SlideShare a Scribd company logo

secure lazy binding, and the 64bit time_t development process by Philip Guenther

eurobsdcon
eurobsdcon

Abstract A common security measure is now to reduce or eliminate the presence of process memory that is both writable and executable. However, the dynamic linker needs to make changes to executable pages when binding lazy references. In multi-threaded programs this creates a window of vulnerability. Depending on the system architecture, it may also result in extra cache or TLB flushes to maintain coherency on multi-processor systems. I'll describe the implementation and use of kbind(), a machine-independent system call for secure and efficient binding of lazy references. Speaker bio Philip was initiated in UNIX system administration in 1992 as a student at Saint Olaf College, where he got involved in Open Source software including procmail and amd. In December 2000 he joined Sendmail Inc and worked on threaded IMAP/POP3/LMTP servers. He started using OpenBSD actively several years later but didn't join the project until July 2008 after the status of the threads implementation started to annoy him. Philip is currently a Director of Engineering at Proofpoint, Inc.

Technology
1 of 60
Download to read offline
Table of Contents 1. Secure (and hopefully efficient) Lazy Binding 2. Plan 3. Lazy Binding 4. Goal 5. Dynamic Linking 6. Relocations 7. Position Independent Code 8. amd64 Details 9. amd64 Example 10. Lazy binding 11. Lazy binding, revised 12. Lazy binding, revised again 13. Lazy binding (threaded) 14. Lazy binding (trace) 15. mprotect() costs 16. Solution: kbind 17. ld.so: before and after 18. kbind implementation: amd64 19. Again, With More Feeling: sparc64 20. sparc64 Initial PLT 21. sparc64 PLT Update Example 24. sparc64: kbind again 25. kbind implementation: sparc64 26. How Good Is It 27. Security 28. Locking it down: ideas 29. Locking it down: locked down PC 30. Locking it down: per-process cookie 31. Locking it down: per-thread cookie 32. Locking it down: pass old data too 33. Locking it down: marked mappings 34. Locking it down: permanent mappings 35. Status 36. What else should we do? 37. Questions? Thank you!
Prev Next Secure Lazy Binding Slide #1 Secure (and hopefully efficient) Lazy Binding EuroBSDCon 2014 Copyright © 2014 Philip Guenther
Prev Next Secure Lazy Binding Slide #1 Secure (and hopefully efficient) Lazy Binding EuroBSDCon 2014 Copyright © 2014 Philip Guenther
Prev Next Secure Lazy Binding Slide #2 Plan What's the problem we're trying to solve? What can we do? How good is the solution? Does the solution create new problems? What else should we do? Where are we? EuroBSDCon 2014 Copyright © 2014 Philip Guenther
Prev Next Secure Lazy Binding Slide #3 Lazy Binding Lazy binding is the method by which the dynamic linker defers symbol lookups for function calls until the first time the function is called pro: save effort of symbol lookups that aren't used cons: inconsistent call latency violates W^X on some architectures: code or function pointers need to be changed on the fly while being executable! EuroBSDCon 2014 Copyright © 2014 Philip Guenther
Prev Next Secure Lazy Binding Slide #3 Lazy Binding Lazy binding is the method by which the dynamic linker defers symbol lookups for function calls until the first time the function is called pro: save effort of symbol lookups that aren't used cons: inconsistent call latency continued... EuroBSDCon 2014 Copyright © 2014 Philip Guenther
Prev Next Secure Lazy Binding Slide #4 Goal Make it possible for the dynamic linker to perform lazy binding without creating a window of vulnerability while being efficient EuroBSDCon 2014 Copyright © 2014 Philip Guenther
Prev Next Secure Lazy Binding Slide #5 Dynamic Linking Executables don't contain the library code but just reference it Executables are smaller Library can be updated without relinking executables References are by name, e.g., "printf" Dynamic linker handles mapping names to final addresses EuroBSDCon 2014 Copyright © 2014 Philip Guenther
Prev Next Secure Lazy Binding Slide #6 Relocations tables created by the assembler and linker recording how the code or data depends on load location or symbol value R_X86_64_RELATIVE rewrite with load location plus some addend R_X86_64_64 rewrite with symbol value plus some addend relocations used by dynamic linker can be split into two groups: immediate: affect data items, pointers to functions lazy: function calls to or from shared objects function call is initially directed to the dynamic linker instead EuroBSDCon 2014 Copyright © 2014 Philip Guenther
Prev Next Secure Lazy Binding Slide #6 Relocations tables created by the assembler and linker recording how the code or data depends on load location or symbol value R_X86_64_RELATIVE rewrite with load location plus some addend R_X86_64_64 rewrite with symbol value plus some addend continued... EuroBSDCon 2014 Copyright © 2014 Philip Guenther
Prev Next Secure Lazy Binding Slide #6 Relocations tables created by the assembler and linker recording how the code or data depends on load location or symbol value R_X86_64_RELATIVE rewrite with load location plus some addend R_X86_64_64 rewrite with symbol value plus some addend relocations used by dynamic linker can be split into two groups: immediate: affect data items, pointers to functions lazy: function calls to or from shared objects continued... EuroBSDCon 2014 Copyright © 2014 Philip Guenther
Prev Next Secure Lazy Binding Slide #7 Position Independent Code We want to maximize sharing of memory between processes text (code) and read-only memory shouldn't change ...even when the library or executable is loaded at a random location (ASLR) generated code accesses variables and functions using relative addresses or by indirecting through a table the mappings needed by a program or library are packed into indirection tables GOT: global offset table stores final addresses of variables and functions PLT: procedure linkage table directly callable stub routines many architecture specific details EuroBSDCon 2014 Copyright © 2014 Philip Guenther
Prev Next Secure Lazy Binding Slide #8 amd64 Details PLT is never changed linker knows offset between GOT and PLT PLT code uses "load from %rip-relative address" instructions to get values from GOT initial call to a PLT entry gets another address in the PLT, which calls dynamic linker dynamic linker just updates the GOT entry used by the function's PLT entry i386 is similar, but no %eip-relative addressing caller of PLT has to set %ebx to point to GOT EuroBSDCon 2014 Copyright © 2014 Philip Guenther
Prev Next Secure Lazy Binding Slide #8 amd64 Details PLT is never changed linker knows offset between GOT and PLT PLT code uses "load from %rip-relative address" instructions to get values from GOT initial call to a PLT entry gets another address in the PLT, which calls dynamic linker dynamic linker just updates the GOT entry used by the function's PLT entry continued... EuroBSDCon 2014 Copyright © 2014 Philip Guenther
Prev Next Secure Lazy Binding Slide #9 amd64 Example extern int foo; extern int bar(int); int call_bar(void) { return bar(foo); } movq foo@GOTPCREL(%rip), %rax # load foo's address from GOT movl (%rax), %edi # read foo's value call bar@PLT # call bar's PLT stub .PLT0: pushq GOT+8(%rip) # push argument for lazy bind code jmp *GOT+16(%rip) # jump to lazy binding entry .... .PLTn: jmp *bar@GOTPCREL(%rip) # load address from JUMP_SLOT in GOT pushq $index1 # load index of JUMP_SLOT relocation jmp .PLT0 # jump to above EuroBSDCon 2014 Copyright © 2014 Philip Guenther
Prev Next Secure Lazy Binding Slide #9 amd64 Example extern int foo; extern int bar(int); int call_bar(void) { return bar(foo); } continued... EuroBSDCon 2014 Copyright © 2014 Philip Guenther
Prev Next Secure Lazy Binding Slide #9 amd64 Example extern int foo; extern int bar(int); int call_bar(void) { return bar(foo); } movq foo@GOTPCREL(%rip), %rax # load foo's address from GOT movl (%rax), %edi # read foo's value call bar@PLT # call bar's PLT stub continued... EuroBSDCon 2014 Copyright © 2014 Philip Guenther
Prev Next Secure Lazy Binding Slide #10 Lazy binding Lazy binding code: resolve symbol to correct address update GOT entry GOT and PLT don't need to be written to by application code! OpenBSD: after loading, both GOT and PLT are mprotect()ed to read-only EuroBSDCon 2014 Copyright © 2014 Philip Guenther
Prev Next Secure Lazy Binding Slide #10 Lazy binding Lazy binding code: resolve symbol to correct address update GOT entry continued... EuroBSDCon 2014 Copyright © 2014 Philip Guenther
Prev Next Secure Lazy Binding Slide #11 Lazy binding, revised Lazy binding code: resolve symbol to correct address mprotect() the GOT to read-write update GOT entry mprotect() the GOT read-only again but what if a signal is delivered during this and it calls the target function? EuroBSDCon 2014 Copyright © 2014 Philip Guenther
Prev Next Secure Lazy Binding Slide #11 Lazy binding, revised Lazy binding code: resolve symbol to correct address mprotect() the GOT to read-write update GOT entry mprotect() the GOT read-only again continued... EuroBSDCon 2014 Copyright © 2014 Philip Guenther
Prev Next Secure Lazy Binding Slide #12 Lazy binding, revised again Lazy binding code: resolve symbol to correct address block all signals with sigprocmask() mprotect() the GOT to read-write update GOT entry mprotect() the GOT read-only again restore signal mask with sigprocmask() but what if another thread calls the target function? EuroBSDCon 2014 Copyright © 2014 Philip Guenther
Prev Next Secure Lazy Binding Slide #12 Lazy binding, revised again Lazy binding code: resolve symbol to correct address block all signals with sigprocmask() mprotect() the GOT to read-write update GOT entry mprotect() the GOT read-only again restore signal mask with sigprocmask() continued... EuroBSDCon 2014 Copyright © 2014 Philip Guenther
Prev Next Secure Lazy Binding Slide #13 Lazy binding (threaded) Lazy binding code: resolve symbol to correct address block all signals with sigprocmask() grab bind spinlock mprotect() the GOT to read-write update GOT or PLT entry mprotect() the GOT read-only again release bind spinlock restore signal mask with sigprocmask() EuroBSDCon 2014 Copyright © 2014 Philip Guenther
Prev Next Secure Lazy Binding Slide #14 Lazy binding (trace) CALL sigprocmask(SIG_BLOCK,~0<>) RET sigprocmask 0<> CALL mprotect(0x16bc657ac000,0x3000,0x3<PROT_READ|PROT_WRITE>) RET mprotect 0 CALL mprotect(0x16bc657ac000,0x3000,0x1<PROT_READ>) RET mprotect 0 CALL sigprocmask(SIG_SETMASK,0<>) RET sigprocmask ~0x10100<SIGKILL|SIGSTOP> CALL ioctl(0,TIOCGETA,0x7f7ffffcbbb0) RET ioctl 0 EuroBSDCon 2014 Copyright © 2014 Philip Guenther
Prev Next Secure Lazy Binding Slide #15 mprotect() costs When you add a permission to a page, the update can be lazy kernel notes the change but doesn't update the hardware mapping when the process tries to use that permission, it faults and the fault handler fixes it up to work When you remove a permission from a page, the update must be immediate update the page tables and flush the involved TLB entries if process has threads running on other CPUs, need to force them to do that too not cheap... ...and we don't even want other threads to be able to see the change! EuroBSDCon 2014 Copyright © 2014 Philip Guenther
Prev Next Secure Lazy Binding Slide #15 mprotect() costs When you add a permission to a page, the update can be lazy kernel notes the change but doesn't update the hardware mapping when the process tries to use that permission, it faults and the fault handler fixes it up to work When you remove a permission from a page, the update must be immediate update the page tables and flush the involved TLB entries if process has threads running on other CPUs, need to force them to do that too not cheap... continued... EuroBSDCon 2014 Copyright © 2014 Philip Guenther
Prev Next Secure Lazy Binding Slide #16 Solution: kbind syscall to do PLT/GOT update kbind(void *addr, size_t len, void *data) address and length of memory to update buffer of copy there performs same permission checks and copy-on-write handling as mprotect and page fault uninterruptible: no signal issues VM and pmap have to provide whatever locking is necessary in kernel EuroBSDCon 2014 Copyright © 2014 Philip Guenther
Prev Next Secure Lazy Binding Slide #17 ld.so: before and after before: /* set the GOT to RW */ sigprocmask(SIG_BLOCK, &allsigs, &savedmask); spinlock_lock(&bind_lock); /* libpthread cb */ mprotect(object->got_start, object->got_size, PROT_READ|PROT_WRITE); *(Elf_Addr *)addr = newval; /* put the GOT back to RO */ mprotect(object->got_start, object->got_size, PROT_READ); spinlock_unlock(&bind_lock); /* libpthread cb */ sigprocmask(SIG_SETMASK, &curset, NULL); after: kbind(addr, sizeof(Elf_Addr), &newval); kbind(0x171d762ebd8,0x8,0x7f7ffffde1f8) kbind 0 ioctl(0,TIOCGETA,0x7f7ffffde2f0) ioctl 0 EuroBSDCon 2014 Copyright © 2014 Philip Guenther
