It was born some 24 years ago as a fork of NetBSD and we're currently running OpenBSD 6.6 and the operating systems whole are meeting installation, quick installation, rich set of documentation and very, very good security features. What about security mitigations? Our next speaker, Stein, is going to have a very close and systematic look at them. Stein.

Good morning, everyone. And today, we're going to talk about evaluating OpenBSD's mitigations. So I'm going to explain to you why I'm here on stage. And then together we're going to go through an arbitrary subset of OpenBSD's mitigations. And at the end, as usual with talks, there is a conclusion.

So why am I even here? Because like every good computer-related story, it starts on IRC. We were discussing, with a couple of friends, the exploitation of a particular vulnerability. At some point someone said, whenever I read Rob Jane, I reminded wire and OpenBSD. I didn't know much about one because this was like, why? Because I've been busy taking security seriously. Well, that's a short statement. So I did what everybody else would have done. I spent dozens of hours reading open source code, mailing lists, design documents, PDA and everything. And then I ranted back on IRC and another friend said, hey, you should do a talk at the CCC about this. That's a good idea. Never going to be accepted anyway. So why not? So here I am.

Yeah, OpenBSD: it's an operating system, for example like Windows or Linux, kind of things. Except it's based on that. It was forked by Theo de Raadt in October 1995. The goals, taken from the goals of this team and Web page of swept site, are to pay attention to security problems, fix them before anybody else does, and to be the number one most secure operating system. It's really cool. Also, be as politics-free as possible. Solutions would be decided on the basis of technical merits. I like this. That's nice.

People had low expectations for my talk. Things like misinformation, low quality,
told false assumption, international embarrassment, apparently. So we'll try to disappoint these people. More seriously, when the abstract of the talk was published on the 36C3 website, there were a lot of heated responses, like: just look at the innovations web page. Look at the events web page. A lot of mitigations. How dare you say that? OpenBSD is secure. That's the point of my talk. Actually, OpenBSD has a lot of mitigations, but I want to know if they are working or not. Having a list is not enough. Also, there are almost no exploits for plan B. Well, there are no exploits for TempleOS or Haiku or manual. But I'm not sure they're super secure. Also, openness, age and openness seem to be really great. I know, I'm using them. This talk is not about OpenBSD software. It's about dependability, security, mitigations.

Someone else said that all the mitigations are complementary: why are you nitpicking on small mitigations? These are just handwaving statements, like everything is complementary, don't you dare criticize OpenBSD. Someone else said, just read undeadly.org, which is a website dedicated to news about OpenBSD. But on undeadly.org, every time there is a new mitigation, everybody is cheering at it. But I haven't seen anyone criticizing the mitigations, saying there is a weakness here, or maybe this, and maybe that. And also, when I was discussing with friends that are writing exploits, they are complaining about people fussing upon me as the nuts about you mitigations. Also, someone said that the title is clickbait. Apparently it's not clickbait enough, because the room isn't full.

So, security mitigations. How do we measure security? It's really hard. Halvar Flake, designed to mitigate our creature, which is analogous to or always working to make exploitation hard. Like yes, I killed his ability, but it's not really helping. So how do you measure good mitigations? How do we design good mitigations?

Halvar also wrote on Twitter, because apparently he dislikes writing blog posts for some reason, that to have a good mitigation you should avoid handwaving statements like "it makes it harder for an attacker to do that". You should have stuff like: what class of bugs does it kill, or what CVE; like, this is killing CVE 1 3 3 4, for example. Or by how many hours does it delay the publication of a working exploit, for example. Because "it makes it harder for an attacker" is not something that would be acceptable, for example, when designing a cryptographic protocol or a security protocol. Like, "yes, I did a full loop here because it makes it harder for an attacker to get the clear text" doesn't work as well. Also, for a good mitigation, you should ask your friendly neighborhood exploit writers about this. Like: hey, I wrote this mitigation, it's killing this class of bugs, your old exploit. Can you bypass it, please? Can you try it? And also code review. Where is the mitigation coming from? Did you read some papers or did you come up with the idea yourself? Are other people using it, maybe? What is the code complexity? So this doesn't guarantee a good mitigation, but at least I think that good mitigations stem from these good practices.

Also, threat modeling, I think, is really important. Someone called Ryan Mallon said: threat modeling rule of thumb: if you don't explain exactly what you are securing against and how you secure against it, the answers can be assumed to be "bears" and "not very well". So, for example, there was a mitigation that need to happen as the and come. It said, I quote, "thereby forcing the attacker to deal with the hopefully more complex efforts of something something". This is not something you want to read in a changelog for adding a mitigation.

