aserr
Thankful for having both strong men and women in my life. In particular today, my dad (pictured) and my gramps Regalado. My relationship with my dad continues to grow and take on new facets. I work hard trying to be a human they both can be proud of. Love you, #happyfathersdaydad . . . . #callyourdad #callyourmom #dadtalks #AlSr #corona #bayareaandbackdown #mexicali
A new, beautiful, skinny-silk wefted thing! Thank you so much @alynn_hart for letting me in on your beautiful custom and @alsr_handwoven for making something so incredible ❤️ #alsr #bonboyage #tinyknotsabound #babywearing
Coming soon // #ALSR
Oakland: Practical Control Flow Integrity & Randomization for Binary Executables
Q: I am the lead author of [indistinct]; that project started off as a binary rewriter for system libraries. But in libc there were a lot of dynamic jump instructions that had unpredictable targets, so we had to make it work better. For dynamic jumps that are function pointers, how did you solve the problem of unpredictable targets?
A: Good question about disassembly. We rewrite the target binary and direct transfer targets, function pointers and return addresses. Function pointers and dynamic transfers are not determined at compile time. In our solution, we don't need to find out which exact jump targets of the core, because we only need to find out possible jump targets, as in, find all code entries and redirect these entries.
Q: It is possible to determine the targets during compile time. But the targets may not need entry points. In the GNU implementation of libc, there are dynamic functions in... Did you apply the solution to a low-level library not written in a high-level language?
A: We can only find all possible code entries, not the entries of functions, but basic blocks. We find these entries through relocation tables in the portable executable format.
Q: It seems you've protected several DLLs and the core executable. Have you tried to protect everything in a real-world example?
A: In modern systems such as Windows 7, we cannot alter the system kernel modules. So for applications like IE and Firefox, we only replace the related DLL. For simple applications such as [indistinct], we harden all modules of those applications.
Q: But even for the browsers, you only did one DLL. Have you tried extending that?
A: Because there are many DLLs that we cannot alter.
Q: Catalin. Is control flow hijacking now a solved problem? What's left? What kind of things can you not handle?
A: First, when disassembling, there are lots of challenges, especially when the code and data are mixed together, such as the modules in Internet Explorer. Disassembly is prone to errors. Second, our solution uses randomization to protect the binary; in the following paper, we discuss that randomization is weak, so it is still possible for the attacker to bypass randomization in some cases.
Q: About that requirement, it's a really strong requirement that you don't have information disclosure; if they have it, then they can break ASLR. So what relative benefit do you have over just ASLR? How much harder does this make your attack? If I wrote an exploit that needed to knock this out, it would only take me a day, because I can use the same techniques.
A: ASLR cannot protect against use-after-free; ours can, because the attacker cannot find a valid code entry after our scheme. The randomization in our scheme is stronger than ASLR, so the protection is stronger.
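The answers above describe the allow-list idea at the heart of the scheme: the rewriter does not need to know the exact target of each indirect jump, only the set of possible code entries, which it harvests from the PE relocation table (every loader-patched absolute pointer that lands in the code section is a function or basic-block entry), and every indirect transfer is then forced to land on one of those entries. The Python model below is an added illustration of that check, not the authors' tool: the image layout, the relocation entries, the address values and the transfer trace are all constructed here, and the springboard randomization the talk also relies on is not modelled.

```python
"""Toy model of the coarse-grained indirect-transfer check described in the
Q&A: every absolute address that the loader patches through the relocation
table and that lies inside the code section is treated as a possible
indirect-transfer target (function entry or basic-block entry), and an
indirect call or jump is allowed only if it lands on one of those entries.

Added illustration, not the authors' code; the image layout, relocation
entries, address values and the trace below are all constructed.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class PeLikeImage:
    """Minimal stand-in for a loaded PE module (constructed, not parsed)."""
    image_base: int
    code_start: int   # RVA where the code section begins
    code_end: int     # RVA one past the end of the code section
    relocations: dict # RVA of a pointer slot -> absolute value stored there


def collect_code_entries(img):
    """Return the absolute addresses that relocated pointers point to and
    that lie inside the code section. Function pointers, vtable slots and
    jump-table entries all surface here, so this is the candidate set of
    indirect-transfer targets that the rewriter would redirect."""
    entries = set()
    for _slot_rva, value in img.relocations.items():
        rva = value - img.image_base
        if img.code_start <= rva < img.code_end:
            entries.add(value)
    return entries


class IndirectTransferPolicy:
    """Allow-list check applied at every indirect call/jump site."""

    def __init__(self, img):
        self.img = img
        self.entries = collect_code_entries(img)

    def is_allowed(self, target):
        return target in self.entries

    def audit(self, trace):
        """Run the check over (site_rva, target) pairs and return the
        violations, i.e. the transfers a rewritten binary would abort."""
        return [(site, target) for site, target in trace
                if not self.is_allowed(target)]


# Constructed module: image base 0x400000, code in RVA [0x1000, 0x3000),
# a data section from RVA 0x5000 holding four relocated pointers.
DEMO_IMAGE = PeLikeImage(
    image_base=0x400000,
    code_start=0x1000,
    code_end=0x3000,
    relocations={
        0x5000: 0x401000,  # function pointer to fn_a
        0x5004: 0x401200,  # function pointer to fn_b
        0x5008: 0x402080,  # switch-table entry: a basic-block entry, not a function
        0x500C: 0x405100,  # pointer to data (a string), not a code entry
    },
)

# Constructed indirect-transfer trace: (call-site RVA, absolute target).
DEMO_TRACE = [
    (0x1050, 0x401200),  # call through a legitimate function pointer
    (0x10A0, 0x402080),  # jump through the switch table
    (0x1050, 0x401207),  # stale/corrupted pointer into the middle of fn_b
    (0x1050, 0x405100),  # pointer that was overwritten to point at data
    (0x1050, 0x7F0000),  # pointer that now points outside the module
]


def demo():
    """Apply the policy to the constructed trace; returns the violations."""
    policy = IndirectTransferPolicy(DEMO_IMAGE)
    return policy.audit(DEMO_TRACE)


if __name__ == "__main__":
    for site, target in demo():
        print(f"violation: site RVA {site:#06x} -> target {target:#010x}")
```

The first two transfers in the trace pass because their targets were harvested from the relocation table; the remaining three are rejected because a mid-function address, a data address and an address outside the module never appear as relocated code pointers. This also shows why the answer about use-after-free holds in the model: a dangling pointer that no longer carries an entry address fails the check regardless of where the module was loaded. It equally shows the limit the speakers acknowledge, since any entry the relocation table or disassembly misses is simply absent from the allow-list.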