SlideShare a Scribd company logo
 Is possible to program in a correct way?
(7500 / 6) / 5 =
250 lines/man/year
Windows has about 50
mills lines of code
 Is possible to program in a correct way?
 Security by correctness
 Security by isolation
 Security by obscurity
 Security by randomization
 Why choosing?
 According to the SDL
 Designed to stop the attacker
 If the countermeasure does not stop the
attacker, it is a vulnerable
countermeasure.
 Designed to slow the attacker
 Effective
 Low - effort
 Can be located at…
 … the compiler
 … the operating system
 … the hardware
LLVM / CLANG
 -FORTIFY_SOURCE (buffer overflow detection).
 works by computing the number of bytes that are going
to be copied
 provides buffer overflow checks for the following
functions (and wide character variants):
 memcpy, mempcpy, memmove, memset, strcpy,
stpcpy, strncpy, strcat, strncat, sprintf, vsprintf,
snprintf, vsnprintf, gets.
 argument consistency is checked
 -D_FORTIFY_SOURCE=1  checks that shouldn't change the
behavior of conforming programs are performed. Checks at
compile-time only.
 -D_FORTIFY_SOURCE=2  some more checking is added,
but some conforming programs might fail. Checks at
compile-time and runtime.
 Enable warnings:
 -Warray-bounds: Compile time out of bounds checks
 -Wformat=2 -Wformat-security: Format string warnings
 /WE4789
 Warns about buffer overrun when specific C run-time
(CRT) functions are used, parameters are passed, and
assignments are performed, such that the data sizes are
known at compile time. This warning is for situations
that might elude typical data-size mismatch detection.
 strcpy, memset, memcpy, wmemcpy
 Replace with secure version of the functions
#define _CRT_SECURE_CPP_OVERLOAD_STANDARD_NAMES 1
#define _CRT_SECURE_CPP_OVERLOAD_STANDARD_NAMES_COUNT 1
 The compiler place a value before the return address when
a function is called and check that the value has not
changed when the function finalize
 Terminator Canaries
 Random Canaries
 Random XOR Canaries
 Deprecated:
 StackGuard
 ProPolice (reorders variables)
 -fstack-protector: Buffer size > 8B && functions that call alloc
 -fstack-protector-explicit: stack_protect attrb.
 -fstack-protector-all: All 
 -fstack-protector-strong: paranoid conditions
 AddressSanitizer (en gcc desde 4.8)
 -fsanitize=address
 UndefinedBehaviorSanitizer (UBSan)
 -fsanitize=undefined All kind of undefined behaviours
 -fsanitize=integer undefined or suspicious integer behavior
 -fsanitize=nullability While violating nullability does not have
undefined behavior, it is often unintentional
 -fsanitize=bounds Detects out-of-bounds access of arrays.
 -fsanitize=bounds-strict Enables strict checking
 ThreadSanitizer
 -fsanitize=thread Detects data races
 Microsoft Visual C++ 2003
 /GS Stack-Based Buffer Overrun Detection
 Microsoft Visual C++ 2005
 Buffers reordering
 Parameter Shadowing
 Microsoft Visual C++ 2005 SP1
 #pragma strict_gs_check(on)
 More aggressive heuristics
 Microsoft Visual C++ 2010
 wider scope of protected functions
 optimize away the unneeded security cookies
 disable for specific functions with __declspec(safebuffers)
 choose different level of GS protections through /GS:n:
 /GS:1 VC++ 2005 and 2008
 /GS:2 widened scope (default)
 Microsoft Visual C++ 2011
 Detects range violation
 /SAFESEH
 /GS does not protect exception handler records
 Instead of protection the stack (by putting a cookie before
the return address), modules compiled with this flag will
include a list of all known addresses that can be used as
exception handler functions.
 If an exception occurs, the application will check if the
address in the SEH chain records belongs to the list with
"known" functions, if the address belongs to a module
that was compiled with SafeSEH. If that is not the case,
the application will be terminated without jumping to the
corrupted handler.
 /RTC Runtime error checks
 /RTCs: stack-frame runtime error checking
 /RTCu: variable used before initialization
 /RTCc: value assigned to a smaller data type
 /RTC1 === /RTCsu
 Code is code and data is
data
 Hardware mechanism
widely deployed (every
computer since 2001)
 Enabled by default in all modern compilers
-z,noexecstack, -z,noexecheap /NXCompat
 Address Space Layout Randomization
 The code is loaded in different memory regions each time
 Implemented by the operating system
