Stack Frame Protection
    with LD_PRELOAD

    @auth: pancake
    @place: FIST
    @date: 20040507
Outlook
●   Buffer overflows and stack basics;
●   Protection methods;
●   Focus on the preload method;
●   LibSFP {aka my testing lib};
●   Internal work;
●   A few code examples;
●   Links and EOF;
Buffer overflows basics
●   The first cause of insecurity;
●   Every function call is enclosed in a stack
    frame.
●   The stack frame stores the local
    variables and the return pointer.
●   Programmers must focus on secure
    code, not just on external security.
Protection methods
●   Development stage.
    –   GCC patches that use canary-based
        methods to ensure stack frame (SF) integrity.
    –   Use lint to clean up insecure function calls.
●   Runtime
    –   Ptrace-based security. 3x slower, but the
        most secure.
    –   Library-based security. Faster, and
        protects against most basic bugs.
Preload method
●   A library is loaded dynamically by ld.so
    via LD_PRELOAD or ld.so.conf;
●   The most bug-prone function symbols
    (strcpy, memcpy, strlen, ...) are
    replaced by secure ones;
●   Some libraries already do this:
    –   Libsafe – secure libc functions.
    –   Libformat - secure format strings.
●   Main problem: non-portable.
LibSFP
●   I decided to write a libformat/libsafe
    replacement.
●   Targets:
    –   UNIX-OSes portability (GNU,*BSD,...)
    –   Architecture portability (endian, stack)
    –   Open, active development. It's GPLd.
●   Actually, its development is stopped.
    But I'll be happy to receive
    contributions and follow the project.
Internal work
●   Basically it's a library that rewrites
    every symbol.
●   Walks through the stack frame layers until
    it finds the current one.
●   Measures the current SF size and
    limits calls to this size.
●   The library can be configured at runtime:
    –   Offset: Change overflow margins.
    –   Action: alert, ignore, force CoreDump...
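Added example (not from the original slides and not LibSFP code): a libsafe-style sketch of the frame walk and size limit described above, for strcpy. The sfp_* names, the two actions, the externally supplied stack top and the frame layout (each frame pointer addresses the caller's saved frame pointer, stack grows down) are assumptions; the demo runs on a constructed stack image and needs GCC or Clang for the builtins.

```c
/* Added example, not LibSFP source. Builds with GCC or Clang. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SFP_UNKNOWN ((size_t)-1)      /* dst is not inside a walkable caller frame */

/* Hypothetical runtime settings modelled on the slide's "Offset" and "Action". */
enum sfp_action { SFP_ALERT, SFP_COREDUMP };
struct sfp_cfg {
    size_t offset;                    /* margin kept free below the saved frame pointer */
    enum sfp_action action;
};
const struct sfp_cfg sfp_default_cfg = { 0, SFP_ALERT };

/* Highest address of the current stack. A preload library has to discover it
 * in a platform-specific way; while it is NULL the wrapper does not check. */
const void *sfp_stack_top;

/* Walk the saved-frame-pointer chain from fp (the wrapper's frame) towards top.
 * Assumes a downward-growing stack where every frame pointer addresses the
 * caller's saved frame pointer. Returns how many bytes fit at dst before the
 * saved frame pointer of the frame that owns dst. */
size_t sfp_frame_limit(const void *dst, const void *fp, const void *top)
{
    uintptr_t d = (uintptr_t)dst, f = (uintptr_t)fp, t = (uintptr_t)top;

    if (f == 0 || d <= f || d >= t)
        return SFP_UNKNOWN;           /* heap, globals, or below the wrapper */
    while (f % sizeof(uintptr_t) == 0 && f + sizeof(uintptr_t) <= t) {
        uintptr_t next = *(const uintptr_t *)f;
        if (next <= f || next >= t)
            break;                    /* end of chain or corrupted link */
        if (d < next)
            return (size_t)(next - d);
        f = next;
    }
    return SFP_UNKNOWN;
}

/* strcpy limited to `limit` bytes. Returns the characters copied, terminator
 * excluded. On a violation SFP_ALERT logs and truncates; SFP_COREDUMP aborts. */
size_t sfp_bounded_strcpy(char *dst, const char *src, size_t limit,
                          const struct sfp_cfg *cfg)
{
    size_t len = strlen(src), room;

    if (limit == SFP_UNKNOWN) {       /* nothing known: plain strcpy behaviour */
        memcpy(dst, src, len + 1);
        return len;
    }
    room = limit > cfg->offset ? limit - cfg->offset : 0;
    if (len + 1 <= room) {
        memcpy(dst, src, len + 1);
        return len;
    }
    if (cfg->action == SFP_COREDUMP)
        abort();
    fprintf(stderr, "sfp: strcpy needs %zu bytes, frame allows %zu\n", len + 1, room);
    if (room == 0)
        return 0;
    memcpy(dst, src, room - 1);
    dst[room - 1] = '\0';
    return room - 1;
}

/* The function a preload library would export under the name strcpy. */
__attribute__((noinline)) char *sfp_strcpy(char *dst, const char *src)
{
    size_t limit = SFP_UNKNOWN;

    if (sfp_stack_top != NULL)
        limit = sfp_frame_limit(dst, __builtin_frame_address(0), sfp_stack_top);
    sfp_bounded_strcpy(dst, src, limit, &sfp_default_cfg);
    return dst;
}

/* Constructed stack image: frame pointers sit at words 4, 12 and 24. */
uintptr_t sfp_demo_stack[32];
void sfp_demo_build(void)
{
    memset(sfp_demo_stack, 0, sizeof sfp_demo_stack);
    sfp_demo_stack[4] = (uintptr_t)&sfp_demo_stack[12];
    sfp_demo_stack[12] = (uintptr_t)&sfp_demo_stack[24];
}

int main(void)
{
    char *buf = (char *)&sfp_demo_stack[6];   /* a "local" of the caller's frame */
    size_t limit, n;

    sfp_demo_build();
    limit = sfp_frame_limit(buf, &sfp_demo_stack[4], sfp_demo_stack + 32);
    n = sfp_bounded_strcpy(buf,
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
        limit, &sfp_default_cfg);
    printf("limit=%zu copied=%zu saved_fp_intact=%d\n", limit, n,
           sfp_demo_stack[12] == (uintptr_t)&sfp_demo_stack[24]);
    return 0;
}
```

The limit stops a copy before the saved frame pointer and return address; other locals that sit between the buffer and the saved frame pointer can still be overwritten.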
Internal work
●   There are 3 kinds of variables:
    –   Local – stored in the stack frame (easy to protect).
    –   Global – stored in Heap (difficult to know the limits).
    –   Malloc – stored in Heap space with chunk header
        information (the assigned space limits could be read from
        chunk headers).
●   Malloc techniques:
    –   LibSFP stores a magic value into the chunk header to
        separate global variables from chunked ones.
    –   Chunks are memory-aligned, which means the size isn't exact.
A few examples

Now it's time to go to the
terminal and show some examples...
Links and EOF

●   Libsafe
    –   http://www.research.avayalabs.com/project/libsafe/
●   Immunix Gcc StackGuard
    –   http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/
●   Libsfp isn't released yet, but if I receive
    interest I would probably upload it to:
    –   http://www.nopcode.org/
    –   http://pancake.host.sk/altres/src/
EOF
[questions, tips, apologies...]

React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Kuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorialKuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorial
 
Digital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentDigital Tools & AI in Career Development
Digital Tools & AI in Career Development
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
 

Stack Frame Protection

  • 1. Stack Frame Protection with LD_PRELOAD
      @auth: pancake
      @place: FIST
      @date: 20040507
  • 2. Outlook
      ● Buffer overflows and stack basics;
      ● Protection methods;
      ● Target on preload;
      ● LibSFP {aka my testing lib};
      ● Internal work;
      ● Few code examples;
      ● Links and EOF;
  • 3. Buffer overflows basics
      ● The first cause of insecurity;
      ● Every function is enclosed in a stack frame.
      ● The stack frame saves information about local variables and the return pointer.
      ● Programmers must focus on secure code, not just external security.
  • 4. Protection methods
      ● Development stage.
          – Patches to GCC that use canary-based methods to ensure SF integrity.
          – Use lint to clean up insecure function calls.
      ● Runtime
          – Ptrace-based security. 3x slower, but the most secure.
          – Library-based security. Faster, and protects against almost all basic bugs.
  • 5. Preload method
      ● Dynamic loading of a library by ld.so, with LD_PRELOAD or ld.so.conf;
      ● Replacement of the most bug-prone function symbols with secure ones (strcpy, memcpy, strlen, ...);
      ● Some libraries already do that:
          – Libsafe – secure libc functions.
          – Libformat - secure format strings.
      ● Main problem: non-portable.
  • 6. LibSFP
      ● I decided to write a libformat/libsafe replacement.
      ● Targets:
          – UNIX-OSes portability (GNU, *BSD, ...)
          – Architecture portability (endian, stack)
          – Open, active development. It's GPLd.
      ● Actually its development is stopped. But I'll be happy to receive contributions and follow the project.
  • 7. Internal work
      ● Basically it's a library that rewrites every symbol.
      ● Walks through all stack frame layers until it finds the current one.
      ● Measures the current SF size and limits calls to this size.
      ● The library can be configured at runtime:
          – Offset: Change overflow margins.
          – Action: alert, ignore, force CoreDump...
  • 8. Internal work
      ● There are 3 kinds of variables:
          – Local – stored in the stack frame (easy to protect).
          – Global – stored in Heap (difficult to know the limits).
          – Malloc – stored in Heap space with chunk header information (the limits of the assigned space can be read from the chunk headers).
      ● Malloc techniques:
          – LibSFP stores a magic value in the chunk header to separate global variables from chunked ones.
          – Chunks are memory-aligned, which means that the size isn't exact.
  • 10. Few examples
      Now it's time to go to the terminal and show some examples...
  • 11. Links and EOF
      ● Libsafe – http://www.research.avayalabs.com/project/libsafe/
      ● Immunix Gcc StackGuard – http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/
      ● Libsfp isn't released yet, but if I receive interest I would probably upload it to:
          – http://www.nopcode.org/
          – http://pancake.host.sk/altres/src/
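The frame walk described under "Internal work" (slide 7), as an added C example that is not LibSFP's code: a bounded strcpy follows the saved frame pointers from its own frame to the frame that owns the destination, and refuses a copy that would reach that frame's saved frame pointer. It assumes GCC, a downward-growing stack and intact frame pointers; `sfp_strcpy`, `demo_copy` and the `SFP_*` names are hypothetical, and a preload library would export the wrapper under the name `strcpy`.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SFP_MAX_FRAMES 64           /* stop walking after this many frames */
#define SFP_MAX_SPAN   (1UL << 20)  /* a saved pointer further away is treated as garbage */
/* Assumption: GCC on a frame-pointer ABI; keeps the saved-frame-pointer chain intact. */
#define SFP_KEEP_FP __attribute__((noinline, optimize("no-omit-frame-pointer")))

/* Bounded strcpy: returns bytes written (NUL included), or -1 if the copy is refused. */
SFP_KEEP_FP long sfp_strcpy(char *dst, const char *src)
{
    uintptr_t d = (uintptr_t)dst;
    uintptr_t fp = (uintptr_t)__builtin_frame_address(0);  /* this wrapper's frame */
    size_t room = 0, need = strlen(src) + 1;

    /* Walk outwards to the first saved frame pointer above dst: everything from
       dst up to that slot lies inside the frame that owns the buffer. */
    for (int i = 0; d > fp && i < SFP_MAX_FRAMES; i++) {
        uintptr_t next = *(const uintptr_t *)fp;   /* caller's frame pointer */
        if (next <= fp || next - fp > SFP_MAX_SPAN)
            break;                                  /* chain ended or is not a chain */
        if (d < next) {
            room = next - d;
            break;
        }
        fp = next;
    }
    if (room == 0 || need > room)   /* not a stack buffer we can size, or too long */
        return -1;                  /* the "Action" chosen here: refuse the copy */
    memcpy(dst, src, need);
    return (long)need;
}

/* Constructed caller: a 16-byte local, as in a typical unchecked-strcpy bug. */
SFP_KEEP_FP long demo_copy(const char *input)
{
    char name[16] = "";
    return sfp_strcpy(name, input);
}

int main(void)
{
    static char big[300];                 /* zero-initialised, so already terminated */
    memset(big, 'A', sizeof big - 1);     /* constructed 299-byte input */
    printf("short: %ld\n", demo_copy("pancake"));
    printf("long:  %ld\n", demo_copy(big));
    return 0;
}
```

The bound is the frame, not the array: with padding or a canary between the buffer and the saved frame pointer, an overflow that stays inside the frame is not caught.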
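The malloc technique from slide 8, as an added C example rather than LibSFP's implementation: a wrapper allocator writes a magic tag and the aligned size into a header in front of each chunk, and the bounded copy uses the tag to tell a sized chunk from memory whose limits are unknown. The private header, `SFP_MAGIC`, `SFP_ALIGN`, `demo_arena` and the `sfp_*` functions are assumptions; the slides describe LibSFP as tagging the allocator's own chunk header.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define SFP_MAGIC 0x53465021u   /* constructed tag value, not LibSFP's own */
#define SFP_ALIGN 16u           /* assumed chunk granularity */

/* Private 16-byte header placed in front of every tracked chunk. */
struct sfp_hdr { uint32_t magic; uint32_t pad; uint64_t usable; };

/* Constructed "global": callers point 32 bytes in, so the header read stays in bounds. */
unsigned char demo_arena[64];

/* Allocate n bytes behind a tagged header; the recorded size is the aligned one. */
void *sfp_malloc(size_t n)
{
    if (n == 0 || n > SIZE_MAX / 2)
        return NULL;
    size_t usable = (n + SFP_ALIGN - 1) / SFP_ALIGN * SFP_ALIGN;
    struct sfp_hdr h = { SFP_MAGIC, 0, usable };
    unsigned char *raw = malloc(sizeof h + usable);
    if (raw == NULL)
        return NULL;
    memcpy(raw, &h, sizeof h);
    return raw + sizeof h;
}

void sfp_free(void *p)   /* release a chunk obtained from sfp_malloc */
{
    if (p != NULL)
        free((unsigned char *)p - sizeof(struct sfp_hdr));
}

/* Usable size of a tagged chunk, or 0 when no tag precedes p (limit unknown). */
size_t sfp_limit(const void *p)
{
    struct sfp_hdr h;
    memcpy(&h, (const unsigned char *)p - sizeof h, sizeof h);
    return h.magic == SFP_MAGIC ? (size_t)h.usable : 0;
}

/* Bounded memcpy: -1 if n exceeds a known limit, 0 after copying otherwise. */
int sfp_memcpy(void *dst, const void *src, size_t n)
{
    size_t limit = sfp_limit(dst);
    if (limit != 0 && n > limit)
        return -1;
    memcpy(dst, src, n);
    return 0;
}
```

A 10-byte request gets a 16-byte limit, so a write of up to 6 bytes past the requested size is not detected, which is the inexactness the slide mentions.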