Prev Next Secure Lazy Binding Slide #17 ld.so: before and after before: /* set the GOT to RW */ sigprocmask(SIG_BLOCK, &allsigs, &savedmask); spinlock_lock(&bind_lock); /* libpthread cb */ mprotect(object->got_start, object->got_size, PROT_READ|PROT_WRITE); *(Elf_Addr *)addr = newval; /* put the GOT back to RO */ mprotect(object->got_start, object->got_size, PROT_READ); spinlock_unlock(&bind_lock); /* libpthread cb */ sigprocmask(SIG_SETMASK, &curset, NULL); continued... EuroBSDCon 2014 Copyright © 2014 Philip Guenther
Prev Next Secure Lazy Binding Slide #17 ld.so: before and after before: /* set the GOT to RW */ sigprocmask(SIG_BLOCK, &allsigs, &savedmask); spinlock_lock(&bind_lock); /* libpthread cb */ mprotect(object->got_start, object->got_size, PROT_READ|PROT_WRITE); *(Elf_Addr *)addr = newval; /* put the GOT back to RO */ mprotect(object->got_start, object->got_size, PROT_READ); spinlock_unlock(&bind_lock); /* libpthread cb */ sigprocmask(SIG_SETMASK, &curset, NULL); after: kbind(addr, sizeof(Elf_Addr), &newval); continued... EuroBSDCon 2014 Copyright © 2014 Philip Guenther
Prev Next Secure Lazy Binding Slide #18 kbind implementation: amd64 OpenBSD/amd64 has "direct pmap": direct map in VA always maps all PA Copy new data into buffer in kernel uvm_fault(map, baseva, VM_FAULT_WIRE, VM_PROT_NONE) force copy-on-write resolution force page to be physically in memory and unpageable physical page has "maximal" permissions for mapping pmap_extract(map->pmap, baseva, &paddr) kva = PMAP_DIRECT_MAP(paddr) get kernel's direct mapped address of the underlying physical page bcopy(buffer, kva + offset, len) update the wired-in physical page uvm_fault_unwire(map, last_baseva, last_baseva + PAGE_SIZE) permit page to be paged again EuroBSDCon 2014 Copyright © 2014 Philip Guenther
Prev Next Secure Lazy Binding Slide #19 Again, With More Feeling: sparc64 GOT is never changed after the library is loaded initial PLT stubs load index and jump to common stub, which does call to dynamic linker dynamic linker updates the PLT code sequence to jump to the final address many possible sequences depending on the relative and absolute address within 2^21 of the PLT entry? within 2^31 of address zero? hard to exercise, ergo buggy: incorrect offset calculations, wrong ASM PLT could be called by another thread while changing it instruction sequence must always be safely executable change it in two steps EuroBSDCon 2014 Copyright © 2014 Philip Guenther
Prev Next Secure Lazy Binding Slide #19 Again, With More Feeling: sparc64 GOT is never changed after the library is loaded initial PLT stubs load index and jump to common stub, which does call to dynamic linker dynamic linker updates the PLT code sequence to jump to the final address many possible sequences depending on the relative and absolute address within 2^21 of the PLT entry? within 2^31 of address zero? continued... EuroBSDCon 2014 Copyright © 2014 Philip Guenther
Prev Next Secure Lazy Binding Slide #19 Again, With More Feeling: sparc64 GOT is never changed after the library is loaded initial PLT stubs load index and jump to common stub, which does call to dynamic linker dynamic linker updates the PLT code sequence to jump to the final address many possible sequences depending on the relative and absolute address within 2^21 of the PLT entry? within 2^31 of address zero? hard to exercise, ergo buggy: incorrect offset calculations, wrong ASM continued... EuroBSDCon 2014 Copyright © 2014 Philip Guenther
Prev Next Secure Lazy Binding Slide #20 sparc64 Initial PLT .PLT1: save %sp, -176, %sp # create stack frame ... # calculate lazy bind addr and jump ... .PLTn: sethi (. - .PLT0), %g1 # load offset of entry ba,a %xcc, .PLT1 # jump to above nop; nop nop; nop nop; nop EuroBSDCon 2014 Copyright © 2014 Philip Guenther
Prev Next Secure Lazy Binding Slide #21 sparc64 PLT Update Example target address within 2^31 of PLT slot .PLTn: sethi (. - .PLT0), %g1 # load offset of entry mov %o7, %g1 # save return address in %g1 call (addr - .) # relative call mov %g1, %o7 # restore return address nop; nop nop; nop .PLTn: sethi (. - .PLT0), %g1 # load offset of entry mov %o7, %g1 # save return address in %g1 nop; nop nop; nop nop; nop EuroBSDCon 2014 Copyright © 2014 Philip Guenther
Prev Next Secure Lazy Binding Slide #21 sparc64 PLT Update Example target address within 2^31 of PLT slot .PLTn: sethi (. - .PLT0), %g1 # load offset of entry mov %o7, %g1 # save return address in %g1 call (addr - .) # relative call mov %g1, %o7 # restore return address nop; nop nop; nop continued... EuroBSDCon 2014 Copyright © 2014 Philip Guenther
Prev Next Secure Lazy Binding Slide #22 sparc64 PLT Update Example .PLTn: sethi (. - .PLT0), %g1 # load offset of entry ba,a %xcc, .PLT1 # jump to above call (addr - .) # relative call mov %g1, %o7 # restore return address nop; nop nop; nop EuroBSDCon 2014 Copyright © 2014 Philip Guenther
Prev Next Secure Lazy Binding Slide #23 sparc64 PLT Update Example .PLTn: sethi (. - .PLT0), %g1 # load offset of entry mov %o7, %g1 # save return address in %g1 call (addr - .) # relative call mov %g1, %o7 # restore return address nop; nop nop; nop so we need to pass the kernel two blocks to copy into place EuroBSDCon 2014 Copyright © 2014 Philip Guenther
Prev Next Secure Lazy Binding Slide #24 sparc64: kbind again kbind(void *param, size_t plen) address length new data new data address length new data EuroBSDCon 2014 Copyright © 2014 Philip Guenther
Prev Next Secure Lazy Binding Slide #25 kbind implementation: sparc64 Copy new data into buffer in kernel for each block: uvm_map_extract(map, baseva, PAGE_SIZE, &kva, UVM_EXTRACT_FIXPROT) force copy-on-write resolution map that userspace VA into the kernel map, with max permitted permissions bcopy(buffer, kva + offset, len) update the page via the kernel mapping actually use word-sized writes uvm_unmap_remove(kernel_map, kva, kva+PAGE_SIZE, &dead_entries, FALSE, TRUE) remove the page from the kernel map uvm_unmap_detach(&dead_entries, AMAP_REFALL) clean up/release references to backing objects EuroBSDCon 2014 Copyright © 2014 Philip Guenther
Prev Next Secure Lazy Binding Slide #26 How Good Is It 4% That's the savings in real time for a make build, both amd64 and sparc64 much of that is in the make install step: lots of short-lived processes current version is not always faster kbind() only touches the specific page involved, no read-ahead? EuroBSDCon 2014 Copyright © 2014 Philip Guenther
Prev Next Secure Lazy Binding Slide #26 How Good Is It 4% continued... EuroBSDCon 2014 Copyright © 2014 Philip Guenther
Prev Next Secure Lazy Binding Slide #26 How Good Is It 4% That's the savings in real time for a make build, both amd64 and sparc64 much of that is in the make install step: lots of short-lived processes continued... EuroBSDCon 2014 Copyright © 2014 Philip Guenther
Prev Next Secure Lazy Binding Slide #27 Security Sweet, a syscall that can change read-only memory! Hmmm, this is a power that can only be used for Good Or Evil Can we make it only capable of resolving lazy bindings to their correct values? Only want dynamic linker to be able to call this Don't want this to be useful as a target of Return-Oriented-Programming Don't want it to be able to change arbitrary memory EuroBSDCon 2014 Copyright © 2014 Philip Guenther
Prev Next Secure Lazy Binding Slide #28 Locking it down: ideas if any check fails, kill the process, uncatchable: sigexit() only permit kbind() syscall from one address pass a per-process cookie pass a per-thread cookie that the kernel updates on each call pass the kernel both the expected old data and the new data mark the mappings which kbind() is allowed to alter with a new mprotect() bit mark the GOT and PLT as not permitting further mprotect() changes mark dynamic linker code and data as not permitting munmap() or further mprotect() changes EuroBSDCon 2014 Copyright © 2014 Philip Guenther
Prev Next Secure Lazy Binding Slide #29 Locking it down: locked down PC only permit kbind() syscall from one address struct process has caddr_t ps_kbind_addr copied on fork(), zeroed on execve() kbind() extracts the return address from the syscall trap frame if ps_kbind_addr is zero, this is first call, so set it otherwise, if they don't match then sigexit(SIGILL) if called with NULL parameters ("change nothing"), then set ps_kbind_addr to impossible address C startup code for static executables can use that to disable kbind() for them dynamic linker has syscall as inline ASM and is built with -fstack-protector if you jump into the middle of _dl_bind() to get to the syscall, on return the stack protector will catch you EuroBSDCon 2014 Copyright © 2014 Philip Guenther
Prev Next Secure Lazy Binding Slide #30 Locking it down: per-process cookie pass a per-process cookie kernel saves value from first call in struct process, ps_kbind_cookie mismatch in later call? sigexit(SIGILL) variable placed in PT_OPENBSD_RANDOMIZE segment, filled with random bytes by kernel _dl_bind() loads the cookie before calculating the GOT/PLT changes to pass to the kernel attacker can't use ld.so's "load the cookie" code with its own changes ...but the variable's address is static offset within ld.so memory EuroBSDCon 2014 Copyright © 2014 Philip Guenther
Prev Next Secure Lazy Binding Slide #31 Locking it down: per-thread cookie pass a per-thread cookie and its address kernel saves value from first call in each thread in struct proc, p_kbind_cookie mismatch in later call? sigexit(SIGILL) generate new value and copy it out to supplied address reserve space for the cookie in TCB problems: have to (finally...) push TCB management code into ld.so cookie is easy to find; lots of code in libpthread has to access it, probably plenty of ROP gadgets probably will remove EuroBSDCon 2014 Copyright © 2014 Philip Guenther
Prev Next Secure Lazy Binding Slide #31 Locking it down: per-thread cookie pass a per-thread cookie and its address kernel saves value from first call in each thread in struct proc, p_kbind_cookie mismatch in later call? sigexit(SIGILL) generate new value and copy it out to supplied address reserve space for the cookie in TCB continued... EuroBSDCon 2014 Copyright © 2014 Philip Guenther
Prev Next Secure Lazy Binding Slide #32 Locking it down: pass old data too pass the kernel both the expected old data and the new data compare each word against both old and new already new? do nothing matches old? update to new match neither? sigexit(SIGILL) sounds nice, but the kernel isn't really checking the data for validity there's a corner case where an entry can legitimately change the value it should resolve to will remove EuroBSDCon 2014 Copyright © 2014 Philip Guenther
Prev Next Secure Lazy Binding Slide #32 Locking it down: pass old data too pass the kernel both the expected old data and the new data compare each word against both old and new already new? do nothing matches old? update to new match neither? sigexit(SIGILL) sounds nice, but the kernel isn't really checking the data for validity continued... EuroBSDCon 2014 Copyright © 2014 Philip Guenther
Prev Next Secure Lazy Binding Slide #33 Locking it down: marked mappings mark the mappings which kbind() is allowed to alter with a new mprotect() bit mprotect(got_addr, got_len, PROT_READ | __PROT_KBIND) kbind() verifies that that bit is set, else sigexit(SIGILL) mark the GOT and PLT as not permitting further mprotect() changes mprotect(got_addr, got_len, PROT_READ | __PROT_KBIND | __PROT_LOCKPROT) kbind() can only change those pages; those pages can only be changed by kbind() EuroBSDCon 2014 Copyright © 2014 Philip Guenther
Prev Next Secure Lazy Binding Slide #33 Locking it down: marked mappings mark the mappings which kbind() is allowed to alter with a new mprotect() bit mprotect(got_addr, got_len, PROT_READ | __PROT_KBIND) kbind() verifies that that bit is set, else sigexit(SIGILL) continued... EuroBSDCon 2014 Copyright © 2014 Philip Guenther
Prev Next Secure Lazy Binding Slide #34 Locking it down: permanent mappings mmap() and munmap() can effectively override mprotect() by remapping over protected page doesn't make sense to unmap dynamic linker or libc, for that matter test for DT_FLAGS_1 NODELETE new mmap() or madvise() flag to mark a mapping as permanent and only removable via execve()? EuroBSDCon 2014 Copyright © 2014 Philip Guenther
Prev Next Secure Lazy Binding Slide #35 Status Not committed yet Have working code on amd64, sparc64, and i386 powerpc will require converting to "secure PLT" ABI haven't dug into the others (alpha, m88k, mips64, sh, hppa) yet Need to update the security measures implemented Performance should be consistently better EuroBSDCon 2014 Copyright © 2014 Philip Guenther
Prev Next Secure Lazy Binding Slide #36 What else should we do? better shared library symbol management ELF hidden visibility: libraries can bind directly to their own symbols OpenBSD/amd64 libc.so has 771 PLT entries, but only a few are necessary EuroBSDCon 2014 Copyright © 2014 Philip Guenther
Prev Next Secure Lazy Binding Slide #37 Questions? Thank you! EuroBSDCon 2014 Copyright © 2014 Philip Guenther