 To be of any use, you must also have DEP enabled
 But code needs to be “position independant”
 Compiled with
 -fPIE -pie for binaries
 -fPIC for shared libraries.
 By default, Windows® will only juggle system components
around. If you want your image to be moved around by the
operating system (highly recommended), then you should link
with:
 /DYNAMICBASE (since VS 2005 SP1)
 /HIGHENTROPYVA (since VS 2012) uses ASLR with 64 bits
addresses
 It also randomizes the stack
 Restricts the control-flow of an application
to valid execution traces. CFI enforces this property by
monitoring the program at runtime and comparing its
state to a set of precomputed valid states. If an invalid
state is detected, an alert is raised, usually terminating the
application.
 CFI detects control-flow hijacking attacks by limiting the
targets of control-flow transfers. In a control-flow hijack
attack an attacker redirects the control-flow of the
application to locations that would not be reached in a
benign execution, e.g., to injected code or to code that is
reused in an alternate context.
 -fsanitize=cfi
 Optimized for performance
 To allow the checks to be implemented efficiently, the
program must be structured such that certain object files are
compiled with CFI enabled, and are statically linked into the
program. This may preclude the use of shared libraries in
some cases.
 -fvisibility=hidden otherwise would disable CFI checks for
classes without visibility attributes
 Control Flow Guard: operates by creating a per-process
bitmap, where a set bit indicates that the address is a valid
destination. Before performing each indirect function call, the
application checks if the destination address is in the bitmap.
If the destination address is not in the bitmap, the program
terminates.
 /guard:cf linker flag (VS2015)
 Requires OS support: Windows 10 or 8.1 U3
 C++ polymorphism  vtables
 An attacker could exploit an use-after-free error to hijack
the vtable using heap spraying (80% attacks)
 Detects modifications in the vtable
 Extra entry added to vtable
 ASLR makes this entry’s value unknown to the
attacker
 Check added:
 if vtable[vtguard_vte] != vtguard then
terminate the process
Celement::`vftable´
VirtualMethod1
VirtualMethod2
…
vtguard
 gcc > 4.9
 -fvtable-verify=std
 -fvtable-verify=preinit
 Much more complex implementation by Google team
 Not dependent on ASLR
 https://gcc.gnu.org/wiki/cauldron2012?action=AttachFile
&do=get&target=cmtice.pdf
 RELRO -Wl,-z,relro:
 the ELF sections are reordered so that the ELF internal
data sections (.got, .dtors, etc.) precede the program's
data sections (.data and .bss)
 non-PLT GOT is read-only
 -z,now: tell the dynamic linker to resolve all symbols when
the program is started, or when the shared library is linked
to using dlopen. Improves the effectiveness of RELRO
 the entire GOT is also (re)mapped as read-only
 -ftrapv: Generates traps for signed overflow (may interfere
with UBSAN)
 -mmitigate-rop: Attempt to compile code without
unintended return addresses, making ROP just a little
harder.
 -z,nodlopen and -z,nodump: Might help in reducing an
attacker's ability to load and manipulate a shared object.
 -fomit-frame-pointer: difficults reversing and debugging
 -fstack-check: Prevents the stack-pointer from moving into
another memory region without accessing the stack guard-
page.
 -Wall -Wextra: enables many warnings
 --analyze: performs various analysis of LLVM assembly
code or bytecode and prints the results on standard
output
 /INTEGRITYCHECK places a flag in the binary that instructs
the loader to verify the module's signature at load time.
 /HOTPATCH Enables binary hot patching
 /SDL enables a superset of the baseline security checks
 enables some warnings as errors:
 enables the strict mode of /GS run-time buffer overrun detection,
 performs runtime limited pointer sanitization
 automatically initializes all class members to zero on object
instantiation
 /ANALYZE Enterprise static code analysis (freely available
with Windows SDK for Windows Server 2008 and .NET
Framework 3.5).
See https://randomascii.wordpress.com/2011/10/15/try-analyze-for-free/
 Beware of optimization unstable code!
 Beware of optimization unstable code!
jtsec: Beyond IT Security
c/ Abeto s/n Edificio CEG Oficina 2B
CP 18230 Granada – Atarfe – Spain
hello@jtsec.es
@jtsecES
www.jtsec.es

