new memory corruption attacks: why can't we have nice things? · dr. strangelove or: how i...
TRANSCRIPT
![Page 1: New memory corruption attacks: why can't we have nice things? · DR. STRANGELOVE OR: HOW I LEARNED TO STOP WORRYING AND LOVE THE SEGFAULT (c) Castro Theatre and Spoke Art, 2013](https://reader034.vdocuments.site/reader034/viewer/2022043006/5f90fcfbe4cf242e6c5ff12a/html5/thumbnails/1.jpg)
New memory corruption attacks:why can't we have nice things?
Mathias Payer (@gannimo) and Nicholas Carlinihttp://hexhive.github.io
![Page 2: New memory corruption attacks: why can't we have nice things? · DR. STRANGELOVE OR: HOW I LEARNED TO STOP WORRYING AND LOVE THE SEGFAULT (c) Castro Theatre and Spoke Art, 2013](https://reader034.vdocuments.site/reader034/viewer/2022043006/5f90fcfbe4cf242e6c5ff12a/html5/thumbnails/2.jpg)
DR. STRANGELOVEDR. STRANGELOVEOR: HOW I LEARNED TO STOP OR: HOW I LEARNED TO STOP WORRYING AND LOVE THE SEGFAULTWORRYING AND LOVE THE SEGFAULT
(c) Castro Theatre and Spoke Art, 2013
![Page 3: New memory corruption attacks: why can't we have nice things? · DR. STRANGELOVE OR: HOW I LEARNED TO STOP WORRYING AND LOVE THE SEGFAULT (c) Castro Theatre and Spoke Art, 2013](https://reader034.vdocuments.site/reader034/viewer/2022043006/5f90fcfbe4cf242e6c5ff12a/html5/thumbnails/3.jpg)
Software is unsafe and insecure
● Low-level languages (C/C++) trade type safety and memory safety for performance– Programmer responsible for all checks
● Large set of legacy and new applications written in C / C++ prone to memory bugs
● Too many bugs to find and fix manually– Protect integrity through safe runtime system
![Page 4: New memory corruption attacks: why can't we have nice things? · DR. STRANGELOVE OR: HOW I LEARNED TO STOP WORRYING AND LOVE THE SEGFAULT (c) Castro Theatre and Spoke Art, 2013](https://reader034.vdocuments.site/reader034/viewer/2022043006/5f90fcfbe4cf242e6c5ff12a/html5/thumbnails/4.jpg)
(c) National Nuclear Security Administration, 1953
![Page 5: New memory corruption attacks: why can't we have nice things? · DR. STRANGELOVE OR: HOW I LEARNED TO STOP WORRYING AND LOVE THE SEGFAULT (c) Castro Theatre and Spoke Art, 2013](https://reader034.vdocuments.site/reader034/viewer/2022043006/5f90fcfbe4cf242e6c5ff12a/html5/thumbnails/5.jpg)
Memory(Un-)safety
![Page 6: New memory corruption attacks: why can't we have nice things? · DR. STRANGELOVE OR: HOW I LEARNED TO STOP WORRYING AND LOVE THE SEGFAULT (c) Castro Theatre and Spoke Art, 2013](https://reader034.vdocuments.site/reader034/viewer/2022043006/5f90fcfbe4cf242e6c5ff12a/html5/thumbnails/6.jpg)
Memory (un-)safety: invalid dereference
Dangling pointer:(temporal)
Out-of-bounds pointer:(spatial)
Violation iff: pointer is read, written, or freed
char foo[40];foo[42] = 23;
free(foo);*foo = 23;
![Page 7: New memory corruption attacks: why can't we have nice things? · DR. STRANGELOVE OR: HOW I LEARNED TO STOP WORRYING AND LOVE THE SEGFAULT (c) Castro Theatre and Spoke Art, 2013](https://reader034.vdocuments.site/reader034/viewer/2022043006/5f90fcfbe4cf242e6c5ff12a/html5/thumbnails/7.jpg)