Recommended

Hacking for fun and for profit
Hacking for fun and for profitHacking for fun and for profit
Hacking for fun and for profitdavtbaum
 
Deobfuscation and beyond (ZeroNights, 2014)
Deobfuscation and beyond (ZeroNights, 2014)Deobfuscation and beyond (ZeroNights, 2014)
Deobfuscation and beyond (ZeroNights, 2014)ReCrypt
 
On deobfuscation in practice
On deobfuscation in practiceOn deobfuscation in practice
On deobfuscation in practiceDmitry Schelkunov
 
Sockets
SocketsSockets
SocketsRajesh Kumar
 
First session quiz
First session quizFirst session quiz
First session quizKeroles karam khalil
 
LLVM 總是打開你的心:從電玩模擬器看編譯器應用實例
LLVM 總是打開你的心:從電玩模擬器看編譯器應用實例LLVM 總是打開你的心:從電玩模擬器看編譯器應用實例
LLVM 總是打開你的心:從電玩模擬器看編譯器應用實例National Cheng Kung University
 
Overview of CryptDB
Overview of CryptDBOverview of CryptDB
Overview of CryptDBMateus S. H. Cruz
 
08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen one08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen oneAlexandre Moneger
 

Recommended

Hacking for fun and for profit
Hacking for fun and for profitHacking for fun and for profit
Hacking for fun and for profitdavtbaum
 
Deobfuscation and beyond (ZeroNights, 2014)
Deobfuscation and beyond (ZeroNights, 2014)Deobfuscation and beyond (ZeroNights, 2014)
Deobfuscation and beyond (ZeroNights, 2014)ReCrypt
 
On deobfuscation in practice
On deobfuscation in practiceOn deobfuscation in practice
On deobfuscation in practiceDmitry Schelkunov
 
Sockets
SocketsSockets
SocketsRajesh Kumar
 
First session quiz
First session quizFirst session quiz
First session quizKeroles karam khalil
 
LLVM 總是打開你的心:從電玩模擬器看編譯器應用實例
LLVM 總是打開你的心:從電玩模擬器看編譯器應用實例LLVM 總是打開你的心:從電玩模擬器看編譯器應用實例
LLVM 總是打開你的心:從電玩模擬器看編譯器應用實例National Cheng Kung University
 
Overview of CryptDB
Overview of CryptDBOverview of CryptDB
Overview of CryptDBMateus S. H. Cruz
 
08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen one08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen oneAlexandre Moneger
 
Arduino C maXbox web of things slide show
Arduino C maXbox web of things slide showArduino C maXbox web of things slide show
Arduino C maXbox web of things slide showMax Kleiner
 
Metrics ekon 14_2_kleiner
Metrics ekon 14_2_kleinerMetrics ekon 14_2_kleiner
Metrics ekon 14_2_kleinerMax Kleiner
 
Java - Sockets
Java - SocketsJava - Sockets
Java - SocketsRiccardo Cardin
 
An effective RC4 Stream Cipher
An effective RC4 Stream CipherAn effective RC4 Stream Cipher
An effective RC4 Stream CipherTharindu Weerasinghe
 
29회 이더리움 밋업 - Ethereum 2.0 and Deposit Contract
29회 이더리움 밋업 - Ethereum 2.0 and Deposit Contract29회 이더리움 밋업 - Ethereum 2.0 and Deposit Contract
29회 이더리움 밋업 - Ethereum 2.0 and Deposit ContractBenjamin Oh
 