So we go and distort. As I said, I'm going to go with you through a subset, an arbitrary one, of OpenBSD's mitigations: where they're coming from, were they invented by OpenBSD or improved by OpenBSD, maybe? What are they defending against? Are they effective at killing exploits? And how is the outside world doing compared to OpenBSD? For example, Linux has been naturally improving, but Windows has been investing a lot of money, effort and time into making it more secure. Why an arbitrary subset? Because I've only got 45 minutes and a bunch of questions, so that's not enough time to go through every single one of them. There are not a lot of sources in my slides because I don't have much space. Well, it's a big screen, but still. But there will be a website at the end with all my research material. I also put small puffer fishes at the bottom of the slides, the notation I use to express my opinions about the mitigations. So, here we go.

Attack surface reduction. Ivan Fratric, who is someone working for Project Zero, said in 2019 that empirical evidence suggests that attack surface reduction is one of the most impactful things that could be done for product security. So this is a class of mitigations that should be really effective.

Privilege separation and privilege drop. In 1997, a long time ago, Daniel Bernstein wrote qmail, and qmail was composed of several processes with only one running as root. So if an attacker managed to compromise, for example, a process talking to the internet, maybe running with low privileges, it wouldn't automatically yield you a root shell. That's pretty good. Postfix did the same the same year, and five years later OpenSSH enabled privilege separation. So if you have remote code execution in OpenSSH, maybe it doesn't give you a root shell automatically. That's pretty cool. Almost all OpenBSD-written programs now are using privilege separation and privilege drop. Privilege separation is to have different processes running with different privileges, and privilege drop is the idea of dropping your privileges as soon as you don't need them anymore. For example, when you are running the ping command on Linux, maybe
on OpenBSD too, you know. Yeah, ping is setuid because it needs to have high privileges to open a specific socket, and then it immediately drops privileges to send a payload. So that's the idea of privilege drop. OpenBSD is using it almost everywhere. That's why I put five puffer fishes. It's really good and neat, I think. For example, they've got rootless Xorg since 2014. That's really amazing. But they kept it setuid. So it is resulted in a trivial look at what happened yesterday. Okay. That's just me being mean.

Pledge. I really like this one. In the Linux world, there is something called seccomp that was created in 22 and merged in 25. The idea is that the process could enter a mode of secure computation in which only the exit and sigreturn syscalls are allowed, as well as read and write on already open file descriptors. That's not really convenient for real-world programs. So seccomp-BPF was created in 2012, and with this you can restrict what syscalls your program can use. For example, OpenBSD created tame, which was renamed to pledge in 2015. It's a really amazing mitigation. I like it. It's really simple to use because, contrary to seccomp, it's not based on syscalls, where you have to dig through your operating system's syscalls: what is this syscall doing? Do I really need it for this Java program? Maybe not. I don't know. Here it is capability based. So, for example, you can say: hey, this program is only allowed to use standard inputs and outputs, or this program is allowed to do DNS resolution, and that's it. For example, I think the NTP client of OpenBSD is running different processes with different pledge policies: one is allowed to resolve the domain, the other one, with more privileges, is allowed to change the time of the system, for example. That's really neat. Also, it's more used than seccomp. Seccomp is mostly used, like, in Docker for example, or Tor IPT at some point as well, a couple of other programs, Chrome maybe, but in OpenBSD there are 850 calls to pledge in OpenBSD's sources. So it's used a lot in OpenBSD. I think it's due to impressive engineering work. It's working very well, so very effective.

They've got unveil, which is kind of pledge but for files. Not really. The idea is that pledge allows you to restrict the view of your file system for a specific program. For example, if you've got a web browser, your browser needs to be aware only of, for example, a folder for the cache and the cookies, and another one for downloads. And that's it. A web browser shouldn't have access to SSH keys, for example. It doesn't abort on violation. So if your program is behaving weirdly, like trying to access your SSH keys, maybe you will get a message, but the program won't be aborted automatically. It's used by 77 userland programs in OpenBSD. That's kind of a decent number, because OpenBSD's default install doesn't come with a lot of programs. I think that this one is also really good. It's like AppArmor or SELinux, running on Debian, Ubuntu, Android, for example. But I think it's much better because the policy is residing inside of the program. So let's say you're using wget to upload some file to the internet: you can make the whole filesystem read-only, because wget needs to read some file on your disk and then upload it to the internet. Or if you're downloading a picture, the only thing that needs to be writable on your disk is the destination file of the picture you're downloading. You cannot have that with AppArmor, which is more like: yeah, wget can only access this, and that's it. So being able to reduce the attack surface depending on what the program is doing, I think, is really cool.

Hardware vulnerabilities. We've got a lot of them in the last two years. Apparently you cannot trust your CPU anymore. That's a shame. Here, I think the most interesting thing that I'm going to talk about is the reaction time, because it's usually faster to update your operating system than it is to update your CPU. And for some vulnerabilities, when the research was published, I managed to write a proof of concept in a matter of hours. So I'm quite sure that serious players are able to have production-grade exploits in a couple of weeks, maybe months.