More Related Content

What's hot

Transactional Memory
Transactional MemoryTransactional Memory
Transactional Memory
Smruti Sarangi
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacks
Japneet Singh
 
Anatomy of a Buffer Overflow Attack
Anatomy of a Buffer Overflow AttackAnatomy of a Buffer Overflow Attack
Anatomy of a Buffer Overflow Attack
Rob Gillen
 
不深不淺,帶你認識 LLVM (Found LLVM in your life)
不深不淺,帶你認識 LLVM (Found LLVM in your life)不深不淺,帶你認識 LLVM (Found LLVM in your life)
不深不淺,帶你認識 LLVM (Found LLVM in your life)
Douglas Chen
 
Advanced System Security and Digital Forensics
Advanced System Security and Digital ForensicsAdvanced System Security and Digital Forensics
Advanced System Security and Digital Forensics
Dr. Ramchandra Mangrulkar
 
Cgc2
Cgc2Cgc2
syzbot and the tale of million kernel bugs
syzbot and the tale of million kernel bugssyzbot and the tale of million kernel bugs
syzbot and the tale of million kernel bugs
Dmitry Vyukov
 
Sstic 2015 detailed_version_triton_concolic_execution_frame_work_f_saudel_jsa...
Sstic 2015 detailed_version_triton_concolic_execution_frame_work_f_saudel_jsa...Sstic 2015 detailed_version_triton_concolic_execution_frame_work_f_saudel_jsa...
Sstic 2015 detailed_version_triton_concolic_execution_frame_work_f_saudel_jsa...
Jonathan Salwan
 
Specification-Based Test Program Generation for ARM VMSAv8-64 MMUs
Specification-Based Test Program Generation for ARM VMSAv8-64 MMUsSpecification-Based Test Program Generation for ARM VMSAv8-64 MMUs
Specification-Based Test Program Generation for ARM VMSAv8-64 MMUs
Alexander Kamkin
 
Developer support/process automation tools
Developer support/process automation toolsDeveloper support/process automation tools
Developer support/process automation tools
Dmitry Vyukov
 
Report on hacking blind
Report on hacking blindReport on hacking blind
Report on hacking blind
NikitaAndhale
 
Systemtap
SystemtapSystemtap
SystemtapFeng Yu
 
Breaking paravirtualized devices
Breaking paravirtualized devicesBreaking paravirtualized devices
Breaking paravirtualized devices
Priyanka Aash
 
Transactional Memory
Transactional MemoryTransactional Memory
Transactional Memory
Yuuki Takano
 
Return oriented programming
Return oriented programmingReturn oriented programming
Return oriented programming
hybr1s
 
Back to the CORE
Back to the COREBack to the CORE
Back to the CORE
Peter Hlavaty
 
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows Kernel
Peter Hlavaty
 
DARPA CGC and DEFCON CTF: Automatic Attack and Defense Technique
DARPA CGC and DEFCON CTF: Automatic Attack and Defense TechniqueDARPA CGC and DEFCON CTF: Automatic Attack and Defense Technique
DARPA CGC and DEFCON CTF: Automatic Attack and Defense Technique
Chong-Kuan Chen
 
CSW2017 Amanda rousseau cansecwest2017_net_hijacking_powershell
CSW2017 Amanda rousseau cansecwest2017_net_hijacking_powershellCSW2017 Amanda rousseau cansecwest2017_net_hijacking_powershell
CSW2017 Amanda rousseau cansecwest2017_net_hijacking_powershell
CanSecWest
 
Course lecture - An introduction to the Return Oriented Programming
Course lecture - An introduction to the Return Oriented ProgrammingCourse lecture - An introduction to the Return Oriented Programming
Course lecture - An introduction to the Return Oriented Programming
Jonathan Salwan
 

What's hot (20)

Transactional Memory
Transactional MemoryTransactional Memory
Transactional Memory
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacks
 
Anatomy of a Buffer Overflow Attack
Anatomy of a Buffer Overflow AttackAnatomy of a Buffer Overflow Attack
Anatomy of a Buffer Overflow Attack
 
不深不淺,帶你認識 LLVM (Found LLVM in your life)
不深不淺,帶你認識 LLVM (Found LLVM in your life)不深不淺,帶你認識 LLVM (Found LLVM in your life)
不深不淺,帶你認識 LLVM (Found LLVM in your life)
 
Advanced System Security and Digital Forensics
Advanced System Security and Digital ForensicsAdvanced System Security and Digital Forensics
Advanced System Security and Digital Forensics
 
Cgc2
Cgc2Cgc2
Cgc2
 
syzbot and the tale of million kernel bugs
syzbot and the tale of million kernel bugssyzbot and the tale of million kernel bugs
syzbot and the tale of million kernel bugs
 
Sstic 2015 detailed_version_triton_concolic_execution_frame_work_f_saudel_jsa...
Sstic 2015 detailed_version_triton_concolic_execution_frame_work_f_saudel_jsa...Sstic 2015 detailed_version_triton_concolic_execution_frame_work_f_saudel_jsa...
Sstic 2015 detailed_version_triton_concolic_execution_frame_work_f_saudel_jsa...
 
Specification-Based Test Program Generation for ARM VMSAv8-64 MMUs
Specification-Based Test Program Generation for ARM VMSAv8-64 MMUsSpecification-Based Test Program Generation for ARM VMSAv8-64 MMUs
Specification-Based Test Program Generation for ARM VMSAv8-64 MMUs
 
Developer support/process automation tools
Developer support/process automation toolsDeveloper support/process automation tools
Developer support/process automation tools
 
Report on hacking blind
Report on hacking blindReport on hacking blind
Report on hacking blind
 
Systemtap
SystemtapSystemtap
Systemtap
 
Breaking paravirtualized devices
Breaking paravirtualized devicesBreaking paravirtualized devices
Breaking paravirtualized devices
 
Transactional Memory
Transactional MemoryTransactional Memory
Transactional Memory
 
Return oriented programming
Return oriented programmingReturn oriented programming
Return oriented programming
 
Back to the CORE
Back to the COREBack to the CORE
Back to the CORE
 
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows Kernel
 
DARPA CGC and DEFCON CTF: Automatic Attack and Defense Technique
DARPA CGC and DEFCON CTF: Automatic Attack and Defense TechniqueDARPA CGC and DEFCON CTF: Automatic Attack and Defense Technique
DARPA CGC and DEFCON CTF: Automatic Attack and Defense Technique
 
