boot from scratch
 
Claudio Scordino - Handling mixed criticality on embedded multi-core systems
Claudio Scordino - Handling mixed criticality on embedded multi-core systemsClaudio Scordino - Handling mixed criticality on embedded multi-core systems
Claudio Scordino - Handling mixed criticality on embedded multi-core systems
 
Jacopo Mondi - Complex cameras are complex
Jacopo Mondi - Complex cameras are complexJacopo Mondi - Complex cameras are complex
Jacopo Mondi - Complex cameras are complex
 
Alessio Lama - Development and testing of a safety network protocol
Alessio Lama - Development and testing of a safety network protocolAlessio Lama - Development and testing of a safety network protocol
Alessio Lama - Development and testing of a safety network protocol
 
Emanuele Faranda - Creating network overlays with IoT devices using N2N
Emanuele Faranda - Creating network overlays with IoT devices using N2NEmanuele Faranda - Creating network overlays with IoT devices using N2N
Emanuele Faranda - Creating network overlays with IoT devices using N2N
 
Dario Faggioli - Virtualization in the age of speculative execution HW bugs
Dario Faggioli - Virtualization in the age of speculative execution HW bugsDario Faggioli - Virtualization in the age of speculative execution HW bugs
Dario Faggioli - Virtualization in the age of speculative execution HW bugs
 
Valerio Di Giampietro - Introduction To IoT Reverse Engineering with an examp...
Valerio Di Giampietro - Introduction To IoT Reverse Engineering with an examp...Valerio Di Giampietro - Introduction To IoT Reverse Engineering with an examp...
Valerio Di Giampietro - Introduction To IoT Reverse Engineering with an examp...
 
Mirko Damiani - An Embedded soft real time distributed system in Go
Mirko Damiani - An Embedded soft real time distributed system in GoMirko Damiani - An Embedded soft real time distributed system in Go
Mirko Damiani - An Embedded soft real time distributed system in Go
 
Tommaso Cucinotta - Low-latency and power-efficient audio applications on Linux
Tommaso Cucinotta - Low-latency and power-efficient audio applications on LinuxTommaso Cucinotta - Low-latency and power-efficient audio applications on Linux
Tommaso Cucinotta - Low-latency and power-efficient audio applications on Linux
 
Stefano Cordibella - An introduction to Yocto Project
Stefano Cordibella - An introduction to Yocto ProjectStefano Cordibella - An introduction to Yocto Project
Stefano Cordibella - An introduction to Yocto Project
 
Luca Cipriani - Control your Embedded Linux remotely by using MQTT and a web ...
Luca Cipriani - Control your Embedded Linux remotely by using MQTT and a web ...Luca Cipriani - Control your Embedded Linux remotely by using MQTT and a web ...
Luca Cipriani - Control your Embedded Linux remotely by using MQTT and a web ...
 
Luca Abeni - Real-Time Virtual Machines with Linux and kvm
Luca Abeni - Real-Time Virtual Machines with Linux and kvmLuca Abeni - Real-Time Virtual Machines with Linux and kvm
Luca Abeni - Real-Time Virtual Machines with Linux and kvm
 
Luca Ceresoli - Buildroot vs Yocto: Differences for Your Daily Job
Luca Ceresoli - Buildroot vs Yocto: Differences for Your Daily JobLuca Ceresoli - Buildroot vs Yocto: Differences for Your Daily Job
Luca Ceresoli - Buildroot vs Yocto: Differences for Your Daily Job
 

Último

The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is inside
shinachiaurasa2
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
masabamasaba
 
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
masabamasaba
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
masabamasaba
 
Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...
Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...
Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...
Medical / Health Care (+971588192166) Mifepristone and Misoprostol tablets 200mg
 
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
chiefasafspells
 

Último (20)

Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 
%in Benoni+277-882-255-28 abortion pills for sale in Benoni
%in Benoni+277-882-255-28 abortion pills for sale in Benoni%in Benoni+277-882-255-28 abortion pills for sale in Benoni
%in Benoni+277-882-255-28 abortion pills for sale in Benoni
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
 
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park %in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
 
The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is inside
 
%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg
%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg

Davide Berardi - Linux hardening and security measures against Memory corruption

• 12. Buffer Overflow: Introduction
  C Code:
    int foo(int _) {
        uint32_t a;
        char b[4];
    ==> gets(b);
        return 0;
    }
  Stack frame:
    Local parameters
    A A A A
    A A A A
    A A A A
    A A A A
• 13. Buffer Overflow: Introduction
  C Code:
    int foo(int _) {
        uint32_t a;
        char b[4];
        gets(b);
    ==> return 0;
    }
  Stack frame:
    Local parameters
    A A A A
    A A A A
    A A A A
    A A A A
• 15. Buffer Overflow: Shellcode
  ▶ Inject code in the application.
    xor %eax,%eax
    push %eax
    push $0x68732f2f
    push $0x6e69622f
    mov %esp,%ebx
    push %eax
    push %ebx
    mov %esp,%ecx
    mov $0xb,%al
    int $0x80
  syscall(11, "/bin/sh"); or, in other words, exec("/bin/sh");
• 16. Buffer Overflow: Shellcode
  C Code:
    int foo(int _) {
        uint32_t a;
        char b[4];
        gets(b);
    ==> return 0;
    }
  Stack frame:
    Local parameters
    0x...... (overwritten return address)
    Shellcode
• 18. Mitigation: Non-executable stack
  ▶ What if the stack was not executable?
  ▶ PaX patch suite.
    ~ % checksec --output csv -f $(which ping) | awk -F , '{print $3}'
    NX enabled
• 20-22. Buffer Overflow: Return 2 libc
  C Code:
    int foo(int _) {
        uint32_t a;
        char b[4];
        gets(b);
    ==> return 0;
    }
  Stack frame (slide 20):
    Local parameters
    Address of system
    Padding
  Stack frame (slide 21):
    Previous AR
    Fake return
    Address of system
    Padding
  Stack frame (slide 22):
    Address of "/bin/sh"
    Fake return
    Address of system
    Padding
• 23. Buffer Overflow: Return Oriented Programming
  ▶ What can the attacker do if the program doesn't have any useful target function?
  ▶ e.g. no libc, or no functions that are useful for the exploitation at all.
  ▶ Weird machines!
  [diagram: Input -> Weird Machine -> Output; Malicious Input -> Weird Machine -> Exploit]
• 24. Buffer Overflow: ROP¹
  ASM gadget1: mov eax, 11; ret
  ASM gadget2: mov ebx, &"/bin/sh"; ret
  ASM gadget3: mov ecx, &&"/bin/sh"; ret
  ASM gadget4: mov edx, 0; ret
  ASM gadget5: int 0x80; ret
  Stack frame:
    Fake Return
    Address of gadget5
    Address of gadget4
    Address of gadget3
    Address of gadget2
    Address of gadget1
    Padding
  ¹ simplified
• 25. Mitigation: ASLR
  ▶ Attackers need the address of functions and gadgets.
  ▶ Address Space Layout Randomization.
  ▶ cat /proc/sys/vm/mmap_rnd_bits
    $ ldd $(which whoami) | awk '/libc/{print $NF}'
    (0x00007f6586ee8000)
    $ ldd $(which whoami) | awk '/libc/{print $NF}'
    (0x00007f7bba165000)
• 26. Information Leak: printf format parameter leak
  C Code:
    #include <stdio.h>
    #include <stdint.h>
    int main(int argc, char **argv) {
        uintptr_t token = 0x1234;
        return printf(argv[1]);
    }
  Exploit:
    $ ./foo hello
    hello
    $ ./foo %p
    0x7ffedf09fb10
    $ ./foo %9$p
    0x1234
• 27. Information Leak: Fork ASLR
  ▶ Fork won't change process mappings.
    #include <stdio.h>
    #include <unistd.h>
    #include <sys/wait.h>
    int main() {
        if (fork() == 0) {              /* child */
            printf("C: %p\n", printf);
            return 0;
        }
        printf("P: %p\n", printf);      /* parent */
        wait(NULL);
        return 0;
    }
    $ /tmp/test
    C: 0x7f99c155b3a0
    P: 0x7f99c155b3a0
    $ /tmp/test
    C: 0x7f8bc12253a0
    P: 0x7f8bc12253a0
• 28. Side channels: Spectre CVE-2017-5753
  ▶ Spectre is a CPU bug tied to the BPU (branch prediction unit) and the cache.
  ▶ On a wrong guess of the BPU the cache isn't invalidated.
  ▶ This can lead to an information leak.
• 29-34. Side channels: Spectre CVE-2017-5753 (animation frames)
  Code under attack:
    if (a < b)
        array2[array1[a]]
    "warning"
    return
  Cache state per frame: "..." (nothing cached) while the branch is still being resolved, then "array2[array1[a]]" once the speculative access has filled a cache line.
• 35. Side channels: Spectre CVE-2017-5753
  Cache: array2[array1[a]]
  ▶ Now we can leak the memory!
  ▶ array1[a] == 2
      array2[0]  ∆time ≈ x
      array2[1]  ∆time ≈ x
      array2[2]  ∆time ≪ x
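As an added illustration of the defence against the bounds-check bypass of slides 29-35 (example code, not part of the original slides): the branchless index mask used as a Spectre variant 1 mitigation, modelled on the Linux kernel's array_index_mask_nospec(). The contents of `array1`, the secret bytes placed after it and the function names are assumptions for the demo.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed layout for the demo: the public array1 of slides 29-35 followed
 * in memory by bytes that must stay secret (here 0x42). */
#define ARRAY1_SIZE 4
static const uint8_t array1[ARRAY1_SIZE + 4] = { 1, 2, 3, 4, 0x42, 0x42, 0x42, 0x42 };

/* Branchless bounds mask in the style of the Linux kernel's
 * array_index_mask_nospec(): all ones when idx < size, zero otherwise.
 * When idx < size both operands of the OR have a clear top bit, so the
 * complement's top bit is set and the arithmetic shift smears it to all ones;
 * when idx >= size the subtraction wraps, the top bit is set and the mask is 0. */
static inline size_t index_mask_nospec(size_t idx, size_t size) {
    return (size_t)(~(intptr_t)(idx | (size - 1 - idx)) >> (sizeof(intptr_t) * 8 - 1));
}

/* The gadget of slides 29-35 as usually written. Architecturally it never
 * reads out of bounds, but the CPU may run the body before the compare resolves. */
uint8_t gather_unsafe(size_t idx) {
    if (idx < ARRAY1_SIZE)
        return array1[idx];
    return 0;
}

/* Hardened variant: the index fed to the load is forced to 0 when out of
 * bounds, with no branch the predictor could guess wrong. */
uint8_t gather_safe(size_t idx) {
    if (idx < ARRAY1_SIZE)
        return array1[idx & index_mask_nospec(idx, ARRAY1_SIZE)];
    return 0;
}

/* What the speculative path (the body executed with the compare ignored)
 * would load into the cache for each variant. */
uint8_t speculative_load_unsafe(size_t idx) {   /* idx must stay below sizeof array1 */
    return array1[idx];
}
uint8_t speculative_load_safe(size_t idx) {
    return array1[idx & index_mask_nospec(idx, ARRAY1_SIZE)];
}
```

The arithmetic right shift of a negative value is what makes the mask all ones; GCC and Clang implement it that way on every Linux target.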
• 36. Mitigation: Stack canaries
  gcc -fstack-protector{,-all,-strong,-explicit}
    mov %fs:0x28,%rax
    mov %rax,-0x8(%rbp)
    ...
    mov -0x8(%rbp),%rcx
    xor %fs:0x28,%rcx
    je foo+131
    callq __stack_chk_fail
    ...
  Stack frame:
    Local parameters
    Return address
    Stack Canary
    Saved State
    a
    b
• 37. Mitigation: Stack canaries
  ▶ Terminator Canary: 0x000d0aff
  ▶ Random Canary: 0xXXXXXXXX
  ▶ Xor Canary: 0xXXXXXXXX ⊕ Data
  ▶ Pointer Encryption: QARMA_E(Ret.Addr)
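Added example (not from the slides) of the epilogue check of slide 36 and of why the terminator canary of slide 37 stops string-copy overflows: the frame of foo() is modelled as a struct with the layout the slides draw, the copy is capped at the frame size only so the simulation itself stays memory safe, and the saved return address is a constructed value.

```c
#include <stdint.h>
#include <string.h>

/* Simulated stack frame of foo() from slide 36, lowest address first:
 * the 4-byte buffer, the local a, the canary, then the saved return address. */
struct frame {
    char     b[4];
    uint32_t a;
    uint32_t canary;
    uint32_t ret;
};

#define TERMINATOR_CANARY 0x000d0affu   /* slide 37: contains NUL, CR, LF */
#define SAVED_RET         0x08048000u   /* constructed return address */

/* Outcome of one overflow attempt. */
enum { SAFE = 0, DETECTED = 1, BYPASSED = 2 };

/* gets()/strcpy()-style copy into b: byte by byte until the first NUL, with no
 * bound, so a long input spills over a, the canary and ret. The cap at the
 * frame size exists only so that this simulation stays within its own memory. */
static void unbounded_copy(struct frame *f, const char *input) {
    char *dst = (char *)f;
    size_t n = strlen(input);
    if (n > sizeof *f - 1) n = sizeof *f - 1;
    memcpy(dst, input, n);
    dst[n] = '\0';                      /* the terminator strcpy() always writes */
}

/* Run the overflow against a frame guarded by `canary` and perform the
 * -fstack-protector epilogue check. Returns DETECTED when the canary changed
 * (__stack_chk_fail would be called), BYPASSED when the canary survived but the
 * return address did not, SAFE otherwise. */
int simulate_overflow(uint32_t canary, const char *input) {
    struct frame f = { "", 0, canary, SAVED_RET };
    unbounded_copy(&f, input);
    if (f.canary != canary) return DETECTED;
    if (f.ret != SAVED_RET) return BYPASSED;
    return SAFE;
}
```

With a random canary an attacker who has leaked its value (slide 26) can write it back and still reach ret; with the terminator canary the NUL byte ends the copy before ret is touched, even though the canary value itself is public.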
• 38. Memory Corruptions: -fsanitize
  Vulnerable program:
    #include <stdio.h>
    #include <stdlib.h>
    int main(int argc, char **argv) {
        void *s[64] = {0};
        printf("%p\n", s[63 - atoi(argv[1])]);
        return 0;
    }
    $ clang test.c
    $ ./a.out 1
    (nil)
    $ ./a.out 2
    (nil)
    $ ./a.out -1
    0x7ffe3187bf10
• 41. Advanced attacks
  ▶ Heap overflow;
  ▶ Integer overflow;
  ▶ Race conditions (TOCTTOU, Dirty COW, ...);
  ▶ Type confusion;
  ▶ Data-only attacks;
  ▶ Side channels (Spectre, Meltdown, RowHammer, ...);
  ▶ SROP.
• 42. Advanced mitigations
  ▶ RelRO.
  ▶ PIE.
  ▶ Memory Tagging.
  ▶ Pointer Authentication.
  ▶ OpenBSD-style malloc.
  ▶ BPF_HARDEN.
  ▶ Shadow stacks.
  ▶ Alloca checks.
  ▶ Guard pages.
  ▶ PaX and GRSEC patches (PAX_REFCOUNT, PAX_SIZE_OVERFLOW, PAX_USERCOPY, PAX_MEMORY_STACKLEAK, PAX_MEMORY_STRUCTLEAK, PAX_MEMORY_SANITIZE, GRSEC_HIDESYM, PAX_CONSTIFY_PLUGIN, PAX_MEMORY_UNDERREF, ...).
  ▶ CFI / GRSEC RAP.
  • 43. Thank you for your attention.
• 44. Mitigation: Shadow stacks
  ▶ A shadow stack is a stack which is not editable by the attacker.
  ▶ Upon a return from a procedure the application compares the call-stack value with its shadow value; if they differ, an exception is raised.
  [diagram: Input -> Exec -> Return -> Output, with Return compared against the Shadow Stack]
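Added example (not part of the slides) of the compare-on-return described above: the call stack and its shadow are modelled as two arrays, an overflow is simulated by overwriting the saved return address in the attacker-writable copy, and the return addresses are constructed values.

```c
#include <stdint.h>
#include <stddef.h>

#define MAX_DEPTH 16

/* Model of a call stack and its shadow. `stack` holds the saved return
 * addresses that a buffer overflow can overwrite; `shadow` holds the copies
 * that only the call/return logic writes. All addresses are constructed. */
typedef struct {
    uintptr_t stack[MAX_DEPTH];
    uintptr_t shadow[MAX_DEPTH];
    size_t    depth;
} shadow_machine;

/* On call: push the return address onto both stacks. Returns 0, or -1 if full. */
int sm_call(shadow_machine *m, uintptr_t ret) {
    if (m->depth >= MAX_DEPTH) return -1;
    m->stack[m->depth]  = ret;
    m->shadow[m->depth] = ret;
    m->depth++;
    return 0;
}

/* On return: pop both copies and compare. Stores the address to return to in
 * *target and returns 1 when they agree; returns 0 (the "exception" of slide
 * 44) when they differ or the stack is empty, so control never reaches the
 * tampered value. */
int sm_ret(shadow_machine *m, uintptr_t *target) {
    if (m->depth == 0) return 0;
    m->depth--;
    if (m->stack[m->depth] != m->shadow[m->depth]) return 0;
    *target = m->shadow[m->depth];
    return 1;
}

/* Normal call/return: returns the address control goes back to, 0 on violation. */
uintptr_t round_trip(uintptr_t ret) {
    shadow_machine m = { {0}, {0}, 0 };
    uintptr_t target = 0;
    if (sm_call(&m, ret) != 0 || !sm_ret(&m, &target)) return 0;
    return target;
}

/* Scenario of slides 12-13: foo's saved return address is overwritten with
 * `evil` by the overflow. Returns 1 if the shadow stack catches it on return. */
int overflow_is_caught(uintptr_t evil) {
    shadow_machine m = { {0}, {0}, 0 };
    sm_call(&m, 0x401136);            /* constructed return address into main */
    m.stack[m.depth - 1] = evil;      /* what gets(b) overwrote */
    uintptr_t target = 0;
    return !sm_ret(&m, &target);
}
```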
• 45. Mitigation: Guard Pages
  ▶ A guard memory page is placed between the stack and the heap.
  [diagram: Stack | Heap, versus Stack | Guard | Heap]
• 46. Other problems: Alloca and VLA
  ▶ alloca allocates memory on the stack; this facilitates stack smashing and stack overflow!
  ▶ There are alloca checkers, so you can trace and hunt bugs based on this feature.
    int *x = alloca(3 * sizeof(int));
  ▶ VLAs (variable length arrays) are allocated the same way as alloca.
  ▶ Security nightmare (and bad practice)!
    int foo(int a) { int x[a]; }
• 47. Mitigation: RelRO
  ▶ A position independent executable can be placed in every part of the memory.
  ▶ The linker needs to use two tables to load the dependencies: GOT and PLT;
    <main>:
      callq 1030 <printf@plt>
      ...
    <printf@plt>:
      jmpq *0x2fe2(%rip)   # printf@GLIBC_2.2.5
      pushq $0x0
      jmpq 1020 <.plt>
  ▶ These tables are still writable and can be used to hijack functions!
  ▶ RelRO places these tables in read-only memory once the loader has resolved the relocations at load time.
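Added example (not from the slides) of how to check whether a binary got the protection described above, in the way the checksec tool of slide 18 reports it: it reads the ELF program headers for PT_GNU_RELRO and the dynamic section for the BIND_NOW flags. The function and result names are assumptions; it handles 64-bit ELF files only.

```c
#include <elf.h>
#include <stdio.h>

enum { RELRO_NONE = 0, RELRO_PARTIAL = 1, RELRO_FULL = 2 };   /* relro_status() results */

static int read_at(FILE *fp, long off, void *buf, size_t len) {
    return fseek(fp, off, SEEK_SET) == 0 && fread(buf, len, 1, fp) == 1;
}

/* Classify a 64-bit ELF the way checksec does. PT_GNU_RELRO marks the region
 * (GOT included) the loader remaps read-only after relocation; BIND_NOW
 * (DT_BIND_NOW, DF_BIND_NOW or DF_1_NOW) makes every relocation resolve at
 * load time, so the whole GOT is covered: full RelRO. -1 = not a 64-bit ELF. */
int relro_status(const char *path) {
    FILE *fp = fopen(path, "rb");
    if (!fp) return -1;
    Elf64_Ehdr eh;
    int ok = fread(&eh, sizeof eh, 1, fp) == 1 &&
             eh.e_ident[EI_MAG0] == ELFMAG0 && eh.e_ident[EI_CLASS] == ELFCLASS64;
    int has_relro = 0, bind_now = 0;
    long dyn_off = 0, dyn_size = 0;
    for (int i = 0; ok && i < eh.e_phnum; i++) {                /* program headers */
        Elf64_Phdr ph;
        ok = read_at(fp, (long)eh.e_phoff + i * (long)eh.e_phentsize, &ph, sizeof ph);
        if (ok && ph.p_type == PT_GNU_RELRO) has_relro = 1;
        if (ok && ph.p_type == PT_DYNAMIC) { dyn_off = (long)ph.p_offset; dyn_size = (long)ph.p_filesz; }
    }
    for (long off = 0; ok && dyn_off && off + (long)sizeof(Elf64_Dyn) <= dyn_size;
         off += (long)sizeof(Elf64_Dyn)) {                       /* dynamic section */
        Elf64_Dyn d;
        if (!read_at(fp, dyn_off + off, &d, sizeof d) || d.d_tag == DT_NULL) break;
        if (d.d_tag == DT_BIND_NOW) bind_now = 1;
        if (d.d_tag == DT_FLAGS   && (d.d_un.d_val & DF_BIND_NOW)) bind_now = 1;
        if (d.d_tag == DT_FLAGS_1 && (d.d_un.d_val & DF_1_NOW)) bind_now = 1;
    }
    fclose(fp);
    if (!ok) return -1;
    return !has_relro ? RELRO_NONE : bind_now ? RELRO_FULL : RELRO_PARTIAL;
}

int main(int argc, char **argv) {
    static const char *names[] = { "No RelRO", "Partial RelRO", "Full RelRO" };
    const char *path = argc > 1 ? argv[1] : "/proc/self/exe";
    int s = relro_status(path);
    if (s < 0) { fprintf(stderr, "%s: not a readable 64-bit ELF\n", path); return 1; }
    printf("%s: %s\n", path, names[s]);
    return 0;
}
```

Build with `-Wl,-z,relro,-z,now` and the program reports Full RelRO for itself; with `-z norelro` it reports No RelRO.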
• 48. Buffer Overflow: SROP
  ▶ Using ROP we can place on the stack a gadget which contains the sigreturn system call.
  ▶ Before that we can place a fake sigcontext_t structure.
  ▶ The program will return to the allocated context, effectively running our shellcode.
  [diagram: sigreturn gadget, sigcontext_t]
  ▶ Mitigations are similar to the ones described for stack smashing: signal cookies (stack canaries), ASLR, ...
  ▶ Disabled vsyscall support.
• 49. Mitigations: Intel MPX
  ▶ From Intel generation 6 (Skylake).
  ▶ Registers and instructions to check if pointer bounds are valid (e.g. the BNDCU instruction and the BND2 register).
• 50. Buffer Overflow: Heap Overflow
  ▶ We can hijack malloc control fields (malloc-maleficarium, House of Einherjar).
    #include <cstdio>
    #include <cstring>
    class O {
    private:
        char buf[256];
    public:
        void getusr(char *b) { strcpy(buf, b); }
        virtual void print() { printf("%s\n", buf); }
    };
    int main(int argc, char **argv) {
        O *o[2] = {new O(), new O()};
        o[0]->getusr(argv[1]);
        o[1]->getusr(argv[2]);
        o[0]->print();
        o[1]->print();
    }
• 52. Side channels: Row hammer
  ▶ Data held in DRAM is susceptible to bit flips induced by repeated accesses to neighbouring rows.
  ▶ Resolved in LPDDR4.
  ▶ Can bypass ECC!
  [diagram: Write -> Manipulated]
• 53. Control Flow Integrity
  clang -fsanitize=cfi -fvisibility=hidden -flto
  ▶ You can view your program as a graph.
  ▶ Forward-edge control-flow integrity
  ▶ Backward-edge control-flow integrity
    #include <stdlib.h>
    typedef void *(*foo_t)(void *);
    void *foo(void *_) { ... }
    void *bar(void *_) { ... }
    foo_t foos[2] = { foo, bar };
    int main(int argc, char **argv) {
        foos[atoi(argv[1])](NULL);   /* unchecked index: an indirect call through whatever follows foos */
        return 0;
    }
• 54. Side channels: Meltdown
  ▶ For performance, the memory mapping is not changed upon a context switch (but it is protected using a guard value).
    raise_exception();
    // the line below is never reached
    access(probe_array[data * 4096]);
  ▶ With KAISER the kernel gets swapped out of the user-space address space.
• 55. Side channels: Spectre V2
  ▶ Indirect branch predictions.
  C++:
    class Base {
    public:
        virtual void Foo() = 0;
    };
    class Derived : public Base {
    public:
        void Foo() override { … }
    };
    Base* obj = new Derived;
    obj->Foo();
  ASM:
    ...
    jmp [r15]
    ...
• 56. Side channels: Spectre Mitigations
  ▶ LFENCE: serialization instruction;
      lfence    ; all instructions are serialized.
  ▶ Retpoline: hack to avoid processor speculation on indirect branch prediction.
      jmp [r15]
    Retpoline will rewrite this indirect branch to:
      call set_up_target
    loop:
      pause
      jmp loop
    set_up_target:
      mov [rsp], r15
      ret
• 58. Kernel Self Protection Project
  ▶ Not protecting user space applications.
  ▶ Not protecting against specific attacks.
  ▶ But protecting the kernel itself from attack classes.
  ▶ https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project