Two types of attack
● Control-flow hijack attack– Execute Code
● Data-only attack– Change some data used along the way
Today, we focus onexecuting code
![Page 8: New memory corruption attacks: why can't we have nice things? · DR. STRANGELOVE OR: HOW I LEARNED TO STOP WORRYING AND LOVE THE SEGFAULT (c) Castro Theatre and Spoke Art, 2013](https://reader034.vdocuments.site/reader034/viewer/2022043006/5f90fcfbe4cf242e6c5ff12a/html5/thumbnails/8.jpg)
Control-flow hijack attack
1
32
4 4'
● Attacker modifies code pointer– Function return
– Indirect jump
– Indirect call
● Control-flow leaves valid graph● Reuse existing code
– Return-oriented programming
– Jump-oriented programming
![Page 9: New memory corruption attacks: why can't we have nice things? · DR. STRANGELOVE OR: HOW I LEARNED TO STOP WORRYING AND LOVE THE SEGFAULT (c) Castro Theatre and Spoke Art, 2013](https://reader034.vdocuments.site/reader034/viewer/2022043006/5f90fcfbe4cf242e6c5ff12a/html5/thumbnails/9.jpg)
Control-Flow Hijack Attack
int vuln(int usr, int usr2){ void *(func_ptr)(); int *q = buf + usr; … func_ptr = &foo; … *q = usr2; … (*func_ptr)();}
Memory
buf
func_ptr
code
1
1
2
2
3
func_ptr
gadget
![Page 10: New memory corruption attacks: why can't we have nice things? · DR. STRANGELOVE OR: HOW I LEARNED TO STOP WORRYING AND LOVE THE SEGFAULT (c) Castro Theatre and Spoke Art, 2013](https://reader034.vdocuments.site/reader034/viewer/2022043006/5f90fcfbe4cf242e6c5ff12a/html5/thumbnails/10.jpg)
Status of deployed defenses
● Data Execution Prevention (DEP)● Address Space Layout Randomization
(ASLR)● Stack canaries● Safe exception handlers
Memory
text
data
stack
0x4?? R-X
0x8?? RW-
0xf?? RW-
![Page 11: New memory corruption attacks: why can't we have nice things? · DR. STRANGELOVE OR: HOW I LEARNED TO STOP WORRYING AND LOVE THE SEGFAULT (c) Castro Theatre and Spoke Art, 2013](https://reader034.vdocuments.site/reader034/viewer/2022043006/5f90fcfbe4cf242e6c5ff12a/html5/thumbnails/11.jpg)
Status of deployed defenses
● ASLR and DEP only effective in combination● Breaking ASLR enables code reuse
– On desktops, information leaks are common
– On servers, code reuse attacks have decreased
– For clouds: look at CAIN ASLR attack from WOOT'15
Antonio Barresi, Kaveh Razavi, Mathias Payer, and Thomas R. Gross“CAIN: Silently breaking ASLR in the cloud”, WOOT'15 / BHEU'15http://nebelwelt.net/publications/#15WOOT
![Page 12: New memory corruption attacks: why can't we have nice things? · DR. STRANGELOVE OR: HOW I LEARNED TO STOP WORRYING AND LOVE THE SEGFAULT (c) Castro Theatre and Spoke Art, 2013](https://reader034.vdocuments.site/reader034/viewer/2022043006/5f90fcfbe4cf242e6c5ff12a/html5/thumbnails/12.jpg)
Stack Integrityand
Control-Flow Integrity
![Page 13: New memory corruption attacks: why can't we have nice things? · DR. STRANGELOVE OR: HOW I LEARNED TO STOP WORRYING AND LOVE THE SEGFAULT (c) Castro Theatre and Spoke Art, 2013](https://reader034.vdocuments.site/reader034/viewer/2022043006/5f90fcfbe4cf242e6c5ff12a/html5/thumbnails/13.jpg)
Stack integrity