CSW2017 Amanda rousseau cansecwest2017_net_hijacking_powershell
CSW2017 Amanda rousseau cansecwest2017_net_hijacking_powershellCSW2017 Amanda rousseau cansecwest2017_net_hijacking_powershell
CSW2017 Amanda rousseau cansecwest2017_net_hijacking_powershell
 
Course lecture - An introduction to the Return Oriented Programming
Course lecture - An introduction to the Return Oriented ProgrammingCourse lecture - An introduction to the Return Oriented Programming
Course lecture - An introduction to the Return Oriented Programming
 

Similar to Mitigating overflows using defense in-depth. What can your compiler do for you?

Metasploit: Pwnage and Ponies
Metasploit: Pwnage and PoniesMetasploit: Pwnage and Ponies
Metasploit: Pwnage and Ponies
Trowalts
 
Backtrack Manual Part6
Backtrack Manual Part6Backtrack Manual Part6
Backtrack Manual Part6
Nutan Kumar Panda
 
Metasploit - Basic and Android Demo
Metasploit  - Basic and Android DemoMetasploit  - Basic and Android Demo
Metasploit - Basic and Android Demo
Arpit Agarwal
 
Intrusion Techniques
Intrusion TechniquesIntrusion Techniques
Intrusion Techniques
Festival Software Livre
 
Fuzzing_with_Xen.pdf
Fuzzing_with_Xen.pdfFuzzing_with_Xen.pdf
Fuzzing_with_Xen.pdf
distortdistort
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Chong-Kuan Chen
 
OffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with XenOffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with Xen
Tamas K Lengyel
 
Hardening Linux, introducing Securix GNU/Linux
Hardening Linux, introducing Securix GNU/LinuxHardening Linux, introducing Securix GNU/Linux
Hardening Linux, introducing Securix GNU/Linux
Martin Holovský
 
systemverilog-interview-questions.docx
systemverilog-interview-questions.docxsystemverilog-interview-questions.docx
systemverilog-interview-questions.docx
ssuser1c8ca21
 
Hardening Linux and introducing Securix Linux
Hardening Linux and introducing Securix LinuxHardening Linux and introducing Securix Linux
Hardening Linux and introducing Securix Linux
Security Session
 
Squash Those IoT Security Bugs with a Hardened System Profile
Squash Those IoT Security Bugs with a Hardened System ProfileSquash Those IoT Security Bugs with a Hardened System Profile
Squash Those IoT Security Bugs with a Hardened System Profile
Steve Arnold
 
Hacktivity 2016: Stealthy, hypervisor based malware analysis
Hacktivity 2016: Stealthy, hypervisor based malware analysisHacktivity 2016: Stealthy, hypervisor based malware analysis
Hacktivity 2016: Stealthy, hypervisor based malware analysis
Tamas K Lengyel
 
Secure programming - Computer and Network Security
Secure programming - Computer and Network SecuritySecure programming - Computer and Network Security
Secure programming - Computer and Network Security
ssuser30902e
 
Rust Hack
Rust HackRust Hack
Rust Hack
Viral Parmar
 
Code Red Security
Code Red SecurityCode Red Security
Code Red Security
Amr Ali
 
Mykhailo Zarai "Be careful when dealing with C++" at Rivne IT Talks
Mykhailo Zarai "Be careful when dealing with C++" at Rivne IT TalksMykhailo Zarai "Be careful when dealing with C++" at Rivne IT Talks
Mykhailo Zarai "Be careful when dealing with C++" at Rivne IT Talks
Vadym Muliavka
 
1Buttercup On Network-based Detection of Polymorphic B.docx
 1Buttercup On Network-based Detection of Polymorphic B.docx 1Buttercup On Network-based Detection of Polymorphic B.docx
1Buttercup On Network-based Detection of Polymorphic B.docx
aryan532920
 
Debugging Python with gdb
Debugging Python with gdbDebugging Python with gdb
Debugging Python with gdb
Roman Podoliaka
 
Pluggable Infrastructure with CI/CD and Docker
Pluggable Infrastructure with CI/CD and DockerPluggable Infrastructure with CI/CD and Docker
Pluggable Infrastructure with CI/CD and Docker
Bob Killen
 

Similar to Mitigating overflows using defense in-depth. What can your compiler do for you? (20)

Metasploit: Pwnage and Ponies
Metasploit: Pwnage and PoniesMetasploit: Pwnage and Ponies
Metasploit: Pwnage and Ponies
 
Backtrack Manual Part6
Backtrack Manual Part6Backtrack Manual Part6
Backtrack Manual Part6
 
Metasploit - Basic and Android Demo
Metasploit  - Basic and Android DemoMetasploit  - Basic and Android Demo
Metasploit - Basic and Android Demo
 
Intrusion Techniques
Intrusion TechniquesIntrusion Techniques
Intrusion Techniques
 