Win pcap filtering expression syntax
Win pcap filtering expression syntaxWin pcap filtering expression syntax
Win pcap filtering expression syntaxVota Ppt
 
Aosd2009 adams
Aosd2009 adamsAosd2009 adams
Aosd2009 adamsSAIL_QU
 
GCC
GCCGCC
GCCKir Chou
 
Privacy-Preserving Multi-Keyword Fuzzy Search over Encrypted Data in the Cloud
Privacy-Preserving Multi-Keyword Fuzzy Search over Encrypted Data in the CloudPrivacy-Preserving Multi-Keyword Fuzzy Search over Encrypted Data in the Cloud
Privacy-Preserving Multi-Keyword Fuzzy Search over Encrypted Data in the CloudMateus S. H. Cruz
 
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbersDefcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbersAlexandre Moneger
 
05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR mattersAlexandre Moneger
 
Vbrownbag container networking for real workloads
Vbrownbag container networking for real workloadsVbrownbag container networking for real workloads
Vbrownbag container networking for real workloadsCisco DevNet
 
09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?Alexandre Moneger
 
Rsockets ofa12
Rsockets ofa12Rsockets ofa12
Rsockets ofa12trustitrusti
 
07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W mattersAlexandre Moneger
 
Возможности интерпретатора Python в NX-OS
Возможности интерпретатора Python в NX-OSВозможности интерпретатора Python в NX-OS
Возможности интерпретатора Python в NX-OSCisco Russia
 
Power of linked list
Power of linked listPower of linked list
Power of linked listPeter Hlavaty
 
02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stack02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stackAlexandre Moneger
 
ECET 330 Massive Success--snaptutorial.com
ECET 330 Massive Success--snaptutorial.comECET 330 Massive Success--snaptutorial.com
ECET 330 Massive Success--snaptutorial.comsantricksapiens71
 
Ecet 330 Success Begins / snaptutorial.com
Ecet 330 Success Begins / snaptutorial.comEcet 330 Success Begins / snaptutorial.com
Ecet 330 Success Begins / snaptutorial.comWilliamsTaylorzm
 
Ecet 330 Enthusiastic Study / snaptutorial.com
Ecet 330 Enthusiastic Study / snaptutorial.comEcet 330 Enthusiastic Study / snaptutorial.com
Ecet 330 Enthusiastic Study / snaptutorial.comStephenson033
 
ECET 330 Technology levels--snaptutorial.com
ECET 330 Technology levels--snaptutorial.comECET 330 Technology levels--snaptutorial.com
ECET 330 Technology levels--snaptutorial.comsholingarjosh102
 

More Related Content

What's hot

Arduino C maXbox web of things slide show
Arduino C maXbox web of things slide showArduino C maXbox web of things slide show
Arduino C maXbox web of things slide showMax Kleiner
 
Metrics ekon 14_2_kleiner
Metrics ekon 14_2_kleinerMetrics ekon 14_2_kleiner
Metrics ekon 14_2_kleinerMax Kleiner
 
29회 이더리움 밋업 - Ethereum 2.0 and Deposit Contract
29회 이더리움 밋업 - Ethereum 2.0 and Deposit Contract29회 이더리움 밋업 - Ethereum 2.0 and Deposit Contract
29회 이더리움 밋업 - Ethereum 2.0 and Deposit ContractBenjamin Oh
 
Win pcap filtering expression syntax
Win pcap filtering expression syntaxWin pcap filtering expression syntax
Win pcap filtering expression syntaxVota Ppt
 
Aosd2009 adams
Aosd2009 adamsAosd2009 adams
Aosd2009 adamsSAIL_QU
 
Privacy-Preserving Multi-Keyword Fuzzy Search over Encrypted Data in the Cloud
Privacy-Preserving Multi-Keyword Fuzzy Search over Encrypted Data in the CloudPrivacy-Preserving Multi-Keyword Fuzzy Search over Encrypted Data in the Cloud
Privacy-Preserving Multi-Keyword Fuzzy Search over Encrypted Data in the CloudMateus S. H. Cruz
 

What's hot (9)

Arduino C maXbox web of things slide show
Arduino C maXbox web of things slide showArduino C maXbox web of things slide show
Arduino C maXbox web of things slide show
 
Metrics ekon 14_2_kleiner
Metrics ekon 14_2_kleinerMetrics ekon 14_2_kleiner
Metrics ekon 14_2_kleiner
 
Java - Sockets
Java - SocketsJava - Sockets
Java - Sockets
 
An effective RC4 Stream Cipher
An effective RC4 Stream CipherAn effective RC4 Stream Cipher
An effective RC4 Stream Cipher
 
29회 이더리움 밋업 - Ethereum 2.0 and Deposit Contract
29회 이더리움 밋업 - Ethereum 2.0 and Deposit Contract29회 이더리움 밋업 - Ethereum 2.0 and Deposit Contract
29회 이더리움 밋업 - Ethereum 2.0 and Deposit Contract
 
Win pcap filtering expression syntax
Win pcap filtering expression syntaxWin pcap filtering expression syntax
Win pcap filtering expression syntax
 
Aosd2009 adams
Aosd2009 adamsAosd2009 adams
Aosd2009 adams
 
GCC
GCCGCC
GCC
 
Privacy-Preserving Multi-Keyword Fuzzy Search over Encrypted Data in the Cloud
Privacy-Preserving Multi-Keyword Fuzzy Search over Encrypted Data in the CloudPrivacy-Preserving Multi-Keyword Fuzzy Search over Encrypted Data in the Cloud
Privacy-Preserving Multi-Keyword Fuzzy Search over Encrypted Data in the Cloud
 

Similar to secure lazy binding, and the 64bit time_t development process by Philip Guenther

Defcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbersDefcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbersAlexandre Moneger
 
05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR mattersAlexandre Moneger
 
Vbrownbag container networking for real workloads
Vbrownbag container networking for real workloadsVbrownbag container networking for real workloads
Vbrownbag container networking for real workloadsCisco DevNet
 
09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?Alexandre Moneger
 
07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W mattersAlexandre Moneger
 
Возможности интерпретатора Python в NX-OS
Возможности интерпретатора Python в NX-OSВозможности интерпретатора Python в NX-OS
Возможности интерпретатора Python в NX-OSCisco Russia
 
Power of linked list
Power of linked listPower of linked list
Power of linked listPeter Hlavaty
 
02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stack02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stackAlexandre Moneger
 
ECET 330 Massive Success--snaptutorial.com
ECET 330 Massive Success--snaptutorial.comECET 330 Massive Success--snaptutorial.com
ECET 330 Massive Success--snaptutorial.comsantricksapiens71
 
Ecet 330 Success Begins / snaptutorial.com
Ecet 330 Success Begins / snaptutorial.comEcet 330 Success Begins / snaptutorial.com
Ecet 330 Success Begins / snaptutorial.comWilliamsTaylorzm
 
Ecet 330 Enthusiastic Study / snaptutorial.com
Ecet 330 Enthusiastic Study / snaptutorial.comEcet 330 Enthusiastic Study / snaptutorial.com
Ecet 330 Enthusiastic Study / snaptutorial.comStephenson033
 
ECET 330 Technology levels--snaptutorial.com
ECET 330 Technology levels--snaptutorial.comECET 330 Technology levels--snaptutorial.com
ECET 330 Technology levels--snaptutorial.comsholingarjosh102
 
Towards JVM Dynamic Languages Toolchain
Towards JVM Dynamic Languages ToolchainTowards JVM Dynamic Languages Toolchain
Towards JVM Dynamic Languages ToolchainAttila Szegedi
 
Maxbox starter18
Maxbox starter18Maxbox starter18
Maxbox starter18Max Kleiner
 
Analyzing 1.2 Million Network Packets per Second in Real-time
Analyzing 1.2 Million Network Packets per Second in Real-timeAnalyzing 1.2 Million Network Packets per Second in Real-time
Analyzing 1.2 Million Network Packets per Second in Real-timeDataWorks Summit
 
The 1990s Called. They Want Their Code Back.
The 1990s Called. They Want Their Code Back.The 1990s Called. They Want Their Code Back.
The 1990s Called. They Want Their Code Back.Jonathan Oliver
 
The Hitchhiker's Guide to Faster Builds. Viktor Kirilov. CoreHard Spring 2019
The Hitchhiker's Guide to Faster Builds. Viktor Kirilov. CoreHard Spring 2019The Hitchhiker's Guide to Faster Builds. Viktor Kirilov. CoreHard Spring 2019
The Hitchhiker's Guide to Faster Builds. Viktor Kirilov. CoreHard Spring 2019corehard_by
 
Kernel load-balancing for Docker containers using IPVS
Kernel load-balancing for Docker containers using IPVSKernel load-balancing for Docker containers using IPVS
Kernel load-balancing for Docker containers using IPVSDocker, Inc.
 
Eyeball MS-SIP Library V10.0 Developer Reference Guide
Eyeball MS-SIP Library V10.0 Developer Reference GuideEyeball MS-SIP Library V10.0 Developer Reference Guide
Eyeball MS-SIP Library V10.0 Developer Reference GuideEyeball Networks
 

Similar to secure lazy binding, and the 64bit time_t development process by Philip Guenther (20)

Defcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbersDefcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbers
 
05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters
 
Vbrownbag container networking for real workloads
Vbrownbag container networking for real workloadsVbrownbag container networking for real workloads
Vbrownbag container networking for real workloads
 
09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?
 