● Enforce dynamic restrictions on return instructions● Protect return instructions through shadow stack
A B
foo
void a() { foo();}
void b() { foo();}
void foo();
![Page 14: New memory corruption attacks: why can't we have nice things? · DR. STRANGELOVE OR: HOW I LEARNED TO STOP WORRYING AND LOVE THE SEGFAULT (c) Castro Theatre and Spoke Art, 2013](https://reader034.vdocuments.site/reader034/viewer/2022043006/5f90fcfbe4cf242e6c5ff12a/html5/thumbnails/14.jpg)
Control-Flow Integrity (CFI)
● Statically construct Control-Flow Graph– Find set of allowed targets for each location
● Online set check
…jmpl *%eax…call *(0xb)…call *(0xc)call *4(0xc)
0xa0xb0xc0xd
0xd0xe
0x20xf
![Page 15: New memory corruption attacks: why can't we have nice things? · DR. STRANGELOVE OR: HOW I LEARNED TO STOP WORRYING AND LOVE THE SEGFAULT (c) Castro Theatre and Spoke Art, 2013](https://reader034.vdocuments.site/reader034/viewer/2022043006/5f90fcfbe4cf242e6c5ff12a/html5/thumbnails/15.jpg)
Control-Flow Integrity (CFI)
CHECK(fn);(*fn)(x);
CHECK_RET();return 7;
![Page 16: New memory corruption attacks: why can't we have nice things? · DR. STRANGELOVE OR: HOW I LEARNED TO STOP WORRYING AND LOVE THE SEGFAULT (c) Castro Theatre and Spoke Art, 2013](https://reader034.vdocuments.site/reader034/viewer/2022043006/5f90fcfbe4cf242e6c5ff12a/html5/thumbnails/16.jpg)
Control-Flow Integrity (CFI)
CHECK(fn);(*fn)(x);
CHECK_RET();return 7;
Attacker may write to memory,code ptrs. verified when used
![Page 17: New memory corruption attacks: why can't we have nice things? · DR. STRANGELOVE OR: HOW I LEARNED TO STOP WORRYING AND LOVE THE SEGFAULT (c) Castro Theatre and Spoke Art, 2013](https://reader034.vdocuments.site/reader034/viewer/2022043006/5f90fcfbe4cf242e6c5ff12a/html5/thumbnails/17.jpg)
CFI on the stack
A B
foo
void a() { foo();}
void b() { foo();}
void foo();
![Page 18: New memory corruption attacks: why can't we have nice things? · DR. STRANGELOVE OR: HOW I LEARNED TO STOP WORRYING AND LOVE THE SEGFAULT (c) Castro Theatre and Spoke Art, 2013](https://reader034.vdocuments.site/reader034/viewer/2022043006/5f90fcfbe4cf242e6c5ff12a/html5/thumbnails/18.jpg)
NovelCode Reuse
Attacks
![Page 19: New memory corruption attacks: why can't we have nice things? · DR. STRANGELOVE OR: HOW I LEARNED TO STOP WORRYING AND LOVE THE SEGFAULT (c) Castro Theatre and Spoke Art, 2013](https://reader034.vdocuments.site/reader034/viewer/2022043006/5f90fcfbe4cf242e6c5ff12a/html5/thumbnails/19.jpg)
Control-Flow Bending
● Attacker-controlled execution along “valid” CFG– Generalization of non-control-data attacks
● Each individual control-flow transfer is valid– Execution trace may not match non-exploit case
● Circumvents static, fully-precise CFI
Nicholas Carlini, Antonio Barresi, Mathias Payer, David Wagner, and Thomas R. Gross“Control-Flow Bending”, Usenix SEC'15http://nebelwelt.net/publications/#15SEC
![Page 20: New memory corruption attacks: why can't we have nice things? · DR. STRANGELOVE OR: HOW I LEARNED TO STOP WORRYING AND LOVE THE SEGFAULT (c) Castro Theatre and Spoke Art, 2013](https://reader034.vdocuments.site/reader034/viewer/2022043006/5f90fcfbe4cf242e6c5ff12a/html5/thumbnails/20.jpg)