Fuzzing_with_Xen.pdf
Fuzzing_with_Xen.pdfFuzzing_with_Xen.pdf
Fuzzing_with_Xen.pdf
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
 
OffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with XenOffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with Xen
 
Metasploit Basics
Metasploit BasicsMetasploit Basics
Metasploit Basics
 
Hardening Linux, introducing Securix GNU/Linux
Hardening Linux, introducing Securix GNU/LinuxHardening Linux, introducing Securix GNU/Linux
Hardening Linux, introducing Securix GNU/Linux
 
systemverilog-interview-questions.docx
systemverilog-interview-questions.docxsystemverilog-interview-questions.docx
systemverilog-interview-questions.docx
 
Hardening Linux and introducing Securix Linux
Hardening Linux and introducing Securix LinuxHardening Linux and introducing Securix Linux
Hardening Linux and introducing Securix Linux
 
Squash Those IoT Security Bugs with a Hardened System Profile
Squash Those IoT Security Bugs with a Hardened System ProfileSquash Those IoT Security Bugs with a Hardened System Profile
Squash Those IoT Security Bugs with a Hardened System Profile
 
Hacktivity 2016: Stealthy, hypervisor based malware analysis
Hacktivity 2016: Stealthy, hypervisor based malware analysisHacktivity 2016: Stealthy, hypervisor based malware analysis
Hacktivity 2016: Stealthy, hypervisor based malware analysis
 
Secure programming - Computer and Network Security
Secure programming - Computer and Network SecuritySecure programming - Computer and Network Security
Secure programming - Computer and Network Security
 
Rust Hack
Rust HackRust Hack
Rust Hack
 
Code Red Security
Code Red SecurityCode Red Security
Code Red Security
 
Mykhailo Zarai "Be careful when dealing with C++" at Rivne IT Talks
Mykhailo Zarai "Be careful when dealing with C++" at Rivne IT TalksMykhailo Zarai "Be careful when dealing with C++" at Rivne IT Talks
Mykhailo Zarai "Be careful when dealing with C++" at Rivne IT Talks
 
1Buttercup On Network-based Detection of Polymorphic B.docx
 1Buttercup On Network-based Detection of Polymorphic B.docx 1Buttercup On Network-based Detection of Polymorphic B.docx
1Buttercup On Network-based Detection of Polymorphic B.docx
 
Debugging Python with gdb
Debugging Python with gdbDebugging Python with gdb
Debugging Python with gdb
 
Pluggable Infrastructure with CI/CD and Docker
Pluggable Infrastructure with CI/CD and DockerPluggable Infrastructure with CI/CD and Docker
Pluggable Infrastructure with CI/CD and Docker
 

More from Javier Tallón

Evolucionando la evaluación criptográfica - Episodio II
Evolucionando la evaluación criptográfica - Episodio IIEvolucionando la evaluación criptográfica - Episodio II
Evolucionando la evaluación criptográfica - Episodio II
Javier Tallón
 
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
Javier Tallón
 
ICCC2023 Statistics Report, has Common Criteria reached its peak?
ICCC2023 Statistics Report, has Common Criteria reached its peak?ICCC2023 Statistics Report, has Common Criteria reached its peak?
ICCC2023 Statistics Report, has Common Criteria reached its peak?
Javier Tallón
 
ICCC23 -The new cryptographic evaluation methodology created by CCN
ICCC23 -The new cryptographic evaluation methodology created by CCNICCC23 -The new cryptographic evaluation methodology created by CCN
ICCC23 -The new cryptographic evaluation methodology created by CCN
Javier Tallón
 
Experiences evaluating cloud services and products
Experiences evaluating cloud services and productsExperiences evaluating cloud services and products
Experiences evaluating cloud services and products
Javier Tallón
 
TAICS - Cybersecurity Certification for European Market.pptx
TAICS - Cybersecurity Certification for European Market.pptxTAICS - Cybersecurity Certification for European Market.pptx
TAICS - Cybersecurity Certification for European Market.pptx
Javier Tallón
 
La ventaja de implementar una solución de ciberseguridad certificada por el C...
La ventaja de implementar una solución de ciberseguridad certificada por el C...La ventaja de implementar una solución de ciberseguridad certificada por el C...
La ventaja de implementar una solución de ciberseguridad certificada por el C...
Javier Tallón
 
EUCA23 - Evolution of cryptographic evaluation in Europe.pdf
EUCA23 - Evolution of cryptographic evaluation in Europe.pdfEUCA23 - Evolution of cryptographic evaluation in Europe.pdf
EUCA23 - Evolution of cryptographic evaluation in Europe.pdf
Javier Tallón
 
Hacking your jeta.pdf
Hacking your jeta.pdfHacking your jeta.pdf
Hacking your jeta.pdf
Javier Tallón
 
Evolucionado la evaluación Criptográfica
Evolucionado la evaluación CriptográficaEvolucionado la evaluación Criptográfica
Evolucionado la evaluación Criptográfica
Javier Tallón
 
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...España y CCN como referentes en la evaluación de ciberseguridad de soluciones...
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...
Javier Tallón
 