Rsockets ofa12
Rsockets ofa12Rsockets ofa12
Rsockets ofa12
 
07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters
 
Возможности интерпретатора Python в NX-OS
Возможности интерпретатора Python в NX-OSВозможности интерпретатора Python в NX-OS
Возможности интерпретатора Python в NX-OS
 
Power of linked list
Power of linked listPower of linked list
Power of linked list
 
02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stack02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stack
 
ECET 330 Massive Success--snaptutorial.com
ECET 330 Massive Success--snaptutorial.comECET 330 Massive Success--snaptutorial.com
ECET 330 Massive Success--snaptutorial.com
 
Ecet 330 Success Begins / snaptutorial.com
Ecet 330 Success Begins / snaptutorial.comEcet 330 Success Begins / snaptutorial.com
Ecet 330 Success Begins / snaptutorial.com
 
Ecet 330 Enthusiastic Study / snaptutorial.com
Ecet 330 Enthusiastic Study / snaptutorial.comEcet 330 Enthusiastic Study / snaptutorial.com
Ecet 330 Enthusiastic Study / snaptutorial.com
 
ECET 330 Technology levels--snaptutorial.com
ECET 330 Technology levels--snaptutorial.comECET 330 Technology levels--snaptutorial.com
ECET 330 Technology levels--snaptutorial.com
 
Towards JVM Dynamic Languages Toolchain
Towards JVM Dynamic Languages ToolchainTowards JVM Dynamic Languages Toolchain
Towards JVM Dynamic Languages Toolchain
 
Maxbox starter18
Maxbox starter18Maxbox starter18
Maxbox starter18
 
Analyzing 1.2 Million Network Packets per Second in Real-time
Analyzing 1.2 Million Network Packets per Second in Real-timeAnalyzing 1.2 Million Network Packets per Second in Real-time
Analyzing 1.2 Million Network Packets per Second in Real-time
 
The 1990s Called. They Want Their Code Back.
The 1990s Called. They Want Their Code Back.The 1990s Called. They Want Their Code Back.
The 1990s Called. They Want Their Code Back.
 
The Hitchhiker's Guide to Faster Builds. Viktor Kirilov. CoreHard Spring 2019
The Hitchhiker's Guide to Faster Builds. Viktor Kirilov. CoreHard Spring 2019The Hitchhiker's Guide to Faster Builds. Viktor Kirilov. CoreHard Spring 2019
The Hitchhiker's Guide to Faster Builds. Viktor Kirilov. CoreHard Spring 2019
 
Kernel load-balancing for Docker containers using IPVS
Kernel load-balancing for Docker containers using IPVSKernel load-balancing for Docker containers using IPVS
Kernel load-balancing for Docker containers using IPVS
 
Eyeball MS-SIP Library V10.0 Developer Reference Guide
Eyeball MS-SIP Library V10.0 Developer Reference GuideEyeball MS-SIP Library V10.0 Developer Reference Guide
Eyeball MS-SIP Library V10.0 Developer Reference Guide
 

More from eurobsdcon

EuroBSDCon 2014 Program Front
EuroBSDCon 2014 Program FrontEuroBSDCon 2014 Program Front
EuroBSDCon 2014 Program Fronteurobsdcon
 
EuroBSDCon 2014 tutorials program Thursday & Friday
EuroBSDCon 2014 tutorials program Thursday & FridayEuroBSDCon 2014 tutorials program Thursday & Friday
EuroBSDCon 2014 tutorials program Thursday & Fridayeurobsdcon
 
EuroBSDCon 2014 Sofia Welcome
EuroBSDCon 2014 Sofia WelcomeEuroBSDCon 2014 Sofia Welcome
EuroBSDCon 2014 Sofia Welcomeeurobsdcon
 
EuroBSDCon 2014 Sofia Closing talk
EuroBSDCon 2014 Sofia Closing talkEuroBSDCon 2014 Sofia Closing talk
EuroBSDCon 2014 Sofia Closing talkeurobsdcon
 
Submitting documents anonymously by Atanas Chobanov
Submitting documents anonymously by Atanas ChobanovSubmitting documents anonymously by Atanas Chobanov
Submitting documents anonymously by Atanas Chobanoveurobsdcon
 
Porting the drm/kms graphic drivers to DragonFlyBSD by Francois Tigeot
Porting the drm/kms graphic drivers to DragonFlyBSD by Francois TigeotPorting the drm/kms graphic drivers to DragonFlyBSD by Francois Tigeot
Porting the drm/kms graphic drivers to DragonFlyBSD by Francois Tigeoteurobsdcon
 
University of Oslo's TSD service - storing sensitive & restricted data by D...
University of Oslo's TSD service - storing sensitive & restricted data by D... University of Oslo's TSD service - storing sensitive & restricted data by D...
University of Oslo's TSD service - storing sensitive & restricted data by D...eurobsdcon
 
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbelleurobsdcon
 
The LLDB Debugger in FreeBSD by Ed Maste
The LLDB Debugger in FreeBSD by Ed MasteThe LLDB Debugger in FreeBSD by Ed Maste
The LLDB Debugger in FreeBSD by Ed Masteeurobsdcon
 
Porting Valgrind to NetBSD and OpenBSD by Masao Uebayashi
Porting Valgrind to NetBSD and OpenBSD by Masao UebayashiPorting Valgrind to NetBSD and OpenBSD by Masao Uebayashi
Porting Valgrind to NetBSD and OpenBSD by Masao Uebayashieurobsdcon
 
Multiplatform JIT Code Generator for NetBSD by Alexander Nasonov
Multiplatform JIT Code Generator for NetBSD by Alexander NasonovMultiplatform JIT Code Generator for NetBSD by Alexander Nasonov
Multiplatform JIT Code Generator for NetBSD by Alexander Nasonoveurobsdcon
 
OpenStack and OpenContrail for FreeBSD platform by Michał Dubiel
OpenStack and OpenContrail for FreeBSD platform by Michał DubielOpenStack and OpenContrail for FreeBSD platform by Michał Dubiel
OpenStack and OpenContrail for FreeBSD platform by Michał Dubieleurobsdcon
 
Porting NetBSD to the LatticeMico32 open source CPU by Yann Sionneau
Porting NetBSD to the LatticeMico32 open source CPU by Yann SionneauPorting NetBSD to the LatticeMico32 open source CPU by Yann Sionneau
Porting NetBSD to the LatticeMico32 open source CPU by Yann Sionneaueurobsdcon
 
Smartcom's control plane software, a customized version of FreeBSD by Boris A...
Smartcom's control plane software, a customized version of FreeBSD by Boris A...Smartcom's control plane software, a customized version of FreeBSD by Boris A...
Smartcom's control plane software, a customized version of FreeBSD by Boris A...eurobsdcon
 
Bugs Ex Ante by Kristaps Dzonsons
Bugs Ex Ante by Kristaps DzonsonsBugs Ex Ante by Kristaps Dzonsons
Bugs Ex Ante by Kristaps Dzonsonseurobsdcon
 
Cross Building the FreeBSD ports tree by Baptiste Daroussin
Cross Building the FreeBSD ports tree by Baptiste DaroussinCross Building the FreeBSD ports tree by Baptiste Daroussin
Cross Building the FreeBSD ports tree by Baptiste Daroussineurobsdcon
 
Building packages through emulation by Sean Bruno
Building packages through emulation by Sean BrunoBuilding packages through emulation by Sean Bruno
Building packages through emulation by Sean Brunoeurobsdcon
 
Making OpenBSD Useful on the Octeon Network Gear by Paul Irofti
Making OpenBSD Useful on the Octeon Network Gear by Paul IroftiMaking OpenBSD Useful on the Octeon Network Gear by Paul Irofti
Making OpenBSD Useful on the Octeon Network Gear by Paul Iroftieurobsdcon
 
A Reimplementation of NetBSD Based on a Microkernel by Andrew S. Tanenbaum
A Reimplementation of NetBSD Based on a Microkernel by Andrew S. TanenbaumA Reimplementation of NetBSD Based on a Microkernel by Andrew S. Tanenbaum
A Reimplementation of NetBSD Based on a Microkernel by Andrew S. Tanenbaumeurobsdcon
 
Using routing domains / routing tables in a production network by Peter Hessler
Using routing domains / routing tables in a production network by Peter HesslerUsing routing domains / routing tables in a production network by Peter Hessler
Using routing domains / routing tables in a production network by Peter Hesslereurobsdcon
 

More from eurobsdcon (20)

EuroBSDCon 2014 Program Front
EuroBSDCon 2014 Program FrontEuroBSDCon 2014 Program Front
EuroBSDCon 2014 Program Front
 
EuroBSDCon 2014 tutorials program Thursday & Friday
EuroBSDCon 2014 tutorials program Thursday & FridayEuroBSDCon 2014 tutorials program Thursday & Friday
EuroBSDCon 2014 tutorials program Thursday & Friday
 
EuroBSDCon 2014 Sofia Welcome
EuroBSDCon 2014 Sofia WelcomeEuroBSDCon 2014 Sofia Welcome
EuroBSDCon 2014 Sofia Welcome
 
EuroBSDCon 2014 Sofia Closing talk
EuroBSDCon 2014 Sofia Closing talkEuroBSDCon 2014 Sofia Closing talk
EuroBSDCon 2014 Sofia Closing talk
 
Submitting documents anonymously by Atanas Chobanov
Submitting documents anonymously by Atanas ChobanovSubmitting documents anonymously by Atanas Chobanov
Submitting documents anonymously by Atanas Chobanov
 
Porting the drm/kms graphic drivers to DragonFlyBSD by Francois Tigeot
Porting the drm/kms graphic drivers to DragonFlyBSD by Francois TigeotPorting the drm/kms graphic drivers to DragonFlyBSD by Francois Tigeot
Porting the drm/kms graphic drivers to DragonFlyBSD by Francois Tigeot
 
University of Oslo's TSD service - storing sensitive & restricted data by D...
University of Oslo's TSD service - storing sensitive & restricted data by D... University of Oslo's TSD service - storing sensitive & restricted data by D...
University of Oslo's TSD service - storing sensitive & restricted data by D...
 
