Abstract
A common security measure is now to reduce or eliminate the presence of process memory that is both writable and executable. However, the dynamic linker needs to make changes to executable pages when binding lazy references. In multi-threaded programs this creates a window of vulnerability. Depending on the system architecture, it may also result in extra cache or TLB flushes to maintain coherency on multi-processor systems. I'll describe the implementation and use of kbind(), a machine-independent system call for secure and efficient binding of lazy references.
Speaker bio
Philip was initiated in UNIX system administration in 1992 as a student at Saint Olaf College, where he got involved in Open Source software including procmail and amd. In December 2000 he joined Sendmail Inc and worked on threaded IMAP/POP3/LMTP servers. He started using OpenBSD actively several years later but didn't join the project until July 2008 after the status of the threads implementation started to annoy him. Philip is currently a Director of Engineering at Proofpoint, Inc.
TeamStation AI System Report LATAM IT Salaries 2024
secure lazy binding, and the 64bit time_t development process by Philip Guenther
1. Table of Contents
1. Secure (and hopefully efficient) Lazy Binding
2. Plan
3. Lazy Binding
4. Goal
5. Dynamic Linking
6. Relocations
7. Position Independent Code
8. amd64 Details
9. amd64 Example
10. Lazy binding
11. Lazy binding, revised
12. Lazy binding, revised again
13. Lazy binding (threaded)
14. Lazy binding (trace)
15. mprotect() costs
16. Solution: kbind
17. ld.so: before and after
18. kbind implementation: amd64
19. Again, With More Feeling: sparc64
20. sparc64 Initial PLT
21. sparc64 PLT Update Example
24. sparc64: kbind again
25. kbind implementation: sparc64
26. How Good Is It
27. Security
28. Locking it down: ideas
29. Locking it down: locked down PC
30. Locking it down: per-process cookie
31. Locking it down: per-thread cookie
32. Locking it down: pass old data too
33. Locking it down: marked mappings
34. Locking it down: permanent mappings
35. Status
36. What else should we do?
37. Questions? Thank you!