Hyper. Hyper, hyper what? Hyper-threading. So OpenBSD disabled hyper-threading support by default, which is a bold move, and a lot of people were calling them names because of this, like "OpenBSD doesn't care about performance, blah, blah, blah". But they did some benchmarks and the performance impact is pretty low, except for some specific workloads. And this allowed them to dodge a couple of vulnerabilities. For example, L1TF in userland, or MDS variants like ZombieLoad or RIDL, for example, always in userland. So this maybe should have been in the attack surface reduction part instead of here. I think it's really cool. So, a really bold move, and I think it is a good indicator that there are some people at OpenBSD that care about security.

Spectre v1, v2, v3. The idea of Spectre is that the branch prediction and speculative execution of the CPU have observable side effects: the CPU tries to be smart and infer some things, and then an attacker can watch, observe the CPU doing this, and extract some data from this. So Spectre v1, which is the first variant of the Spectre attack: the mitigation on Windows is compiler-based; on Linux, it's manually removing some gadgets, using a magic grep; and on OpenBSD, there is nothing. So you need to obey JCB if you're worried about this. Spectre v2: also compiler-based, retpolines. Day zero for everyone, it's very impressive. Three months for amd64 on OpenBSD. That's not a long time. So, right. KPTI. Also Spectre v3, kernel page table isolation. Day zero for everyone. One one's for the sixty four. That's pretty fast. Interestingly, and because I'm a mean person: OpenBSD got KPTI way after DragonFly BSD, NetBSD and FreeBSD. It's just me being mean.

There are other ones: L1TF, MDS, SWAPGS. Everybody was using the same mitigations, except that OpenBSD was able to dodge a couple of them for userland because they disabled hyper-threading. That's really cool. So everybody pretty much the first week day 0 8 3 9 3 good and 4 lift. Interestingly, 9 days after the embargo was lifted, Theo de Raadt said that there won't be any mitigations for OpenBSD 6.2 and 6.3, despite them still being supported at the time, which is an interesting statement. He said this on the mailing list. I'm not sure if people know about it.

Randomization. OpenBSD has a really strong focus on randomizing everything to make the life of attackers harder.

ASLR. So the idea of ASLR is to map areas of the address space at random locations. For example, your stack is at a random location every time your program starts, so is your heap, your libraries and everything. It was invented by the PaX project, due to the patch for Linux in twenty one, and the same year OpenBSD had a random offset for its stack. This refers. We need to when you three OpenBSD the random offset as well for libraries and mmap, and it takes two more years to Linux to join the bandwagon. Technically it is ASR and not ASLR for OpenBSD, because the delta between the different mappings is constant between launches. For example, when you're running a binary the first time, you've got the delta between your eye and or your library in your stack, for example. And when you relaunch it, they are mapped at a different offset, but the delta is still the same. It doesn't matter that much; at least it is better than per-boot randomization like Android, iOS and Windows are doing. Also, OpenBSD claims to be the first widely used operating system to have ASLR. But there was Gentoo Hardened before, and Adamantix. I don't know if Gentoo Hardened was more popular than NBC because in published numbers pursing. I'm not sure the statement is true for NBC.

Position-independent code. So
here it's not only the stack, the heap and the libraries that are mapped at a random offset, but every time you're running the program, the binary will be mapped at a random offset, removing fixed points for the attacker to see where it is, or what to overwrite, or where to jump, kind of things. Also invented by PaX 24 1. More than enable this for the whole userland into a new three and Fedora. And Red Hat Enterprise Linux use this for a century. It's network-facing binaries, because there were some performance concerns to enable this mitigation. OpenBSD got support for PIE five years afterwards. Twenty eleven: PIE by default on iOS and OS X by Apple. There is a lot of text on this slide because I think that here the timeline matters. Also, 2012, Android; it's pretty cool. And 2012, PIE enabled by default on OpenBSD. That's very nice. Except that on the OpenBSD website it is written that OpenBSD 5.3 was the first widely used operating system to enable it globally by default on 7 hardware platforms. Android was first for six different architectures. Fedora was first for a different architectures, and also there was Gentoo Hardened and Adamantix. Maybe they got fewer users than OpenBSD at the time, but also Apple enabled it for OS X and iOS, and I'm quite sure this is a more mainstream operating system than OpenBSD. It is still an amazing mitigation.