CFI's limitation: statelessness
● Each state is verified without context– Unaware of constraints between states
● Bending CF along valid states undetectable– Search path in CFG that matches desired behavior
![Page 21: New memory corruption attacks: why can't we have nice things? · DR. STRANGELOVE OR: HOW I LEARNED TO STOP WORRYING AND LOVE THE SEGFAULT (c) Castro Theatre and Spoke Art, 2013](https://reader034.vdocuments.site/reader034/viewer/2022043006/5f90fcfbe4cf242e6c5ff12a/html5/thumbnails/21.jpg)
Weak CFI is broken
● Out of Control: Overcoming CFIGoektas et al., Oakland '14
● ROP is still dangerous: breaking modern defensesCarlini et al., Usenix SEC '14
● Stitching the gadgets: on the effectiveness of coarse-grained CFI protectionDavi et al., Usenix SEC '14
● Size does matter: why using gadget-chain length to prevent code-reuse is hardGoektas et al., Usenix SEC '14
![Page 22: New memory corruption attacks: why can't we have nice things? · DR. STRANGELOVE OR: HOW I LEARNED TO STOP WORRYING AND LOVE THE SEGFAULT (c) Castro Theatre and Spoke Art, 2013](https://reader034.vdocuments.site/reader034/viewer/2022043006/5f90fcfbe4cf242e6c5ff12a/html5/thumbnails/22.jpg)
Weak CFI is broken
● Out of Control: Overcoming CFIGoektas et al., Oakland '14
● ROP is still dangerous: breaking modern defensesCarlini et al., Usenix SEC '14
● Stitching the gadgets: on the effectiveness of coarse-grained CFI protectionDavi et al., Usenix SEC '14
● Size does matter: why using gadget-chain length to prevent code-reuse is hardGoektas et al., Usenix SEC '14
Microsoft's Control-Flow Guard is aninstance of a weak CFI mechanism
![Page 23: New memory corruption attacks: why can't we have nice things? · DR. STRANGELOVE OR: HOW I LEARNED TO STOP WORRYING AND LOVE THE SEGFAULT (c) Castro Theatre and Spoke Art, 2013](https://reader034.vdocuments.site/reader034/viewer/2022043006/5f90fcfbe4cf242e6c5ff12a/html5/thumbnails/23.jpg)
Strong CFI
● Precise CFG: no over-approximation● Stack integrity (through shadow stack)● Fully-precise static CFI: a transfer is only allowed if some
benign execution uses it
● How secure is CFI?– With and without stack integrity
![Page 24: New memory corruption attacks: why can't we have nice things? · DR. STRANGELOVE OR: HOW I LEARNED TO STOP WORRYING AND LOVE THE SEGFAULT (c) Castro Theatre and Spoke Art, 2013](https://reader034.vdocuments.site/reader034/viewer/2022043006/5f90fcfbe4cf242e6c5ff12a/html5/thumbnails/24.jpg)
CFI, no stack integrity: ROP challenges
● Find path to system() in CFG.● Divert control-flow along this path
– Constrained through memory vulnerability
● Control arguments to system()
![Page 25: New memory corruption attacks: why can't we have nice things? · DR. STRANGELOVE OR: HOW I LEARNED TO STOP WORRYING AND LOVE THE SEGFAULT (c) Castro Theatre and Spoke Art, 2013](https://reader034.vdocuments.site/reader034/viewer/2022043006/5f90fcfbe4cf242e6c5ff12a/html5/thumbnails/25.jpg)
What does a CFG look like?
