[nycbug-talk] BSD Chapter in HLE

Ray Lai nycbug at cyth.net
Fri Sep 15 18:21:27 EDT 2006


On Fri, Sep 15, 2006 at 02:16:49PM -0400, michael wrote:
> On Fri, 15 Sep 2006 14:09:57 -0400 (EDT)
> Dru <dlavigne6 at sympatico.ca> wrote:
> > On Fri, 15 Sep 2006, michael wrote:
> > > strlcpy() and strlcat()

strlcpy and strlcat are safe and easy-to-use versions of strncpy and
strncat.  They are described in "strlcpy and strlcat -- consistent,
safe, string copy and concatenation." by Todd C. Miller and Theo
de Raadt.  The paper is at
http://www.openbsd.org/papers/strlcpy-paper.ps and the slides are at
http://www.openbsd.org/papers/strlcpy-slides.ps

> > > Memory protection purify
> > >    * W^X

Separates memory regions to be either writable or executable, but not
both.  This prevents exploits from writing code they want to execute
into memory, then causing the program to execute that code.

> > >    * .rodata segment

Segments of memory where data is known not to be writable, such as
constants or executable code.  Writing to this area causes the program
to abort.

> > >    * Guard pages

Places no-access pages of memory at buffer boundaries, so if programs
try to read or write outside the buffer the program aborts.  Prevents
programs that miscalculate the number of elements in an array or do
poor pointer arithmetic from continuing unnoticed.

> > >    * Randomized mmap()

Randomizes the location of each mmap allocated memory, which reduces
predictability for exploits and leaves gaps between each mmapped
region.  Access to these gaps causes the program to abort, so overruns
and underruns are detected.

> > >    * Randomized malloc()

Uses the randomized mmap instead of the traditional brk/sbrk system
calls, which basically forced all the memory allocated to be
contiguous.  Accesses to previously freed memory would not cause core
dumps.

> > >    * atexit() and stdio protection

I think there are protections added to atexit, but generally its use is
discouraged.

I'm not sure what the stdio protection is.

> > Are you aware of any good (preferably "for dummies") URLs explaining
> > these and their benefits? http://www.openbsd.org/security.html isn't
> > a good reference for this book's target audience... 
> 
> you caught me.. that is where I plucked it.  We have an OpenBSD
> developer on the list.. Ray?  little help?

For a general overview look at Theo's Exploit Mitigation Techniques
slides: http://www.openbsd.org/papers/ven05-deraadt/

> > Hmmm, reminds me I should mention IPSec...

Yes, and in 4.0 IPsec configuring has been greatly simplified.  Check
out http://www.openbsd.org/cgi-bin/man.cgi?query=ipsec.conf for example
uses.

-Ray-
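
An added example, not part of the original message and not OpenBSD code: a small C program showing the guard page idea described above, using the standard mmap() and mprotect() calls. The helper names guarded_alloc and write_in_child are hypothetical; the write is done in a child process so the parent can report which signal stopped it.

```c
#define _DEFAULT_SOURCE            /* exposes MAP_ANON under strict -std= modes */
#include <signal.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: returns a len-byte buffer whose last byte sits
 * directly in front of a no-access (PROT_NONE) guard page, or NULL. */
static char *guarded_alloc(size_t len)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t data = (len + page - 1) / page * page;    /* whole pages for data */
    char *base = mmap(NULL, data + page, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANON, -1, 0);
    if (base == MAP_FAILED)
        return NULL;
    if (mprotect(base + data, page, PROT_NONE) != 0) {  /* the guard page */
        munmap(base, data + page);
        return NULL;
    }
    return base + data - len;       /* buffer ends exactly at the guard page */
}

/* Writes n bytes into a len-byte guarded buffer inside a child process.
 * Returns the signal that killed the child, 0 on a clean exit, -1 on error. */
static int write_in_child(size_t len, size_t n)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *buf = guarded_alloc(len);
        if (buf == NULL)
            _exit(2);
        volatile char *p = buf;     /* volatile: keep every store */
        for (size_t i = 0; i < n; i++)
            p[i] = 'A';
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (WIFSIGNALED(status))
        return WTERMSIG(status);
    return WEXITSTATUS(status) == 0 ? 0 : -1;
}

int main(void)
{
    int in_bounds = write_in_child(100, 100);   /* stays inside the buffer */
    int overrun   = write_in_child(100, 101);   /* one byte too many */
    return (in_bounds == 0 && (overrun == SIGSEGV || overrun == SIGBUS)) ? 0 : 1;
}
```

The in-bounds write completes normally, while the off-by-one write faults on the guard page instead of silently touching adjacent memory.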