KARL. I really like this one as well. So, July 2017: OpenBSD is relinking kernel objects at random after every boot; the kernel is relinked. Like, if your kernel was a giant puzzle, the pieces would be shuffled and assembled in a different order for every boot. So when you reboot, your kernel looks entirely the same. And for example, on Ubuntu, every time you're rebooting the kernel, it's the same. So as an attacker, I only have to have the same version of Ubuntu as yours, write my exploit for the kernel, and if it works, it will usually work on your machine. So let's be nice. It kills single pointer leaks and relative overwrites, because if I can leak a pointer to your kernel, I know where the pointer is, but since the kernel changes upon every boot, it doesn't give me much information. And also relative overwrites: if I'm able to write whatever I want, but in a relative manner, I don't know what I'm going to overwrite. Now it's really useful against attackers that don't have an arbitrary read or, as you say, side channels. So yeah. Also, the debuggability of this is really horrible, because everybody has a different kernel. So if my OpenBSD crashes and I want to send you the stack trace, I will have a different one than you do, for example. Or maybe I'm not a power user, I don't know much about this, so I'm just sending you a screenshot, and there is no way for you to know what my kernel layout is looking like. Also, it doesn't work very well with trusted boot, because you've got a different kernel after every reboot and you would have to sign it every time. It would kind of defeat the purpose of trusted boot. But OpenBSD, I think, doesn't really care about trusted boot. So it's all right.

Swensen is dressing as well. They are and amazing, like they do for the kernel, except for the libc and libcrypto, at boot time. It is pretty nice. 2016. It also kills single pointer leaks and relative overwrites. If an attacker has an arbitrary read, this mitigation is moot. And also it is vulnerable to blind ROP, but OpenBSD has some measures in place to make blind ROP a bit more difficult. It's useful against remote attackers, but since it's per boot, it's entirely useless against local attackers.

Library order randomization. So here it is not randomization inside of libraries, but the libraries are mapped in a different order every time. Twenty three. This was also done by Android at some point by default. It's a smallish improvement of ASLR. But when you've got a single leak to a library large enough, for example the libc or libcrypto, I don't know, there are usually enough gadgets there that you don't need to look for other libraries. Also, the entropy is pretty terrible, because as an attacker I don't care about figuring out the particular order of all the libraries; I only need my libc to be the first one, for example. So if I've got N libraries mapped, I've got one chance out of N to exactly hit this library on the first try. So it doesn't hurt to have this, but it is not very effective.

W^X. The idea is to have memory sections either writable or executable, but never at the same time. It's a pretty old mitigation. It was, I think, first made public by Casper Dik for Solaris in 1990-something-something. Solar Designer wrote a patch for the Linux kernel for this as well. It prevents the introduction of new code, because an attacker cannot, like, have a writable section and directly jump onto it. This used to be the case in the 90s, but nobody is doing this anymore because of this mitigation. OpenBSD was pretty late to the party to them a couple of years when you're two for userland, 2015 for kernel land. Amazing mitigation. Except that it's lacking things like PaX MPROTECT from PaX and NetBSD, I think, or ACG on Windows, or the kind of hardware equivalent in the Apple world, which is KTRR in hardware. The idea of this is that the operating system will keep track of the memory allocations. For example, if you are allocating a page as writable, it can never, ever be mapped as executable, even if you map it as none, for example, and then map it as executable. And this really prevents the introduction of new arbitrary code, because otherwise, as an attacker, if I've got, I don't know, some ROP gadgets and I've got code execution, what I can do is that I can allocate a section of memory as writable, put my payload there, map it as none, and then map it as executable and jump on it. So this is basically adding new code inside of the binary. And when you've got MPROTECT, PaX MPROTECT, that kind of thing, you're not allowed
to do that. So you have to write your whole payload in ROP, or use data-only attacks. But you cannot bring your own shellcode anymore.

W^X refinements, in 2019. So Theo said that he wanted to block direct syscalls from the area, "forcing the attacker to deal with the hopefully more complex effort of using git or, probably even harder, discovering the syscall stub directly inside the randomly relinked libc". What is the point of this? That's a subset of PaX MPROTECT that I mentioned previously: blocking syscalls from executable memory. So if an attacker is in executable memory, they cannot issue syscalls from there. And the further refinement was to block syscalls from memory that doesn't have the msyscall flag: the operating system will mark a particular section of your address space when your binary is running, and you can only issue syscalls from this section of the binary. A couple of days ago, Samuel Groß gave a talk about iMessage exploitation, and this exploit would have entirely bypassed this mitigation. It's not even present on Android. Because when, as an attacker, you've got enough control to map an area as writable, put your code there, map it as executable and then jump on it and then do a syscall, usually you've got enough control to just ROP your way to syscalls wherever they are, because you usually have an arbitrary read anyway. The mitigation is really useless, I think.

The juicy part of the talk: it's about other memory corruption mitigations.