system()
vuln()
![Page 26: New memory corruption attacks: why can't we have nice things? · DR. STRANGELOVE OR: HOW I LEARNED TO STOP WORRYING AND LOVE THE SEGFAULT (c) Castro Theatre and Spoke Art, 2013](https://reader034.vdocuments.site/reader034/viewer/2022043006/5f90fcfbe4cf242e6c5ff12a/html5/thumbnails/26.jpg)
What does a CFG look like? Really?
system()
vuln()
memcpy()
![Page 27: New memory corruption attacks: why can't we have nice things? · DR. STRANGELOVE OR: HOW I LEARNED TO STOP WORRYING AND LOVE THE SEGFAULT (c) Castro Theatre and Spoke Art, 2013](https://reader034.vdocuments.site/reader034/viewer/2022043006/5f90fcfbe4cf242e6c5ff12a/html5/thumbnails/27.jpg)
Dispatcher functions
● Frequently called● Arguments are under attacker's control● May overwrite their own return address
memcpy(dst, src, 8)
CallerStackFrame
memcpy()
StackFrameLocalData
ReturnAddress
AttackerData
![Page 28: New memory corruption attacks: why can't we have nice things? · DR. STRANGELOVE OR: HOW I LEARNED TO STOP WORRYING AND LOVE THE SEGFAULT (c) Castro Theatre and Spoke Art, 2013](https://reader034.vdocuments.site/reader034/viewer/2022043006/5f90fcfbe4cf242e6c5ff12a/html5/thumbnails/28.jpg)
Control-Flow Bending, no stack integrity
● CFI without stack integrity is broken– Stateless defenses insufficient for stack attacks
– Arbitrary code execution in all cases
● Attack is program-dependent, harder than w/o CFI
![Page 29: New memory corruption attacks: why can't we have nice things? · DR. STRANGELOVE OR: HOW I LEARNED TO STOP WORRYING AND LOVE THE SEGFAULT (c) Castro Theatre and Spoke Art, 2013](https://reader034.vdocuments.site/reader034/viewer/2022043006/5f90fcfbe4cf242e6c5ff12a/html5/thumbnails/29.jpg)
Counterfeit Object-Oriented Programming
● A function can be a gadget too!class Course {private:
Student **students;size_t nstudents;
public:virtual ~Course() {
for (size_t i = 0; i < nstudents; ++i) {students[i]->decCourseCount();
}delete students;
}
Control lengthof loop
Array with ptrs.to vtables
Keywordfor ind. call
Felix Schuster, Thomas Tendyck, Christopher Liebchen, Lucas Davi, Ahmad-Reza Sadeghi, Thorsten Holz, “Counterfeit Object-Oriented Programming”, Oakland'15.
![Page 30: New memory corruption attacks: why can't we have nice things? · DR. STRANGELOVE OR: HOW I LEARNED TO STOP WORRYING AND LOVE THE SEGFAULT (c) Castro Theatre and Spoke Art, 2013](https://reader034.vdocuments.site/reader034/viewer/2022043006/5f90fcfbe4cf242e6c5ff12a/html5/thumbnails/30.jpg)
Counterfeit Object-Oriented Programming
class Exam {private: size_t scoreA, scoreB, scoreC;public: char *topic; size_t score; virtual void updateAbsoluteScore() { score = scoreA + scoreB + scoreC; }};struct SimpleString { char *buffer; size_t len; virtual void set(char *s) { strncpy(buffer, s, len); }};
Arithmetic
“memcpy”
vptr
size_t scoreA
size_t scoreB
size_t scoreC
size_t score
size_t len
char* topic
size_t score / char *buffer
char* topic / vptr
![Page 31: New memory corruption attacks: why can't we have nice things? · DR. STRANGELOVE OR: HOW I LEARNED TO STOP WORRYING AND LOVE THE SEGFAULT (c) Castro Theatre and Spoke Art, 2013](https://reader034.vdocuments.site/reader034/viewer/2022043006/5f90fcfbe4cf242e6c5ff12a/html5/thumbnails/31.jpg)
Existing CFI mechanisms
● Lockdown (DIMVA'15)● MCFI and piCFI (PLDI'14 and CCS'15)● Google LLVM-CFI● Google IFCC (Usenix SEC'14)● MS Control-Flow Guard● Many many others
![Page 32: New memory corruption attacks: why can't we have nice things? · DR. STRANGELOVE OR: HOW I LEARNED TO STOP WORRYING AND LOVE THE SEGFAULT (c) Castro Theatre and Spoke Art, 2013](https://reader034.vdocuments.site/reader034/viewer/2022043006/5f90fcfbe4cf242e6c5ff12a/html5/thumbnails/32.jpg)
Remember CFI?