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell
 
The LLDB Debugger in FreeBSD by Ed Maste
The LLDB Debugger in FreeBSD by Ed MasteThe LLDB Debugger in FreeBSD by Ed Maste
The LLDB Debugger in FreeBSD by Ed Maste
 
Porting Valgrind to NetBSD and OpenBSD by Masao Uebayashi
Porting Valgrind to NetBSD and OpenBSD by Masao UebayashiPorting Valgrind to NetBSD and OpenBSD by Masao Uebayashi
Porting Valgrind to NetBSD and OpenBSD by Masao Uebayashi
 
Multiplatform JIT Code Generator for NetBSD by Alexander Nasonov
Multiplatform JIT Code Generator for NetBSD by Alexander NasonovMultiplatform JIT Code Generator for NetBSD by Alexander Nasonov
Multiplatform JIT Code Generator for NetBSD by Alexander Nasonov
 
OpenStack and OpenContrail for FreeBSD platform by Michał Dubiel
OpenStack and OpenContrail for FreeBSD platform by Michał DubielOpenStack and OpenContrail for FreeBSD platform by Michał Dubiel
OpenStack and OpenContrail for FreeBSD platform by Michał Dubiel
 
Porting NetBSD to the LatticeMico32 open source CPU by Yann Sionneau
Porting NetBSD to the LatticeMico32 open source CPU by Yann SionneauPorting NetBSD to the LatticeMico32 open source CPU by Yann Sionneau
Porting NetBSD to the LatticeMico32 open source CPU by Yann Sionneau
 
Smartcom's control plane software, a customized version of FreeBSD by Boris A...
Smartcom's control plane software, a customized version of FreeBSD by Boris A...Smartcom's control plane software, a customized version of FreeBSD by Boris A...
Smartcom's control plane software, a customized version of FreeBSD by Boris A...
 
Bugs Ex Ante by Kristaps Dzonsons
Bugs Ex Ante by Kristaps DzonsonsBugs Ex Ante by Kristaps Dzonsons
Bugs Ex Ante by Kristaps Dzonsons
 
Cross Building the FreeBSD ports tree by Baptiste Daroussin
Cross Building the FreeBSD ports tree by Baptiste DaroussinCross Building the FreeBSD ports tree by Baptiste Daroussin
Cross Building the FreeBSD ports tree by Baptiste Daroussin
 
Building packages through emulation by Sean Bruno
Building packages through emulation by Sean BrunoBuilding packages through emulation by Sean Bruno
Building packages through emulation by Sean Bruno
 
Making OpenBSD Useful on the Octeon Network Gear by Paul Irofti
Making OpenBSD Useful on the Octeon Network Gear by Paul IroftiMaking OpenBSD Useful on the Octeon Network Gear by Paul Irofti
Making OpenBSD Useful on the Octeon Network Gear by Paul Irofti
 
A Reimplementation of NetBSD Based on a Microkernel by Andrew S. Tanenbaum
A Reimplementation of NetBSD Based on a Microkernel by Andrew S. TanenbaumA Reimplementation of NetBSD Based on a Microkernel by Andrew S. Tanenbaum
A Reimplementation of NetBSD Based on a Microkernel by Andrew S. Tanenbaum
 
Using routing domains / routing tables in a production network by Peter Hessler
Using routing domains / routing tables in a production network by Peter HesslerUsing routing domains / routing tables in a production network by Peter Hessler
Using routing domains / routing tables in a production network by Peter Hessler
 

Recently uploaded

A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Ryan Mahoney - Will Artificial Intelligence Replace Real Estate Agents
Ryan Mahoney - Will Artificial Intelligence Replace Real Estate AgentsRyan Mahoney - Will Artificial Intelligence Replace Real Estate Agents
Ryan Mahoney - Will Artificial Intelligence Replace Real Estate AgentsRyan Mahoney
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 

Recently uploaded (20)

A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Ryan Mahoney - Will Artificial Intelligence Replace Real Estate Agents
Ryan Mahoney - Will Artificial Intelligence Replace Real Estate AgentsRyan Mahoney - Will Artificial Intelligence Replace Real Estate Agents
Ryan Mahoney - Will Artificial Intelligence Replace Real Estate Agents
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 

