Protections Against Exploitation

ASLR: Address space layout randomization

DEP: Data Execution Prevention

Stack Canaries:

CFI: Control-flow integrity

ROP: Return-oriented programming

Closed-source memory errors: when no source is available, today's options are to

  1. Resort to black-box fuzzing, which yields shallow coverage close to the provided test cases
  2. Rely on dynamic binary translation, which instruments the binary at prohibitively high runtime cost (e.g., 10x to 100x for AFL fuzzing in QEMU mode on LAVA-M)
  3. Use unsound static rewriting based on heuristics

Question: the fundamental difficulty for static rewriting techniques is disambiguating reference constants (addresses) from scalar constants.

There are three fundamental techniques to rewrite binaries:

  1. recompilation [14], which attempts to lift the code to an intermediate representation. Lifting code to an IR for recompilation requires correctly recovering type information from the binary, which remains an open problem.

  2. trampolines [15], [16], which rely on indirection to insert new code segments without changing the size of basic blocks. Trampolines may significantly increase code size, and the extra level of indirection adds performance overhead.

  3. reassembleable assembly [12], [13], which produces an assembly file equivalent to what a compiler would emit, i.e., with relocation symbols for the linker to resolve. Consequently, we believe that resymbolizing binaries into reassembleable assembly is one of the most promising techniques for static binary rewriting.

Read more »

asan.module_ctor

works the same as __attribute__((constructor)): the compiler inserts its address into the section .init_array, so it runs before main

asan.module_dtor

works the same as __attribute__((destructor)): the compiler inserts its address into the section .fini_array, so it runs at exit

.section .init_array.1,"aw",@init_array
.p2align 3
.quad asan.module_ctor

.section .init_array,"aw",@init_array
.p2align 3
.quad test

.section .fini_array.1,"aw",@fini_array
.p2align 3
.quad asan.module_dtor

But the OpenArk compiler doesn't support constructor and destructor attributes.

Original link: https://luomuxiaoxiao.com/?p=516

This article describes how the main function gets executed, and how to use a debugger to understand what happens before main starts.
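A hand-written constructor/destructor pair modelled on asan.module_ctor/asan.module_dtor, added here as an example and not taken from the post or from ASan itself. It assumes a GCC- or Clang-compatible toolchain on an ELF target; the global registry, the hook names and the priority 101 (the reserved range 0-100 is where ASan's .init_array.1 lives) are constructed for illustration.

```c
#include <stdio.h>

/* Constructed example, not from the original post: a hand-written module
 * ctor/dtor pair modelled on asan.module_ctor / asan.module_dtor. The compiler
 * stores each __attribute__((constructor)) function's address in .init_array
 * (or .init_array.NNNNN when a priority is given); the loader calls every entry
 * before main(), and .fini_array entries after exit().
 * Inspect with: readelf -S ./a.out | grep -E '(init|fini)_array'             */
#define MAX_EVENTS 8
static int events[MAX_EVENTS];          /* order in which the hooks ran */
static int n_events = 0;

static void record(int id) { if (n_events < MAX_EVENTS) events[n_events++] = id; }

/* Stand-in for ASan's global registration: a table of "shadowed" globals. */
static const void *registry[4];
static int n_registered = 0;
static int some_global = 42;            /* the global the module ctor registers */

/* Priority 101 lands in .init_array.00101 (ASan's own ctor uses .init_array.1;
 * 0-100 are reserved for the toolchain), so the linker sorts it ahead of every
 * default-priority entry in plain .init_array. */
__attribute__((constructor(101)))
static void module_ctor(void) { registry[n_registered++] = &some_global; record(1); }

/* Default priority: plain .init_array, like the page's `.quad test`. */
__attribute__((constructor))
static void user_ctor(void) { record(2); }

/* Paired teardown in .fini_array: runs after main() returns or exit() is called. */
__attribute__((destructor(101)))
static void module_dtor(void) { n_registered = 0; record(3); }

/* Accessors so the effect of the hooks can be checked from main()/tests. */
int hook_count(void)         { return n_events; }
int hook_at(int i)           { return (i >= 0 && i < n_events) ? events[i] : -1; }
int registered_globals(void) { return n_registered; }
int is_registered(const void *p) {
    for (int i = 0; i < n_registered; i++) if (registry[i] == p) return 1;
    return 0;
}
const void *some_global_addr(void) { return &some_global; }

int main(void) {
    /* By the time main() runs, both constructors have already fired: 1 then 2. */
    for (int i = 0; i < hook_count(); i++) printf("hook %d ran before main\n", hook_at(i));
    printf("%d global(s) registered\n", registered_globals());
    return 0;
}
```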

Read more »

I read this paper before (in about 5 mins or less). And like I mentioned to you, although I don't remember the technical details, I remember 1) the key idea is to ensemble multiple fuzzers together and boost the performance, that's new and should be appreciated, although, well, I wonder if we shall trust their reported results (we should believe unless we have concrete evidence), 2) it's very important to remember who published this paper; although it might be difficult to remember the "name", you at least need to remember the institute.

Read more »

KLEE

Different versions of KLEE require different versions of LLVM. Install LLVM first: newer KLEE releases can use a recent LLVM, while KLEE 1.3 must be paired with LLVM 3.4. https://github.com/tum-i4/klee-install/blob/master/README.md

Read more »

Side channel

Stealing secrets through side channels

Side channels: timing; power; EM emissions; sound; heat; cache

Infer secrets via secret-dependent physical information

Read more »
