Diffstat (limited to 'security/advanced/frm_exploit_mitigation.tex')
| -rw-r--r-- | security/advanced/frm_exploit_mitigation.tex | 228 |
1 files changed, 228 insertions, 0 deletions
diff --git a/security/advanced/frm_exploit_mitigation.tex b/security/advanced/frm_exploit_mitigation.tex
new file mode 100644
index 0000000..559b60e
--- /dev/null
+++ b/security/advanced/frm_exploit_mitigation.tex
@@ -0,0 +1,228 @@
+% ----------------------------
+\subsubsection{Exploits}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Exploit Types}
+\begin{itemize}
+\item Application Level Exploits
+ \begin{itemize}
+ \item SQL Injection
+ \item Cross-side scripting
+ \item Backdoors
+ \item Protocol Implementation
+ \item \dots
+ \end{itemize}
+\item Low-Level Exploits
+ \begin{itemize}
+ \item Stack
+ \item Heap
+ \item Syscall
+ \item Race conditions
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Stack: Code Example I}
+\begin{beamerboxesrounded}[shadow=true]{Bad copy to stack local buffer}
+\begin{tiny}
+\begin{verbatim}
+#include <string.h>
+
+void foo (char *p) {
+ char buf[16];
+ strcpy(buf, p);
+}
+
+int main (int argc, char **argv) {
+ foo(argv[1]);
+}
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Stack: Code Example II}
+\begin{beamerboxesrounded}[shadow=true]{Manipulation of return address}
+\begin{tiny}
+\begin{verbatim}
+#include <stdio.h>
+#include <string.h>
+
+void function(int a, int b, int c)
+{
+ char buffer1[8];
+ char buffer2[16];
+ char *ret;
+
+ ret = (char *)(buffer1 + 0x18);
+ (*ret) += 0x7;
+}
+
+void main(void)
+{
+ int x;
+
+ x = 0;
+ function(1,2,3);
+ x = 1;
+ printf("%d\n",x);
+}
+
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Stack: Layout I}
+\begin{figure}[h]
+\centering
+\includegraphics[width=8cm]{images/em_stack_layout1.png}
+\end{figure}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Stack}
+\begin{itemize}
+\item Overwrite return address
+\item change stack-local variables
+\item inject malicious code
+ \begin{itemize}
+ \item shell code
+ \item backdoors
+ \item thread hijacking
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Mitigation}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Address Space Layout}
+\begin{itemize}
+\item Fixed layout of segment start addresses
+\item Easy to exploit
+\item Address Space Layout Randomization
+ \begin{itemize}
+ \item basic implementation (Linux v2.6.12)
+ \item full implementation (Linux v3.19)
+ \end{itemize}
+\item Configuration: /proc/sys/kernel/randomize\_va\_space
+ \begin{itemize}
+ \item 0: Disabled
+ \item 1: randomize stack, data, dynamic libraries
+ \item 2: randomize stack, data, dynamic libraries, heap
+ \end{itemize}
+\item Process maps: /proc/<pid>/maps
+\end{itemize}
+\end{frame}
+
+\begin{frame}[fragile]
+\frametitle{Process Memory Map}
+\begin{beamerboxesrounded}[shadow=true]{/proc/<pid>/maps}
+\begin{tiny}
+\begin{verbatim}
+$ cat /proc/self/maps
+00400000-0040c000 r-xp 00000000 fe:00 23360017 /bin/cat
+0060b000-0060c000 r--p 0000b000 fe:00 23360017 /bin/cat
+0060c000-0060d000 rw-p 0000c000 fe:00 23360017 /bin/cat
+0060d000-0062e000 rw-p 00000000 00:00 0 [heap]
+7ffff7a31000-7ffff7bd3000 r-xp 00000000 fe:00 2359536 /lib/x86_64-linux-gnu/libc-2.19.so
+7ffff7bd3000-7ffff7dd2000 ---p 001a2000 fe:00 2359536 /lib/x86_64-linux-gnu/libc-2.19.so
+7ffff7dd2000-7ffff7dd6000 r--p 001a1000 fe:00 2359536 /lib/x86_64-linux-gnu/libc-2.19.so
+7ffff7dd6000-7ffff7dd8000 rw-p 001a5000 fe:00 2359536 /lib/x86_64-linux-gnu/libc-2.19.so
+7ffff7dd8000-7ffff7ddc000 rw-p 00000000 00:00 0
+7ffff7ddc000-7ffff7dfc000 r-xp 00000000 fe:00 2359533 /lib/x86_64-linux-gnu/ld-2.19.so
+7ffff7e09000-7ffff7fce000 r--p 00000000 fe:00 3932237 /usr/lib/locale/locale-archive
+7ffff7fce000-7ffff7fd1000 rw-p 00000000 00:00 0
+7ffff7fd4000-7ffff7ff8000 rw-p 00000000 00:00 0
+7ffff7ff8000-7ffff7ffa000 r-xp 00000000 00:00 0 [vdso]
+7ffff7ffa000-7ffff7ffc000 r--p 00000000 00:00 0 [vvar]
+7ffff7ffc000-7ffff7ffd000 r--p 00020000 fe:00 2359533 /lib/x86_64-linux-gnu/ld-2.19.so
+7ffff7ffd000-7ffff7ffe000 rw-p 00021000 fe:00 2359533 /lib/x86_64-linux-gnu/ld-2.19.so
+7ffff7ffe000-7ffff7fff000 rw-p 00000000 00:00 0
+7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack]
+ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Stack Protect}
+\begin{itemize}
+\item Canaries
+ \begin{itemize}
+ \item Compiler Support (gcc)
+ \begin{itemize}
+ \item -fno-stack-protector
+ \item -fstack-protector
+ \item -fstack-protector-all
+ \item -fstack-protector-strong (since gcc v4.9)
+ \end{itemize}
+ \end{itemize}
+ \begin{itemize}
+ \item Kernel Configuration
+ \begin{itemize}
+ \item CONFIG\_CC\_STACKPROTECTOR\_NONE
+ \item CONFIG\_CC\_STACKPROTECTOR\_REGULAR \\
+ (coverage: 2.81 \%, code size: +0.33 \% )
+ \item CONFIG\_CC\_STACKPROTECTOR\_STRONG \\
+ (coverage: 20.5 \%, code size: +2.4 \% )
+ \end{itemize}
+ \end{itemize}
+\item Stack order randomization
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Stack Canaries: Stack layout}
+\begin{figure}[h]
+\centering
+\includegraphics[width=6cm]{images/em_stack_layout2.png}
+\end{figure}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Hardware-based}
+\begin{itemize}
+\item NX (no execute flag for pages)
+ \begin{itemize}
+ \item No Execute Flag for pages (PTE)
+ \item Architectures: x86, PPC, S390, ARM (some)
+ \end{itemize}
+\item MPX (Boundary Protection)
+ \begin{itemize}
+ \item Architecture: x86
+ \item high performance impact
+ \item test only
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+% % ----------------------------
+\begin{frame}[fragile]
+\frametitle{grsecurity}
+\begin{itemize}
+\item Security enhancement
+\item Kernel patches (PAX)
+\item Role-based access control
+\item Thread isolation
+\item Container isolation
+\item BPF JIT enhancements
+\item Return Address Protection (GCC)
+\end{itemize}
+
+\end{frame} |
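Review bot: The Address Space Layout slide never says that randomizing the main executable depends on PIE, and the `/proc/self/maps` listing on the following slide demonstrates the non-PIE case without commenting on it: `/bin/cat` is mapped at the fixed address `00400000` while libc, ld.so and `[stack]` sit in the randomized `7fff…` range, so an attacker has stable code and data addresses (ROP gadgets, GOT, `.data`) in the binary itself no matter what `randomize_va_space` is set to. I would add an item after `\item Process maps: /proc/<pid>/maps` reading `\item Executable itself: randomized only when built position-independent (gcc -fPIE, ld -pie); non-PIE /bin/cat above sits at 0x400000`, and, on the same slide, replace `1: randomize stack, data, dynamic libraries` with `1: randomize stack, mmap base (shared libraries, vDSO)` and `2: ... , heap` with `2: additionally randomize the brk heap`, since per the kernel's sysctl documentation level 1 covers stack, mmap and vDSO and level 2 adds brk, while the data segment follows the executable's placement rather than this sysctl. The listing also shows the legacy `[vsyscall]` page at the fixed, executable address `ffffffffff600000`, which is worth a one-line remark as a known fixed-address target (disable or emulate with the `vsyscall=` boot parameter). On the Exploit Types slide `Cross-side scripting` should read `Cross-site scripting`.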