EUCA 22 - Let's harmonize labs competence ISO 19896
EUCA 22 - Let's harmonize labs competence ISO 19896EUCA 22 - Let's harmonize labs competence ISO 19896
EUCA 22 - Let's harmonize labs competence ISO 19896
Javier Tallón
 
EUCA22 Panel Discussion: Differences between lightweight certification schemes
EUCA22 Panel Discussion: Differences between lightweight certification schemesEUCA22 Panel Discussion: Differences between lightweight certification schemes
EUCA22 Panel Discussion: Differences between lightweight certification schemes
Javier Tallón
 
EUCA22 - Patch Management ISO_IEC 15408 & 18045
EUCA22 - Patch Management ISO_IEC 15408 & 18045EUCA22 - Patch Management ISO_IEC 15408 & 18045
EUCA22 - Patch Management ISO_IEC 15408 & 18045
Javier Tallón
 
Cross standard and scheme composition - A needed cornerstone for the European...
Cross standard and scheme composition - A needed cornerstone for the European...Cross standard and scheme composition - A needed cornerstone for the European...
Cross standard and scheme composition - A needed cornerstone for the European...
Javier Tallón
 
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?
Javier Tallón
 
Is Automation Necessary for the CC Survival?
Is Automation Necessary for the CC Survival?Is Automation Necessary for the CC Survival?
Is Automation Necessary for the CC Survival?
Javier Tallón
 
CCCAB tool - Making CABs life easy - Chapter 2
CCCAB tool - Making CABs life easy - Chapter 2CCCAB tool - Making CABs life easy - Chapter 2
CCCAB tool - Making CABs life easy - Chapter 2
Javier Tallón
 
2022 CC Statistics report: will this year beat last year's record number of c...
2022 CC Statistics report: will this year beat last year's record number of c...2022 CC Statistics report: will this year beat last year's record number of c...
2022 CC Statistics report: will this year beat last year's record number of c...
Javier Tallón
 
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...CCCAB, la apuesta europea por la automatización de los Organismos de Certific...
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...
Javier Tallón
 

More from Javier Tallón (20)

Evolucionando la evaluación criptográfica - Episodio II
Evolucionando la evaluación criptográfica - Episodio IIEvolucionando la evaluación criptográfica - Episodio II
Evolucionando la evaluación criptográfica - Episodio II
 
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
 
ICCC2023 Statistics Report, has Common Criteria reached its peak?
ICCC2023 Statistics Report, has Common Criteria reached its peak?ICCC2023 Statistics Report, has Common Criteria reached its peak?
ICCC2023 Statistics Report, has Common Criteria reached its peak?
 
ICCC23 -The new cryptographic evaluation methodology created by CCN
ICCC23 -The new cryptographic evaluation methodology created by CCNICCC23 -The new cryptographic evaluation methodology created by CCN
ICCC23 -The new cryptographic evaluation methodology created by CCN
 
Experiences evaluating cloud services and products
Experiences evaluating cloud services and productsExperiences evaluating cloud services and products
Experiences evaluating cloud services and products
 
TAICS - Cybersecurity Certification for European Market.pptx
TAICS - Cybersecurity Certification for European Market.pptxTAICS - Cybersecurity Certification for European Market.pptx
TAICS - Cybersecurity Certification for European Market.pptx
 
La ventaja de implementar una solución de ciberseguridad certificada por el C...
La ventaja de implementar una solución de ciberseguridad certificada por el C...La ventaja de implementar una solución de ciberseguridad certificada por el C...
La ventaja de implementar una solución de ciberseguridad certificada por el C...
 
EUCA23 - Evolution of cryptographic evaluation in Europe.pdf
EUCA23 - Evolution of cryptographic evaluation in Europe.pdfEUCA23 - Evolution of cryptographic evaluation in Europe.pdf
EUCA23 - Evolution of cryptographic evaluation in Europe.pdf
 
Hacking your jeta.pdf
Hacking your jeta.pdfHacking your jeta.pdf
Hacking your jeta.pdf
 
Evolucionado la evaluación Criptográfica
Evolucionado la evaluación CriptográficaEvolucionado la evaluación Criptográfica
Evolucionado la evaluación Criptográfica
 
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...España y CCN como referentes en la evaluación de ciberseguridad de soluciones...
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...
 
EUCA 22 - Let's harmonize labs competence ISO 19896
EUCA 22 - Let's harmonize labs competence ISO 19896EUCA 22 - Let's harmonize labs competence ISO 19896
EUCA 22 - Let's harmonize labs competence ISO 19896
 
EUCA22 Panel Discussion: Differences between lightweight certification schemes
EUCA22 Panel Discussion: Differences between lightweight certification schemesEUCA22 Panel Discussion: Differences between lightweight certification schemes
EUCA22 Panel Discussion: Differences between lightweight certification schemes
 
EUCA22 - Patch Management ISO_IEC 15408 & 18045
EUCA22 - Patch Management ISO_IEC 15408 & 18045EUCA22 - Patch Management ISO_IEC 15408 & 18045
EUCA22 - Patch Management ISO_IEC 15408 & 18045
 
Cross standard and scheme composition - A needed cornerstone for the European...
Cross standard and scheme composition - A needed cornerstone for the European...Cross standard and scheme composition - A needed cornerstone for the European...
Cross standard and scheme composition - A needed cornerstone for the European...
 