secure lazy binding, and the 64bit time_t development process by Philip Guenther

  • 1. Table of Contents 1. Secure (and hopefully efficient) Lazy Binding 2. Plan 3. Lazy Binding 4. Goal 5. Dynamic Linking 6. Relocations 7. Position Independent Code 8. amd64 Details 9. amd64 Example 10. Lazy binding 11. Lazy binding, revised 12. Lazy binding, revised again 13. Lazy binding (threaded) 14. Lazy binding (trace) 15. mprotect() costs 16. Solution: kbind 17. ld.so: before and after 18. kbind implementation: amd64 19. Again, With More Feeling: sparc64 20. sparc64 Initial PLT 21. sparc64 PLT Update Example 24. sparc64: kbind again 25. kbind implementation: sparc64 26. How Good Is It 27. Security 28. Locking it down: ideas 29. Locking it down: locked down PC 30. Locking it down: per-process cookie 31. Locking it down: per-thread cookie 32. Locking it down: pass old data too 33. Locking it down: marked mappings 34. Locking it down: permanent mappings 35. Status 36. What else should we do? 37. Questions? Thank you!
  • 2. Prev Next Secure Lazy Binding Slide #1 Secure (and hopefully efficient) Lazy Binding EuroBSDCon 2014 Copyright © 2014 Philip Guenther
  • 3. Prev Next Secure Lazy Binding Slide #1 Secure (and hopefully efficient) Lazy Binding EuroBSDCon 2014 Copyright © 2014 Philip Guenther
  • 4. Prev Next Secure Lazy Binding Slide #2 Plan What's the problem we're trying to solve? What can we do? How good is the solution? Does the solution create new problems? What else should we do? Where are we? EuroBSDCon 2014 Copyright © 2014 Philip Guenther
  • 5. Prev Next Secure Lazy Binding Slide #3 Lazy Binding Lazy binding is the method by which the dynamic linker defers symbol lookups for function calls until the first time the function is called pro: save effort of symbol lookups that aren't used cons: inconsistent call latency violates W^X on some architectures: code or function pointers need to be changed on the fly while being executable! EuroBSDCon 2014 Copyright © 2014 Philip Guenther
  • 6. Prev Next Secure Lazy Binding Slide #3 Lazy Binding Lazy binding is the method by which the dynamic linker defers symbol lookups for function calls until the first time the function is called pro: save effort of symbol lookups that aren't used cons: inconsistent call latency continued... EuroBSDCon 2014 Copyright © 2014 Philip Guenther
  • 7. Prev Next Secure Lazy Binding Slide #4 Goal Make it possible for the dynamic linker to perform lazy binding without creating a window of vulnerability while being efficient EuroBSDCon 2014 Copyright © 2014 Philip Guenther
  • 8. Prev Next Secure Lazy Binding Slide #5 Dynamic Linking Executables don't contain the library code but just reference it Executables are smaller Library can be updated without relinking executables References are by name, e.g., "printf" Dynamic linker handles mapping names to final addresses EuroBSDCon 2014 Copyright © 2014 Philip Guenther
  • 9. Prev Next Secure Lazy Binding Slide #6 Relocations tables created by the assembler and linker recording how the code or data depends on load location or symbol value R_X86_64_RELATIVE rewrite with load location plus some addend R_X86_64_64 rewrite with symbol value plus some addend relocations used by dynamic linker can be split into two groups: immediate: affect data items, pointers to functions lazy: function calls to or from shared objects function call is initially directed to the dynamic linker instead EuroBSDCon 2014 Copyright © 2014 Philip Guenther
  • 10. Prev Next Secure Lazy Binding Slide #6 Relocations tables created by the assembler and linker recording how the code or data depends on load location or symbol value R_X86_64_RELATIVE rewrite with load location plus some addend R_X86_64_64 rewrite with symbol value plus some addend continued... EuroBSDCon 2014 Copyright © 2014 Philip Guenther
  • 11. Prev Next Secure Lazy Binding Slide #6 Relocations tables created by the assembler and linker recording how the code or data depends on load location or symbol value R_X86_64_RELATIVE rewrite with load location plus some addend R_X86_64_64 rewrite with symbol value plus some addend relocations used by dynamic linker can be split into two groups: immediate: affect data items, pointers to functions lazy: function calls to or from shared objects continued... EuroBSDCon 2014 Copyright © 2014 Philip Guenther
  • 12. Prev Next Secure Lazy Binding Slide #7 Position Independent Code We want to maximize sharing of memory between processes text (code) and read-only memory shouldn't change ...even when the library or executable is loaded at a random location (ASLR) generated code accesses variables and functions using relative addresses or by indirecting through a table the mappings needed by a program or library are packed into indirection tables GOT: global offset table stores final addresses of variables and functions PLT: procedure linkage table directly callable stub routines many architecture specific details EuroBSDCon 2014 Copyright © 2014 Philip Guenther
  • 13. Prev Next Secure Lazy Binding Slide #8 amd64 Details PLT is never changed linker knows offset between GOT and PLT PLT code uses "load from %rip-relative address" instructions to get values from GOT initial call to a PLT entry gets another address in the PLT, which calls dynamic linker dynamic linker just updates the GOT entry used by the function's PLT entry i386 is similar, but no %eip-relative addressing caller of PLT has to set %ebx to point to GOT EuroBSDCon 2014 Copyright © 2014 Philip Guenther
  • 14. Prev Next Secure Lazy Binding Slide #8 amd64 Details PLT is never changed linker knows offset between GOT and PLT PLT code uses "load from %rip-relative address" instructions to get values from GOT initial call to a PLT entry gets another address in the PLT, which calls dynamic linker dynamic linker just updates the GOT entry used by the function's PLT entry continued... EuroBSDCon 2014 Copyright © 2014 Philip Guenther
  • 15. Prev Next Secure Lazy Binding Slide #9 amd64 Example extern int foo; extern int bar(int); int call_bar(void) { return bar(foo); } movq foo@GOTPCREL(%rip), %rax # load foo's address from GOT movl (%rax), %edi # read foo's value call bar@PLT # call bar's PLT stub .PLT0: pushq GOT+8(%rip) # push argument for lazy bind code jmp *GOT+16(%rip) # jump to lazy binding entry .... .PLTn: jmp *bar@GOTPCREL(%rip) # load address from JUMP_SLOT in GOT pushq $index1 # load index of JUMP_SLOT relocation jmp .PLT0 # jump to above EuroBSDCon 2014 Copyright © 2014 Philip Guenther
  • 16. Prev Next Secure Lazy Binding Slide #9 amd64 Example extern int foo; extern int bar(int); int call_bar(void) { return bar(foo); } continued... EuroBSDCon 2014 Copyright © 2014 Philip Guenther
  • 17. Prev Next Secure Lazy Binding Slide #9 amd64 Example extern int foo; extern int bar(int); int call_bar(void) { return bar(foo); } movq foo@GOTPCREL(%rip), %rax # load foo's address from GOT movl (%rax), %edi # read foo's value call bar@PLT # call bar's PLT stub continued... EuroBSDCon 2014 Copyright © 2014 Philip Guenther
  • 18. Prev Next Secure Lazy Binding Slide #10 Lazy binding Lazy binding code: resolve symbol to correct address update GOT entry GOT and PLT don't need to be written to by application code! OpenBSD: after loading, both GOT and PLT are mprotect()ed to read-only EuroBSDCon 2014 Copyright © 2014 Philip Guenther
  • 19. Prev Next Secure Lazy Binding Slide #10 Lazy binding Lazy binding code: resolve symbol to correct address update GOT entry continued... EuroBSDCon 2014 Copyright © 2014 Philip Guenther
  • 20. Prev Next Secure Lazy Binding Slide #11 Lazy binding, revised Lazy binding code: resolve symbol to correct address mprotect() the GOT to read-write update GOT entry mprotect() the GOT read-only again but what if a signal is delivered during this and it calls the target function? EuroBSDCon 2014 Copyright © 2014 Philip Guenther
  • 21. Prev Next Secure Lazy Binding Slide #11 Lazy binding, revised Lazy binding code: resolve symbol to correct address mprotect() the GOT to read-write update GOT entry mprotect() the GOT read-only again continued... EuroBSDCon 2014 Copyright © 2014 Philip Guenther
  • 22. Prev Next Secure Lazy Binding Slide #12 Lazy binding, revised again Lazy binding code: resolve symbol to correct address block all signals with sigprocmask() mprotect() the GOT to read-write update GOT entry mprotect() the GOT read-only again restore signal mask with sigprocmask() but what if another thread calls the target function? EuroBSDCon 2014 Copyright © 2014 Philip Guenther
  • 23. Prev Next Secure Lazy Binding Slide #12 Lazy binding, revised again Lazy binding code: resolve symbol to correct address block all signals with sigprocmask() mprotect() the GOT to read-write update GOT entry mprotect() the GOT read-only again restore signal mask with sigprocmask() continued... EuroBSDCon 2014 Copyright © 2014 Philip Guenther
  • 24. Prev Next Secure Lazy Binding Slide #13 Lazy binding (threaded) Lazy binding code: resolve symbol to correct address block all signals with sigprocmask() grab bind spinlock mprotect() the GOT to read-write update GOT or PLT entry mprotect() the GOT read-only again release bind spinlock restore signal mask with sigprocmask() EuroBSDCon 2014 Copyright © 2014 Philip Guenther
  • 25. Prev Next Secure Lazy Binding Slide #14 Lazy binding (trace) CALL sigprocmask(SIG_BLOCK,~0<>) RET sigprocmask 0<> CALL mprotect(0x16bc657ac000,0x3000,0x3<PROT_READ|PROT_WRITE>) RET mprotect 0 CALL mprotect(0x16bc657ac000,0x3000,0x1<PROT_READ>) RET mprotect 0 CALL sigprocmask(SIG_SETMASK,0<>) RET sigprocmask ~0x10100<SIGKILL|SIGSTOP> CALL ioctl(0,TIOCGETA,0x7f7ffffcbbb0) RET ioctl 0 EuroBSDCon 2014 Copyright © 2014 Philip Guenther
  • 26. Prev Next Secure Lazy Binding Slide #15 mprotect() costs When you add a permission to a page, the update can be lazy kernel notes the change but doesn't update the hardware mapping when the process tries to use that permission, it faults and the fault handler fixes it up to work When you remove a permission from a page, the update must be immediate update the page tables and flush the involved TLB entries if process has threads running on other CPUs, need to force them to do that too not cheap... ...and we don't even want other threads to be able to see the change! EuroBSDCon 2014 Copyright © 2014 Philip Guenther
  • 27. Prev Next Secure Lazy Binding Slide #15 mprotect() costs When you add a permission to a page, the update can be lazy kernel notes the change but doesn't update the hardware mapping when the process tries to use that permission, it faults and the fault handler fixes it up to work When you remove a permission from a page, the update must be immediate update the page tables and flush the involved TLB entries if process has threads running on other CPUs, need to force them to do that too not cheap... continued... EuroBSDCon 2014 Copyright © 2014 Philip Guenther
  • 28. Prev Next Secure Lazy Binding Slide #16 Solution: kbind syscall to do PLT/GOT update kbind(void *addr, size_t len, void *data) address and length of memory to update buffer of copy there performs same permission checks and copy-on-write handling as mprotect and page fault uninterruptible: no signal issues VM and pmap have to provide whatever locking is necessary in kernel EuroBSDCon 2014 Copyright © 2014 Philip Guenther
  • 29. Prev Next Secure Lazy Binding Slide #17 ld.so: before and after before: /* set the GOT to RW */ sigprocmask(SIG_BLOCK, &allsigs, &savedmask); spinlock_lock(&bind_lock); /* libpthread cb */ mprotect(object->got_start, object->got_size, PROT_READ|PROT_WRITE); *(Elf_Addr *)addr = newval; /* put the GOT back to RO */ mprotect(object->got_start, object->got_size, PROT_READ); spinlock_unlock(&bind_lock); /* libpthread cb */ sigprocmask(SIG_SETMASK, &curset, NULL); after: kbind(addr, sizeof(Elf_Addr), &newval); kbind(0x171d762ebd8,0x8,0x7f7ffffde1f8) kbind 0 ioctl(0,TIOCGETA,0x7f7ffffde2f0) ioctl 0 EuroBSDCon 2014 Copyright © 2014 Philip Guenther
  • 30. Prev Next Secure Lazy Binding Slide #17 ld.so: before and after before: /* set the GOT to RW */ sigprocmask(SIG_BLOCK, &allsigs, &savedmask); spinlock_lock(&bind_lock); /* libpthread cb */ mprotect(object->got_start, object->got_size, PROT_READ|PROT_WRITE); *(Elf_Addr *)addr = newval; /* put the GOT back to RO */ mprotect(object->got_start, object->got_size, PROT_READ); spinlock_unlock(&bind_lock); /* libpthread cb */ sigprocmask(SIG_SETMASK, &curset, NULL); continued... EuroBSDCon 2014 Copyright © 2014 Philip Guenther