Userland management. July 20 or 8 02 malloc, by Otto Moerbeek, I think, sorry for butchering your name, and Damien Miller, is an amazing piece of software. Out-of-band metadata: when your allocator is allocating some stuff, the metadata about the data that was allocated are kept separately. So as an attacker, if you've got an overflow, for example, you're not able to mess with the data that are here. Also read-only structures. So as an attacker, if I've got an arbitrary reading, let me tell you. Right. For example, there are some structures that I cannot mess with. Quarantine, delayed free: the idea is that once your program doesn't need the memory anymore, then you want to free it. But the free doesn't happen immediately. The section will be put into quarantine and at some point will be freed, to mitigate use-after-free, because as an attacker it's a bit harder to know when the memory will be freed. Junking: when some memory is allocated, junk data are put there. So if I try to immediately look into this memory, I'm not able to leak some things. Canaries, to detect overflows or underflows: there is a secret value that's put behind or before the buffer, and when the attacker overflows it, the program will notice at some point that the canary value has changed. Guard pages, or page alignment: the idea is to align your allocations to pages, so as an attacker, when they've got an overflow, odds are that they will fall into a page that is not mapped. Guard pages are like canaries, but instead of putting secret values, you are putting entire pages before and after, mapped as none, for example. So when the attacker touches them, everything will explode. As usual in OpenBSD, everything is randomized everywhere. It's really a really cool piece of software. Unfortunately, it's a bit slow compared to, for example, Scudo, which is the hardened allocator that they plan to use for Android. Some benchmarks show that otto-malloc is 12 times slower, but apparently the OpenBSD people care more about security than they care about performance. And that's entirely fine.

Read-only relocations. It is a bit more tricky to explain, but basically the idea is that when your program needs, I don't know, a function from another library, like let's say you want to display some text, you use printf, and your binary doesn't implement printf. It will ask: hey, where is the function printf again? And there is a small stub that would say: let me look. Here it is. There you go. And the program will take the function, put it in a small cache, and the next time it needs to call printf, it can just look in the cache and call printf. The idea of read-only relocations, which was created by Red Hat, is to make this cache read-only, because an attacker, for example, if the cache is not mapped read-only, what they can do is that they can swap the pointers there. For example, next time you're going to call printf, since I messed with the cache, you're going to call system and give me a shell. So the idea is to have this as read-only. But the caveat is that you need, when you're starting your program, to resolve everything, because you cannot dynamically change the cache. But there is a plot twist: OpenBSD still has lazy bindings, which means that they're resolving things at runtime, but still having a read-only zone. It's a bit weird. So the way they're doing this is by adding a new syscall called kbind, and the idea of kbind is that it allows the program to have an arbitrary write inside every memory that is mapped in the address space. So even if it's read-only, the program can still write there. To prevent an attacker from using it, there is a call-site verification: the first time it's called, the operating system will remember where the function was called from, and also uses a magical cookie to make sure that the caller knows the magical value to be able to use it. Unfortunately, you can just ROP your way to bypass the call-site verification, and also the cookie value, when you've got an arbitrary read, is really moot. So I think it is a dangerous syscall. And the right way would have been to have immediate bindings instead of still supporting lazy binding, things from the past.

Trapsleds. So hilarious so it wouldn't hurt to send a patch to replace the padding between the functions, that used to be NOPs, by traps, and the idea is to remove NOP sleds from programs and libraries, and it makes it harder for an attacker to hit any ROP gadgets or other instructions after a NOP sled. Nobody's using NOP sleds with ROP. NOP sleds were used back in the day, when the stack was executable. People are jumping precisely to the gadgets nowadays. You can look at every exploit out in the wild. Nobody is using the sleds. Also, Microsoft Visual Studio had these features since the 2010 editions and they've rebranded it to the security features.

Also, OpenBSD has an obsession about removing ROP gadgets. They're doing this by changing the register selection algorithm: instead of using eggs, for example, they will favor e.g. X instead. Why not? They're also replacing instructions. So instead of moving a 2 alpha, now it's changing A and B and then moving and then changing again. They are forcing alignment with the trapsled: there is a whole jump above the trapsled to the ret instruction, to prevent an attacker from jumping in the middle of an instruction and hitting the ret afterwards. Also, they've got RETGUARD to protect against the aligned rets' usage, but I'm going to discuss RETGUARD a bit more after ROP gadget removal.