…jmpl *%eax…call *(0xb)…call *(0xc)call *4(0xc)
0xa0xb0xc0xd
0xd0xe
0x20xf
Indirect CF transfers Equivalence classes
Size ofa class
![Page 33: New memory corruption attacks: why can't we have nice things? · DR. STRANGELOVE OR: HOW I LEARNED TO STOP WORRYING AND LOVE THE SEGFAULT (c) Castro Theatre and Spoke Art, 2013](https://reader034.vdocuments.site/reader034/viewer/2022043006/5f90fcfbe4cf242e6c5ff12a/html5/thumbnails/33.jpg)
Forward edge precision: size of eqi classes
Median
25th percentile
75th percentile
outliers
Required
![Page 34: New memory corruption attacks: why can't we have nice things? · DR. STRANGELOVE OR: HOW I LEARNED TO STOP WORRYING AND LOVE THE SEGFAULT (c) Castro Theatre and Spoke Art, 2013](https://reader034.vdocuments.site/reader034/viewer/2022043006/5f90fcfbe4cf242e6c5ff12a/html5/thumbnails/34.jpg)
Existing CFI mechanisms
CFI mechanism Forward Edge Backward Edge CFB
IFCC ~ MS CFG ~ LLVM-CFI MCFI/piCFI ~Lockdown ~+
![Page 35: New memory corruption attacks: why can't we have nice things? · DR. STRANGELOVE OR: HOW I LEARNED TO STOP WORRYING AND LOVE THE SEGFAULT (c) Castro Theatre and Spoke Art, 2013](https://reader034.vdocuments.site/reader034/viewer/2022043006/5f90fcfbe4cf242e6c5ff12a/html5/thumbnails/35.jpg)
What if we have stack integrity?
● ROP no longer an option● Attack becomes harder
– Need to find a path through virtual calls
– Resort to “restricted COOP”
● An interpreter would make attacks much simpler...
![Page 36: New memory corruption attacks: why can't we have nice things? · DR. STRANGELOVE OR: HOW I LEARNED TO STOP WORRYING AND LOVE THE SEGFAULT (c) Castro Theatre and Spoke Art, 2013](https://reader034.vdocuments.site/reader034/viewer/2022043006/5f90fcfbe4cf242e6c5ff12a/html5/thumbnails/36.jpg)
printf()-oriented programming
● Translate program to format string– Memory reads: %s
– Memory writes: %n
– Conditional: %.*d
● Program counter becomes format string counter– Loops? Overwrite the format specific counter
● Turing-complete domain-specific language
![Page 37: New memory corruption attacks: why can't we have nice things? · DR. STRANGELOVE OR: HOW I LEARNED TO STOP WORRYING AND LOVE THE SEGFAULT (c) Castro Theatre and Spoke Art, 2013](https://reader034.vdocuments.site/reader034/viewer/2022043006/5f90fcfbe4cf242e6c5ff12a/html5/thumbnails/37.jpg)
Ever heard of brainfuck?
