1. There are types of vulnerabilities at the system level: authentication, malware, memory management, and file system vulnerabilities.
  2. There are 2 main issues with memory security: Preventing someone from reading from RAM they shouldn't, and preventing someone from writing to RAM they shouldn't.
  3. We already know how reading protection is done: in hardware. Each memory access is compared to a bounds pointer before being allowed to go to memory. If a reference exceeds the bounds pointer, generate an exception.
  4. But what about shared memory?
    1. One process makes the request, we allocate a page for the memory.
    2. The process has a virtual address that corresponds to the page.
    3. Another process attaches to the shared memory, receives a different virtual address that corresponds to the same physical address in the page table.
    4. In POSIX, permissions are handled just like file permissions, so as long as authentication is assured, we're pretty good. See ipcs -m
  5. Write to memory. See demo.
  6. Usually the point is not to modify the data like that, but to overwrite the pointer
  7. We need to know something about the layout of the program to be effective. This is easy for open source, harder for closed, but not that much harder...
  8. See demo... disas main, info registers
  9. Another thing a bad guy can do is insert code into the stack, and if he can get the old fram pointer to point to that code, then it can run arbitrary code. Disco.
  10. So what can we do about this:
    1. Program-time defenses
      1. Don't use C. Seriously, use something with modern memory protections.
      2. Don't program stupidly. Don't use gets(), use fgets(). Or get individual characters. Or don't use C.
    2. Compile and link time
      1. Have compiler insert bounds checks automatically. Works for staticly allocated arrays, but can't be done for dynamic.
      2. Use fancy safe extensions like libsafe.
      3. Compiler generates code that examines the stack frame for evidence of corruption.
      4. Stackguard compiler extension writes a canary value before and after the the old frame pointer, and checks to see if it is modified before returning.
    3. Run time
      1. Why not tag some pages as executable, and all others are not. Requires hardware support.
      2. Randomize addresses. System calls?