Why? Why would you do this? Because they are using a script called ROPgadget.py, which was written by Jonathan Salwan, who has written it as a proof of concept, for fun. Nobody is using it, except maybe during CTFs as a try, and usually it doesn't work because the heuristics it's using are pretty simple. And the way they are measuring the success is that they are running ROPgadget on a kernel binary to generate a userland execve ROP chain, and the ROPgadget.py script managed to generate the full chain before their mitigations, and when they applied the mitigations, ROPgadget doesn't manage to generate the complete chain anymore. That's a weird metric. Also, apparently all their dance to remove gadgets is reducing the number to 11 percent on them to 64. That's not a lot. When you're writing a ROP chain, you usually need like a dozen gadgets, maybe 20, but not that much. And 11 percent, this doesn't make any difference. There are still dozens of hundreds of gadgets lying around. They claim that there are no more gadgets on them. Sixty four. That's amazing. So I've run ROPgadget.py on the kernel binary and removed all the ret-based gadgets, and there are still twelve hundred twelve thousand eight hundred ninety one JOP or COP or PCOP gadgets everywhere. Also, it doesn't kill, as I mentioned, the JOP, COP, PCOP and other return-to-csu, return-to-libc, return-to-anything. And Theo said that once they address the ret problems, everything else would be easy to address, and also, in any case, a substantial reduction of gadgets is powerful. Except it's not. There was a paper published in 2019 by Michael Brown and Santosh Pande called "Is Less Really More?" that is explaining why removing ROP gadgets doesn't really improve security and sometimes even worsens it. Amusingly, GCC used to have an option called -mmitigate-rop that was removed because, I quote: "This option is fairly ineffective. Nobody seems interested to improve it. Deprecate the option so we won't lure developers to the land of false security."

RETGUARD. So Crispin Cowan and his friends wrote StackGuard, 1987. The idea, as mentioned previously with cookies, is to have a secret value somewhere, and when the attacker tries to overwrite things in memory, the attacker will also overwrite the cookie value, allowing the program to detect that something is wrong here. It's usually on the stack, like when you're calling a function, the return address: because you're executing your program, at some point you might want to call a function, for example, but you need to know where to come back to. The idea is that when you're calling a function, usually, at least on 64, you're putting the return address on the stack. The function is doing its things, and then it's taking the address back and coming back to the call site. So, as an attacker, if I can overwrite the address, I can make the control flow of the program point wherever I want. OpenBSD added cookies in userland and kernel land in twenty three, or six years after the invention. And amusingly, they were using a segment filled with random data for this, and they marked it static const. The compiler was smart enough to say: hey, this is a static segment, so it must be zero, so simplify the comparison for cookies. So the cookies in OpenBSD were ineffective between 2016 and 2017.

So RETGUARD, 2017 edition. The idea was to XOR, to do an exclusive or, on the return address at the top of the stack with the stack pointer value itself. That's an interesting move, except it doesn't protect against partial writes: you can partially overwrite the pointer and you don't care about this. Also, if you've got a read primitive on the heap, because in the heap there are usually stack pointers, you defeat the cookies and ASLR. In kernel land, if you can leak some part of the kernel stack and the kernel text segment, you get the cookie for free. So this was not the smartest move ever. That's why they improved it.

With RETGUARD, 2018 edition. So here are some assemblies. Assembly, singular. The idea is to move, like, read your thing, this is from the random segment with random data here, XORing with RSP at the beginning of the function. At the end of the function, there is a verification that the value is still the same, and then the big jump above the trapsled, and the return. Nice. That's nice. Eleven is Bill on the stack. When you're calling different functions, so if you've got an arbitrary read, you can just leak the cookie values from all the functions above you. There is one cookie per function, which is a small improvement. Also, cookies are stored in a dedicated segment so you cannot overwrite them, which you can do in other operating systems. And, I think it is really interesting, the integrity is on the return address itself. It's not just a cookie anymore that is like shielding th
e return value below, but the integrity is on the return address itself. So even if you've got an arbitrary right, you cannot really mess with this. But it's still a small improvement over SLR because what small improvements are you over real estate cookies? Because when you've got the number three rights and the meta way read oh, I'm tired. Sorry, when you've got the know. I read this game over because you can leak everything. Near the ref can land. So the idea is that when you've got the new 2.0, the reference like a pointer pointing to zero in can land like you forgot to initialize a function pointer. Let's say since the zero the 0 0 is in user land or the kernel will do that, you will jump to use the land. So as an attacker you would just have to map your shell. Go there. Trigger new points of the reference. The kernel would jump there and you've got code execution. The PAC's projects kill this and when you're 4 we scan exact and apparently twice in 24 and you there f in 26 detail here. Does that really matter? Evens Evans poodle gave a talk at the twenty three C three that's pretty old when you're six called the unusual dog where you demonstrated some needlepoint that the reference exploits. This was mitigated by Linux the year after with impunity. They are preventing user land from mapping things at the very beginning of the airspace to prevent an attacker from putting the circle here 24 7 to 27. Everybody, it was copy pasting exploits for open BSD. It was a really fun time to be alive when you open open as the prevented to map the first page as well to use the RAD which is the person leading the projects. I used to be a problem. The solution, it seems best phase was to be the intellectual exercise. It seems that everyone else is slowly coming around the same solution. Took them two years to implement it. I think it's the other way around. They were slowly coming to a solution. Maps map all the friends. The idea of this is that you can enforce at the CPI level
that poor things running in supervisor mode cannot access userland. For example, your kernel: maybe you don't want the kernel to access things that are residing in userland, to prevent people from writing the payload in userland, triggering a bug somewhere in the kernel and then jumping to userland, forcing an attacker to put the payload directly into the kernel, kernel land instead. PaX UDEREF was an emulation, kind of a simulation of this implemented in software. Then Intel and AMD released support for SMEP and SMAP. SMEP stands for execution, so the kernel cannot execute stuff coming from userland. And SMAP is access, so the code can access things coming from userland. It was added in 2012. Everybody added support for it. Amazing. And then someone burned a cool OpenBSD SMAP bypass, because they forgot to clear a magical flag on interrupt in kernel entry. They were vulnerable for 5 years. It was a really fun bug.