  • 31. Prev Next Secure Lazy Binding Slide #17 ld.so: before and after before: /* set the GOT to RW */ sigprocmask(SIG_BLOCK, &allsigs, &savedmask); spinlock_lock(&bind_lock); /* libpthread cb */ mprotect(object->got_start, object->got_size, PROT_READ|PROT_WRITE); *(Elf_Addr *)addr = newval; /* put the GOT back to RO */ mprotect(object->got_start, object->got_size, PROT_READ); spinlock_unlock(&bind_lock); /* libpthread cb */ sigprocmask(SIG_SETMASK, &curset, NULL); after: kbind(addr, sizeof(Elf_Addr), &newval); continued... EuroBSDCon 2014 Copyright © 2014 Philip Guenther
  • 32. Prev Next Secure Lazy Binding Slide #18 kbind implementation: amd64 OpenBSD/amd64 has "direct pmap": direct map in VA always maps all PA Copy new data into buffer in kernel uvm_fault(map, baseva, VM_FAULT_WIRE, VM_PROT_NONE) force copy-on-write resolution force page to be physically in memory and unpageable physical page has "maximal" permissions for mapping pmap_extract(map->pmap, baseva, &paddr) kva = PMAP_DIRECT_MAP(paddr) get kernel's direct mapped address of the underlying physical page bcopy(buffer, kva + offset, len) update the wired-in physical page uvm_fault_unwire(map, last_baseva, last_baseva + PAGE_SIZE) permit page to be paged again EuroBSDCon 2014 Copyright © 2014 Philip Guenther
  • 33.
  • 34. Prev Next Secure Lazy Binding Slide #19 Again, With More Feeling: sparc64 GOT is never changed after the library is loaded initial PLT stubs load index and jump to common stub, which does call to dynamic linker dynamic linker updates the PLT code sequence to jump to the final address many possible sequences depending on the relative and absolute address within 2^21 of the PLT entry? within 2^31 of address zero? hard to exercise, ergo buggy: incorrect offset calculations, wrong ASM PLT could be called by another thread while changing it instruction sequence must always be safely executable change it in two steps EuroBSDCon 2014 Copyright © 2014 Philip Guenther
  • 35. Prev Next Secure Lazy Binding Slide #19 Again, With More Feeling: sparc64 GOT is never changed after the library is loaded initial PLT stubs load index and jump to common stub, which does call to dynamic linker dynamic linker updates the PLT code sequence to jump to the final address many possible sequences depending on the relative and absolute address within 2^21 of the PLT entry? within 2^31 of address zero? continued... EuroBSDCon 2014 Copyright © 2014 Philip Guenther
  • 36. Prev Next Secure Lazy Binding Slide #19 Again, With More Feeling: sparc64 GOT is never changed after the library is loaded initial PLT stubs load index and jump to common stub, which does call to dynamic linker dynamic linker updates the PLT code sequence to jump to the final address many possible sequences depending on the relative and absolute address within 2^21 of the PLT entry? within 2^31 of address zero? hard to exercise, ergo buggy: incorrect offset calculations, wrong ASM continued... EuroBSDCon 2014 Copyright © 2014 Philip Guenther
  • 37. Prev Next Secure Lazy Binding Slide #20 sparc64 Initial PLT .PLT1: save %sp, -176, %sp # create stack frame ... # calculate lazy bind addr and jump ... .PLTn: sethi (. - .PLT0), %g1 # load offset of entry ba,a %xcc, .PLT1 # jump to above nop; nop nop; nop nop; nop EuroBSDCon 2014 Copyright © 2014 Philip Guenther
  • 38. Prev Next Secure Lazy Binding Slide #21 sparc64 PLT Update Example target address within 2^31 of PLT slot .PLTn: sethi (. - .PLT0), %g1 # load offset of entry mov %o7, %g1 # save return address in %g1 call (addr - .) # relative call mov %g1, %o7 # restore return address nop; nop nop; nop .PLTn: sethi (. - .PLT0), %g1 # load offset of entry mov %o7, %g1 # save return address in %g1 nop; nop nop; nop nop; nop EuroBSDCon 2014 Copyright © 2014 Philip Guenther
  • 39. Prev Next Secure Lazy Binding Slide #21 sparc64 PLT Update Example target address within 2^31 of PLT slot .PLTn: sethi (. - .PLT0), %g1 # load offset of entry mov %o7, %g1 # save return address in %g1 call (addr - .) # relative call mov %g1, %o7 # restore return address nop; nop nop; nop continued... EuroBSDCon 2014 Copyright © 2014 Philip Guenther
  • 40. Prev Next Secure Lazy Binding Slide #22 sparc64 PLT Update Example .PLTn: sethi (. - .PLT0), %g1 # load offset of entry ba,a %xcc, .PLT1 # jump to above call (addr - .) # relative call mov %g1, %o7 # restore return address nop; nop nop; nop EuroBSDCon 2014 Copyright © 2014 Philip Guenther
  • 41. Prev Next Secure Lazy Binding Slide #23 sparc64 PLT Update Example .PLTn: sethi (. - .PLT0), %g1 # load offset of entry mov %o7, %g1 # save return address in %g1 call (addr - .) # relative call mov %g1, %o7 # restore return address nop; nop nop; nop so we need to pass the kernel two blocks to copy into place EuroBSDCon 2014 Copyright © 2014 Philip Guenther
  • 42. Prev Next Secure Lazy Binding Slide #24 sparc64: kbind again kbind(void *param, size_t plen) address length new data new data address length new data EuroBSDCon 2014 Copyright © 2014 Philip Guenther
  • 43. Prev Next Secure Lazy Binding Slide #25 kbind implementation: sparc64 Copy new data into buffer in kernel for each block: uvm_map_extract(map, baseva, PAGE_SIZE, &kva, UVM_EXTRACT_FIXPROT) force copy-on-write resolution map that userspace VA into the kernel map, with max permitted permissions bcopy(buffer, kva + offset, len) update the page via the kernel mapping actually use word-sized writes uvm_unmap_remove(kernel_map, kva, kva+PAGE_SIZE, &dead_entries, FALSE, TRUE) remove the page from the kernel map uvm_unmap_detach(&dead_entries, AMAP_REFALL) clean up/release references to backing objects EuroBSDCon 2014 Copyright © 2014 Philip Guenther
  • 44. Prev Next Secure Lazy Binding Slide #26 How Good Is It 4% That's the savings in real time for a make build, both amd64 and sparc64 much of that is in the make install step: lots of short-lived processes current version is not always faster kbind() only touches the specific page involved, no read-ahead? EuroBSDCon 2014 Copyright © 2014 Philip Guenther
  • 45. Prev Next Secure Lazy Binding Slide #26 How Good Is It 4% continued... EuroBSDCon 2014 Copyright © 2014 Philip Guenther
  • 46. Prev Next Secure Lazy Binding Slide #26 How Good Is It 4% That's the savings in real time for a make build, both amd64 and sparc64 much of that is in the make install step: lots of short-lived processes continued... EuroBSDCon 2014 Copyright © 2014 Philip Guenther
  • 47. Prev Next Secure Lazy Binding Slide #27 Security Sweet, a syscall that can change read-only memory! Hmmm, this is a power that can only be used for Good Or Evil Can we make it only capable of resolving lazy bindings to their correct values? Only want dynamic linker to be able to call this Don't want this to be useful as a target of Return-Oriented-Programming Don't want it to be able to change arbitrary memory EuroBSDCon 2014 Copyright © 2014 Philip Guenther
  • 48. Prev Next Secure Lazy Binding Slide #28 Locking it down: ideas if any check fails, kill the process, uncatchable: sigexit() only permit kbind() syscall from one address pass a per-process cookie pass a per-thread cookie that the kernel updates on each call pass the kernel both the expected old data and the new data mark the mappings which kbind() is allowed to alter with a new mprotect() bit mark the GOT and PLT as not permitting further mprotect() changes mark dynamic linker code and data as not permitting munmap() or further mprotect() changes EuroBSDCon 2014 Copyright © 2014 Philip Guenther
  • 49. Prev Next Secure Lazy Binding Slide #29 Locking it down: locked down PC only permit kbind() syscall from one address struct process has caddr_t ps_kbind_addr copied on fork(), zeroed on execve() kbind() extracts the return address from the syscall trap frame if ps_kbind_addr is zero, this is first call, so set it otherwise, if they don't match then sigexit(SIGILL) if called with NULL parameters ("change nothing"), then set ps_kbind_addr to impossible address C startup code for static executables can use that to disable kbind() for them dynamic linker has syscall as inline ASM and is built with -fstack-protector if you jump into the middle of _dl_bind() to get to the syscall, on return the stack protector will catch you EuroBSDCon 2014 Copyright © 2014 Philip Guenther
  • 50. Prev Next Secure Lazy Binding Slide #30 Locking it down: per-process cookie pass a per-process cookie kernel saves value from first call in struct process, ps_kbind_cookie mismatch in later call? sigexit(SIGILL) variable placed in PT_OPENBSD_RANDOMIZE segment, filled with random bytes by kernel _dl_bind() loads the cookie before calculating the GOT/PLT changes to pass to the kernel attacker can't use ld.so's "load the cookie" code with its own changes ...but the variable's address is static offset within ld.so memory EuroBSDCon 2014 Copyright © 2014 Philip Guenther
  • 51. Prev Next Secure Lazy Binding Slide #31 Locking it down: per-thread cookie pass a per-thread cookie and its address kernel saves value from first call in each thread in struct proc, p_kbind_cookie mismatch in later call? sigexit(SIGILL) generate new value and copy it out to supplied address reserve space for the cookie in TCB problems: have to (finally...) push TCB management code into ld.so cookie is easy to find; lots of code in libpthread has to access it, probably plenty of ROP gadgets probably will remove EuroBSDCon 2014 Copyright © 2014 Philip Guenther
  • 52. Prev Next Secure Lazy Binding Slide #31 Locking it down: per-thread cookie pass a per-thread cookie and its address kernel saves value from first call in each thread in struct proc, p_kbind_cookie mismatch in later call? sigexit(SIGILL) generate new value and copy it out to supplied address reserve space for the cookie in TCB continued... EuroBSDCon 2014 Copyright © 2014 Philip Guenther
  • 53. Prev Next Secure Lazy Binding Slide #32 Locking it down: pass old data too pass the kernel both the expected old data and the new data compare each word against both old and new already new? do nothing matches old? update to new match neither? sigexit(SIGILL) sounds nice, but the kernel isn't really checking the data for validity there's a corner case where an entry can legitimately change the value it should resolve to will remove EuroBSDCon 2014 Copyright © 2014 Philip Guenther
  • 54. Prev Next Secure Lazy Binding Slide #32 Locking it down: pass old data too pass the kernel both the expected old data and the new data compare each word against both old and new already new? do nothing matches old? update to new match neither? sigexit(SIGILL) sounds nice, but the kernel isn't really checking the data for validity continued... EuroBSDCon 2014 Copyright © 2014 Philip Guenther
  • 55. Prev Next Secure Lazy Binding Slide #33 Locking it down: marked mappings mark the mappings which kbind() is allowed to alter with a new mprotect() bit mprotect(got_addr, got_len, PROT_READ | __PROT_KBIND) kbind() verifies that that bit is set, else sigexit(SIGILL) mark the GOT and PLT as not permitting further mprotect() changes mprotect(got_addr, got_len, PROT_READ | __PROT_KBIND | __PROT_LOCKPROT) kbind() can only change those pages; those pages can only be changed by kbind() EuroBSDCon 2014 Copyright © 2014 Philip Guenther
  • 56. Prev Next Secure Lazy Binding Slide #33 Locking it down: marked mappings mark the mappings which kbind() is allowed to alter with a new mprotect() bit mprotect(got_addr, got_len, PROT_READ | __PROT_KBIND) kbind() verifies that that bit is set, else sigexit(SIGILL) continued... EuroBSDCon 2014 Copyright © 2014 Philip Guenther
  • 57. Prev Next Secure Lazy Binding Slide #34 Locking it down: permanent mappings mmap() and munmap() can effectively override mprotect() by remapping over protected page doesn't make sense to unmap dynamic linker or libc, for that matter test for DT_FLAGS_1 NODELETE new mmap() or madvise() flag to mark a mapping as permanent and only removable via execve()? EuroBSDCon 2014 Copyright © 2014 Philip Guenther
  • 58. Prev Next Secure Lazy Binding Slide #35 Status Not committed yet Have working code on amd64, sparc64, and i386 powerpc will require converting to "secure PLT" ABI haven't dug into the others (alpha, m88k, mips64, sh, hppa) yet Need to update the security measures implemented Performance should be consistently better EuroBSDCon 2014 Copyright © 2014 Philip Guenther
  • 59. Prev Next Secure Lazy Binding Slide #36 What else should we do? better shared library symbol management ELF hidden visibility: libraries can bind directly to their own symbols OpenBSD/amd64 libc.so has 771 PLT entries, but only a few are necessary EuroBSDCon 2014 Copyright © 2014 Philip Guenther
  • 60. Prev Next Secure Lazy Binding Slide #37 Questions? Thank you! EuroBSDCon 2014 Copyright © 2014 Philip Guenther