● > == dataptr++● < == dataptr--● + == *dataptr++● - == *datapr--● . == putchar(*dataptr)● , == getchar(dataptr)● [ == if (*dataptr == 0) goto ']'● ] == if (*dataptr != 0) goto '['
%1$65535d%1$.*1$d%2$hn
%1$.*1$d %2$hn
%3$.*3$d %4$hhn
%3$255d%3$.*3$d%4$hhn
%3$.*3$d%5$hn
%13$.*13$d%4$hn
%1$.*1$d%10$.*10$d%2$hn
%1$.*1$d%10$.*10$d%2$hn
![Page 38: New memory corruption attacks: why can't we have nice things? · DR. STRANGELOVE OR: HOW I LEARNED TO STOP WORRYING AND LOVE THE SEGFAULT (c) Castro Theatre and Spoke Art, 2013](https://reader034.vdocuments.site/reader034/viewer/2022043006/5f90fcfbe4cf242e6c5ff12a/html5/thumbnails/38.jpg)
void loop() { char* last = output; int* rpc = &progn[pc];
while (*rpc != 0) { // fetch -- decode next instruction sprintf(buf, "%1$.*1$d%1$.*1$d%1$.*1$d%1$.*1$d%1$.*1$d%1$.*1$d%1$.*1$d%1$.*1$d%2$hn", *rpc, (short*)(&real_syms));
// execute -- execute instruction sprintf(buf, *real_syms, ((long long int)array)&0xFFFF, &array, // 1, 2 *array, array, output, // 3, 4, 5 ((long long int)output)&0xFFFF, &output, // 6, 7 &cond, &bf_CGOTO_fmt3[0], // 8, 9 rpc[1], &rpc, 0, *input, // 10, 11, 12, 13 ((long long int)input)&0xFFFF, &input // 14, 15 );
// retire -- update PC sprintf(buf, "12345678%.*d%hn", (int)(((long long int)rpc)&0xFFFF), 0, (short*)&rpc);
// for debug: do we need to print? if (output != last) { putchar(output[-1]); last = output; } }}
![Page 39: New memory corruption attacks: why can't we have nice things? · DR. STRANGELOVE OR: HOW I LEARNED TO STOP WORRYING AND LOVE THE SEGFAULT (c) Castro Theatre and Spoke Art, 2013](https://reader034.vdocuments.site/reader034/viewer/2022043006/5f90fcfbe4cf242e6c5ff12a/html5/thumbnails/39.jpg)
Introducing: printbf
● Turing complete interpreter● Relies on format strings● Allows you to execute stuff
http://github.com/HexHive/printbf
![Page 40: New memory corruption attacks: why can't we have nice things? · DR. STRANGELOVE OR: HOW I LEARNED TO STOP WORRYING AND LOVE THE SEGFAULT (c) Castro Theatre and Spoke Art, 2013](https://reader034.vdocuments.site/reader034/viewer/2022043006/5f90fcfbe4cf242e6c5ff12a/html5/thumbnails/40.jpg)
Conclusion
![Page 41: New memory corruption attacks: why can't we have nice things? · DR. STRANGELOVE OR: HOW I LEARNED TO STOP WORRYING AND LOVE THE SEGFAULT (c) Castro Theatre and Spoke Art, 2013](https://reader034.vdocuments.site/reader034/viewer/2022043006/5f90fcfbe4cf242e6c5ff12a/html5/thumbnails/41.jpg)
Conclusion
● Low level languages are here to stay– ... and they are full of “potential”
● Without stack integrity, defenses are broken
● Even with stack integrity we can do fun stuff– Enjoy our Turing-complete printbf interpreter
![Page 42: New memory corruption attacks: why can't we have nice things? · DR. STRANGELOVE OR: HOW I LEARNED TO STOP WORRYING AND LOVE THE SEGFAULT (c) Castro Theatre and Spoke Art, 2013](https://reader034.vdocuments.site/reader034/viewer/2022043006/5f90fcfbe4cf242e6c5ff12a/html5/thumbnails/42.jpg)
Thank you! Questions?
Mathias Payer (@gannimo) and Nicholas Carlinihttp://hexhive.github.io