MAP_STACK. It's present on Linux, with almost no practical use besides, when you're catting /proc, you will see this memory part here is the stack. Windows used to have nt!PsValidateUserStack, because it's Windows. They removed it in 2012 because it was useless. The idea was to check that the stack pointer was pointing on something that was mapped as the stack upon every single syscall. There were generic bypasses for this, mostly by privilege, by having frantic data. No, one was to write the stub that calls mmap with the MAP_STACK flag, put your payload there, jump on it. Or before every syscall, you can just make the stack pointer point to the stack, do your syscall and then make it point to something else. OpenBSD's improvement is, they didn't cite the Windows mitigation or any paper, and started checking the stack pointer upon every syscall, but also on page faults, which is a really cool improvement, except that there are some OpenBSD-specific bypasses that are left as an exercise to the crowd.

Other mitigations that didn't fit into the previous categories, but I think they are worth mentioning. SYN cookies. Daniel Bernstein again, 1996, was a technique, the idea is to have a stateless storage of the SYN handshakes. For example, when you're establishing a TCP connection, you're doing SYN and then the server replies ACK and then you reply SYN ACK and then you can exchange data. It's amazing. But if the client sends SYN, SYN, SYN, SYN, the server needs to keep track of everything; at some point it will just blow away. So the idea of SYN cookies was to be able to store all the SYNs in, storing the stateless status anyway. It landed in Linux the same year, enabled by default. Everything is super great. And OpenBSD implemented it last year. Nowadays, it's kind of useless because everybody on the internet can trivially DDoS you with terabytes of data for just a couple of bucks by renting a botnet. Maybe it's useful on your LAN, but if someone is DDoSing you on your LAN, you've usually got bigger problems.

MAP_CONCEAL. FreeBSD, the idea is to be able to mark some section of the memory in your binary as "please never touch the disk". So, for example, when you've got a crash, a core dump, maybe you want to give the core dump to the developer, but you don't feel comfortable leaking your secret. This is key, for example. So you mark it as no core or don't dump or conceal, and they will never be put on the disk, so you can safely give the core dump away. 2012 fully next to you for plan B, as did the bragged about it to nine, in which a core OpenBSD developer said the name conceal was chosen to allow some flexibility, like prohibiting ptrace, the idea is to keep secrets from escaping to other programs. It seems that there is a threat model issue here, because if you've got ptrace control of a program, you can as well rewrite the code of the program to access the things that you store in MAP_CONCEAL, or mount some data-only attack.

And practice. I think this is important. They don't have any bug tracker. Everything is done by email. So you don't know if somebody is assigned to your bug or is going to thing. You have to go through the mailing lists. There is no public code review when they are pushing code. They say, oh, to say okay, or Bob said okay, or Ted said it's okay. It's literally "okay" at the end of the commits. There is no justification, context or threat model for mitigations. Like, hey, I did mitigations, make life and that harder. There is no paper, there is no threat model. There's just handwaving statements. Also, security issues and security patches. There is an errata web page, which is: here is the patch, here is a signature so you can verify it's a trustworthy patch. But there is nothing about: is it a remote vulnerability, are there exploits in the wild, can I have a write-up, what is the context here? Do I need to reboot? Is it in kernel land? Is it in userland? Just apply the patch and reboot. It doesn't scale very well. When you've got hundreds or thousands of machines running OpenBSD, you can attribute all of them instantly. They've got no assurance digression, they've got stable releases and they've got current. Current is broken from time to time. My VM stops booting, like, at some point every month or two, something like this. Apparently it's accepted there. Also, they're using CVS for a version control system instead of other things. So they have no branches. Almost 50 percent of the commit messages are less than 10 characters long. "Hello world" is eleven characters long. Three quarters of the messages are less than twenty characters. So if you write "Hello World. Hello World." as a commit message, it would be longer than three quarters of the commit messages of OpenBSD.