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?
 
Is Automation Necessary for the CC Survival?
Is Automation Necessary for the CC Survival?Is Automation Necessary for the CC Survival?
Is Automation Necessary for the CC Survival?
 
CCCAB tool - Making CABs life easy - Chapter 2
CCCAB tool - Making CABs life easy - Chapter 2CCCAB tool - Making CABs life easy - Chapter 2
CCCAB tool - Making CABs life easy - Chapter 2
 
2022 CC Statistics report: will this year beat last year's record number of c...
2022 CC Statistics report: will this year beat last year's record number of c...2022 CC Statistics report: will this year beat last year's record number of c...
2022 CC Statistics report: will this year beat last year's record number of c...
 
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...CCCAB, la apuesta europea por la automatización de los Organismos de Certific...
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...
 

Recently uploaded

Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
Frank van Harmelen
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Product School
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
g2nightmarescribd
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
Elena Simperl
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 

Recently uploaded (20)

Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 

Mitigating overflows using defense in-depth. What can your compiler do for you?

  • 1.
  • 2.
  • 3.
  • 4.  Is possible to program in a correct way? (7500 / 6) / 5 = 250 lines/man/year Windows has about 50 mills lines of code
  • 5.  Is possible to program in a correct way?
  • 6.  Security by correctness  Security by isolation  Security by obscurity  Security by randomization
  • 8.  According to the SDL  Designed to stop the attacker  If the countermeasure does not stop the attacker, it is a vulnerable countermeasure.  Designed to slow the attacker
  • 9.  Effective  Low - effort  Can be located at…  … the compiler  … the operating system  … the hardware
  • 11.  -FORTIFY_SOURCE (buffer overflow detection).  works by computing the number of bytes that are going to be copied  provides buffer overflow checks for the following functions (and wide character variants):  memcpy, mempcpy, memmove, memset, strcpy, stpcpy, strncpy, strcat, strncat, sprintf, vsprintf, snprintf, vsnprintf, gets.  argument consistency is checked
  • 12.  -D_FORTIFY_SOURCE=1  checks that shouldn't change the behavior of conforming programs are performed. Checks at compile-time only.  -D_FORTIFY_SOURCE=2  some more checking is added, but some conforming programs might fail. Checks at compile-time and runtime.
  • 13.  Enable warnings:  -Warray-bounds: Compile time out of bounds checks  -Wformat=2 -Wformat-security: Format string warnings
  • 14.  /WE4789  Warns about buffer overrun when specific C run-time (CRT) functions are used, parameters are passed, and assignments are performed, such that the data sizes are known at compile time. This warning is for situations that might elude typical data-size mismatch detection.  strcpy, memset, memcpy, wmemcpy
  • 15.  Replace with secure version of the functions #define _CRT_SECURE_CPP_OVERLOAD_STANDARD_NAMES 1 #define _CRT_SECURE_CPP_OVERLOAD_STANDARD_NAMES_COUNT 1
  • 16.  The compiler place a value before the return address when a function is called and check that the value has not changed when the function finalize  Terminator Canaries  Random Canaries  Random XOR Canaries
  • 17.  Deprecated:  StackGuard  ProPolice (reorders variables)  -fstack-protector: Buffer size > 8B && functions that call alloc  -fstack-protector-explicit: stack_protect attrb.  -fstack-protector-all: All   -fstack-protector-strong: paranoid conditions
  • 18.  AddressSanitizer (en gcc desde 4.8)  -fsanitize=address  UndefinedBehaviorSanitizer (UBSan)  -fsanitize=undefined All kind of undefined behaviours  -fsanitize=integer undefined or suspicious integer behavior  -fsanitize=nullability While violating nullability does not have undefined behavior, it is often unintentional  -fsanitize=bounds Detects out-of-bounds access of arrays.  -fsanitize=bounds-strict Enables strict checking  ThreadSanitizer  -fsanitize=thread Detects data races
  • 19.  Microsoft Visual C++ 2003  /GS Stack-Based Buffer Overrun Detection  Microsoft Visual C++ 2005  Buffers reordering  Parameter Shadowing  Microsoft Visual C++ 2005 SP1  #pragma strict_gs_check(on)  More aggressive heuristics
  • 20.  Microsoft Visual C++ 2010  wider scope of protected functions  optimize away the unneeded security cookies  disable for specific functions with __declspec(safebuffers)  choose different level of GS protections through /GS:n:  /GS:1 VC++ 2005 and 2008  /GS:2 widened scope (default)  Microsoft Visual C++ 2011  Detects range violation
  • 21.  /SAFESEH  /GS does not protect exception handler records  Instead of protection the stack (by putting a cookie before the return address), modules compiled with this flag will include a list of all known addresses that can be used as exception handler functions.  If an exception occurs, the application will check if the address in the SEH chain records belongs to the list with "known" functions, if the address belongs to a module that was compiled with SafeSEH. If that is not the case, the application will be terminated without jumping to the corrupted handler.
  • 22.  /RTC Runtime error checks  /RTCs: stack-frame runtime error checking  /RTCu: variable used before initialization  /RTCc: value assigned to a smaller data type  /RTC1 === /RTCsu
  • 23.  Code is code and data is data  Hardware mechanism widely deployed (every computer since 2001)
  • 24.  Enabled by default in all modern compilers -z,noexecstack, -z,noexecheap /NXCompat
  • 25.  Address Space Layout Randomization  The code is loaded in different memory regions each time  Implemented by the operating system  To be of any use, you must also have DEP enabled  But code needs to be “position independant”
  • 26.  Compiled with  -fPIE -pie for binaries  -fPIC for shared libraries.
  • 27.  By default, Windows® will only juggle system components around. If you want your image to be moved around by the operating system (highly recommended), then you should link with:  /DYNAMICBASE (since VS 2005 SP1)  /HIGHENTROPYVA (since VS 2012) uses ASLR with 64 bits addresses  It also randomizes the stack
  • 28.  Restricts the control-flow of an application to valid execution traces. CFI enforces this property by monitoring the program at runtime and comparing its state to a set of precomputed valid states. If an invalid state is detected, an alert is raised, usually terminating the application.  CFI detects control-flow hijacking attacks by limiting the targets of control-flow transfers. In a control-flow hijack attack an attacker redirects the control-flow of the application to locations that would not be reached in a benign execution, e.g., to injected code or to code that is reused in an alternate context.
  • 29.  -fsanitize=cfi  Optimized for performance  To allow the checks to be implemented efficiently, the program must be structured such that certain object files are compiled with CFI enabled, and are statically linked into the program. This may preclude the use of shared libraries in some cases.  -fvisibility=hidden otherwise would disable CFI checks for classes without visibility attributes
  • 30.  Control Flow Guard: operates by creating a per-process bitmap, where a set bit indicates that the address is a valid destination. Before performing each indirect function call, the application checks if the destination address is in the bitmap. If the destination address is not in the bitmap, the program terminates.  /guard:cf linker flag (VS2015)  Requires OS support: Windows 10 or 8.1 U3
  • 31.  C++ polymorphism  vtables  An attacker could exploit an use-after-free error to hijack the vtable using heap spraying (80% attacks)  Detects modifications in the vtable
  • 32.  Extra entry added to vtable  ASLR makes this entry’s value unknown to the attacker  Check added:  if vtable[vtguard_vte] != vtguard then terminate the process Celement::`vftable´ VirtualMethod1 VirtualMethod2 … vtguard
  • 33.  gcc > 4.9  -fvtable-verify=std  -fvtable-verify=preinit  Much more complex implementation by Google team  Not dependent on ASLR  https://gcc.gnu.org/wiki/cauldron2012?action=AttachFile &do=get&target=cmtice.pdf
  • 34.  RELRO -Wl,-z,relro:  the ELF sections are reordered so that the ELF internal data sections (.got, .dtors, etc.) precede the program's data sections (.data and .bss)  non-PLT GOT is read-only  -z,now: tell the dynamic linker to resolve all symbols when the program is started, or when the shared library is linked to using dlopen. Improves the effectiveness of RELRO  the entire GOT is also (re)mapped as read-only  -ftrapv: Generates traps for signed overflow (may interfere with UBSAN)
  • 35.  -mmitigate-rop: Attempt to compile code without unintended return addresses, making ROP just a little harder.  -z,nodlopen and -z,nodump: Might help in reducing an attacker's ability to load and manipulate a shared object.  -fomit-frame-pointer: difficults reversing and debugging  -fstack-check: Prevents the stack-pointer from moving into another memory region without accessing the stack guard- page.  -Wall -Wextra: enables many warnings
  • 36.  --analyze: performs various analysis of LLVM assembly code or bytecode and prints the results on standard output
  • 37.  /INTEGRITYCHECK places a flag in the binary that instructs the loader to verify the module's signature at load time.  /HOTPATCH Enables binary hot patching  /SDL enables a superset of the baseline security checks  enables some warnings as errors:  enables the strict mode of /GS run-time buffer overrun detection,  performs runtime limited pointer sanitization  automatically initializes all class members to zero on object instantiation  /ANALYZE Enterprise static code analysis (freely available with Windows SDK for Windows Server 2008 and .NET Framework 3.5). See https://randomascii.wordpress.com/2011/10/15/try-analyze-for-free/
  • 38.  Beware of optimization unstable code!
  • 39.  Beware of optimization unstable code!
  • 40. jtsec: Beyond IT Security c/ Abeto s/n Edificio CEG Oficina 2B CP 18230 Granada – Atarfe – Spain hello@jtsec.es @jtsecES www.jtsec.es