Conclusion, right in time. OpenBSD really invented some really cool stuff. I like Otto malloc. I really like what Damien Miller is doing with hardening OpenSSH, for example, and a lot of things. They've also gotten
entropy gathering syscalls I didn't mention. Also, yeah, they've got some good ideas. They improved some ideas of others, sometimes without giving credit. For example, ever got team pledge. They've got parts for the hashing. They invented craft. That's amazing. They've got some useless mitigations that are adding either complexity or are just hilarious. Trapsleds, for example, the whole W^X refinement that we are, the ROP gadgets removal ideas. Combine everything, everything of this could likely be improved through systematic security engineering, like doing more tests, maybe writing threat models and everything, because the SMAP bypass, for example, shouldn't have been living this long. Also, nobody would create cryptographic primitives today the way that OpenBSD is doing security development. It just wouldn't be acceptable. Why is it acceptable to develop mitigations this way? Proper mitigations, I think, stem from proper design and threat modeling, strong reality-based statements like "this kills this vulnerability" or "it kills this CVE, delays the production of an exploit by one week", and also thorough testing by seasoned exploit writers. Anything else is relying on pure luck, superstition and wishful thinking. Thank you very much. Also, since I didn't put a lot of sources there, I did a fancy website with a crazy domain name. It doesn't address the question "is OpenBSD secure or not". I didn't address this matter either, because I think it's important to empower and help people to answer this question by themselves.

Thank you, Stein, for this definitely systematic review. So let's go to the questions and answers. Do we have any questions from the Internet? I see. And no. So are there any questions here in the hall? I don't see any people at the microphone. So nobody. Oh, some more time to think about some questions. Guys. No questions. Microphone number two is our starter.

Thanks. Um, when you showed the response time regarding some of the mitigations, um,
do you know if the OpenBSD people had access to the information ahead of time like the others? Because Linux and Windows, I would assume they would have access to the information to be able to ready the mitigation in time to deliver a zero-day, uh, mitigation. Whereas OpenBSD, I'm not sure.

It's an interesting question. I didn't mention embargo handling on purpose because apparently it's a sensitive topic. I'm open to you say the agency that OpenBSD never broke any embargoes, but they are known for not playing nice with embargoes. So they are usually nowadays excluded from embargoes. So they weren't included in the disclosure process. They just had to delay it in a rush. There was no rush.

Okay, we got a question from the Internet. Yes. Thank you very much. And this one question. Do you have a response to the statement of OpenBSD developer Bryan Steele that MAP_STACK is something very different from similar implementations in Linux and Windows?

MAP_STACK, this is the mapping the... maybe I can show the slide. Oh, this is confusing. Yes. MAP_STACK, like I said, on Linux is just used for cosmetic purposes. On Windows it was removed. MAP_STACK, that is the same idea, verifying the stack pointer upon every syscall, and they improved it by doing it on page faults. It's an improvement, but it's still not a tremendous mitigation.

OK. We have a person standing at the microphone, number four.

So how do you compare pledge with the capability system on Linux, because there is such a thing on Linux, and how is it different on Linux?

What do you mean by capabilities?

Like, for example, we that there is the. For market cap, cap caps network buying that.

Oh, the capability for ping, for example, to create a raw socket or something. I can't remember the exact name. Yeah, I see what you're talking about. They're really confusing. There are a lot of them. The documentation is sparse. I think that Spender from grsecurity wrote a blog post detailing all the capabilities and how much of a mess it is. Maybe it's efficient. I don't know. But since it's not really usable by normal human beings, I think it's not a good mitigation. What I like about pledge is you can just say input with Booth and that's it. Or network and that's it. You don't have to mess around with a lot of documentation everywhere. Do I need this particular type of exotics to get much of that program on?

Thank you. All right. Another question from microphone number five, please.

There used to be this developer channel, the ICB. Is this something which is still active in OpenBSD, or did they switch to, like, IRC now?

I don't know much about the OpenBSD ecosystem and everything besides the mitigations, and didn't interact with their community at all. So no idea.

Thanks. Any more questions? So there is one more question from the Internet. Sorry. Yes. Yes. And, um, how does OpenBSD compare to FreeBSD in the context of your talk?

I don't know much about OpenBSD. Maybe I will do it all. Thanks. Here. No, more seriously, there is the HardenedBSD project, which is a soft fork of OpenBSD, of FreeBSD, trying to improve the security of FreeBSD. But I don't know much about it.

Okay. Any more questions in here? We do have time. Internet? No questions anymore. Well, then I'm gonna close this session here and thank Stein again with a nice applause, please.