context/rnd restructure: add weakness mitigation
This commit is contained in:
parent
5fb007ba40
commit
5ec6c7245e
5 changed files with 449 additions and 264 deletions
|
|
@ -7,7 +7,6 @@
|
|||
% TLB needs to be reset on Task Change
|
||||
% ISR-Stack-Frame needs to be updated on context-switch
|
||||
|
||||
|
||||
\section{Software Fault Isolation}
|
||||
% TODO: content from \cite{Balasubramanian2017}
|
||||
|
||||
|
|
@ -19,20 +18,138 @@
|
|||
% TODO * Tasks can't access unallocated (physical) memory
|
||||
% TODO * Tasks can't access other tasks memory
|
||||
|
||||
\chapter{An Introduction To Rust}
|
||||
\label{context::rust}
|
||||
Described by the maintainers, it is a "systems programming language that runs blazingly fast, prevents segfaults, and guarantees thread safety.", (www.rust-lang.org)
|
||||
|
||||
\chapter{Porting \glsentrytext{C} Vulnerabilities}
|
||||
\label{rnd::porting-c-vulns}
|
||||
In this chapter, the weakness manifestations given in \cref{context::common-mem-safety-mistakes::manifestations} are rewritten in \gls{Rust} to examine if these are mitigated just by porting them.
|
||||
\section{Compiler Architecture}
|
||||
- TODO: Tokens? AST? LLVM? (http://embed.rs/articles/2016/arm-inline-assembly-rust/)
|
||||
|
||||
- TODO: BSYS SS17 GITHUB IO Rust Memory Layout - 4
|
||||
|
||||
\subsection{Static Analyser}
|
||||
- TODO: mention electrolyte, formal verification for Rust
|
||||
|
||||
\section{Language Features}
|
||||
- TODO: How does static typing help with preventing programming errors
|
||||
|
||||
- TODO: How does the Rust's static analysis work, theoretically and practically
|
||||
|
||||
- TODO: How can memory be dynamically allocated and still safety checked?
|
||||
|
||||
\subsection{Ownership And Borrows}
|
||||
- TODO: Who owns global 'static variables?
|
||||
|
||||
|
||||
\subsection{Lifetimes}
|
||||
- TODO: Where are global 'static variables allocated?
|
||||
|
||||
\subsection{Type Safety}
|
||||
- TODO: demonstrate casts
|
||||
|
||||
- TODO: demonstrate raw pointers
|
||||
|
||||
- TODO: discuss the equivalents of void*?
|
||||
|
||||
\subsection{Inner- and Outer Mutability}
|
||||
- TODO: describe Rc, Arc, and {Ref,}Cell
|
||||
|
||||
- https://nercury.github.io/rust/guide/2015/01/19/ownership.html
|
||||
|
||||
\subsection{Zero-Cost Abstraction}
|
||||
\section{Language Extension}
|
||||
\subsection{Syntax Extension}
|
||||
\subsubsection{Macros}
|
||||
\subsubsection{Annotations}
|
||||
\subsection{Compiler Plugins}
|
||||
|
||||
\section{Idioms And Patterns}
|
||||
|
||||
\subsection{The Newtype Pattern}
|
||||
https://aturon.github.io/features/types/newtype.html
|
||||
|
||||
\section{Limitations}
|
||||
* TODO: deadlock example
|
||||
* TODO: cyclic reference memory leak example
|
||||
|
||||
\chapter{Weakness Mitigation Evaluation}
|
||||
\label{rnd::weakness-mitig-eval}
|
||||
|
||||
\section{CWE Mitigation Suggestions Evaluation}
|
||||
\label{rnd::weakness-mitig-eval::cwe-mitig-suggestion-eval}
|
||||
|
||||
\section{Porting \glsentrytext{C} Vulnerabilities}
|
||||
\label{rnd::weakness-mitig-eval::porting-c-vulns}
|
||||
|
||||
In this chapter, the weakness manifestations given in \cref{context::weaknesses-mem-safety::manifestations} are rewritten in \gls{Rust} to examine if these are mitigated just by porting them.
|
||||
This is done incrementally by first porting the vulnerability to unsafe Rust, followed by a rewrite to drop all unsafe code but keeping the intended functionality.
|
||||
% TODO official CWE-119 examples
|
||||
|
||||
\section{Stack Protection}
|
||||
\label{rnd::weakness-mitig-eval::stack-protection}
|
||||
The goal of this chapter is to learn about \gls{Rust}'s stack protection mechanisms.
|
||||
|
||||
\subsection{Return Address Manipulation Experiments}
|
||||
\label{rnd::weakness-mitig-eval::stack-protection::ret-addr-experiments}
|
||||
The following manifestations are minimal constructions, supposedly to easy to understand.
|
||||
They should allow to get a grasp of what vulnerabilities might look like, and at the same time display weaknesses of the \gls{C} language.
|
||||
|
||||
\Cref{code::context::examples::sf-modification-simple} is a little example program in \gls{C}, which manipulates the return function address stored on the \gls{stack}.
|
||||
This is done by simple and legal pointer arithmetic.
|
||||
It abuses the address of the first local variable to create references into the \gls{sf} below on the \gls{stack}.
|
||||
Since the first variable is in the beginning of the \gls{sf} of the called function, it can be used to guess the position of the return address on the \gls{stack}.
|
||||
Depending on the \gls{compiler} settings, the return address is stored either one or two stack entries in front of the first local variable for a function with no arguments.
|
||||
In a brute-force manner the program simply overwrites both entries with the address of \code{simple_printer}.
|
||||
By writing a different function address at these entries, the \code{ret} instruction will jump there, since the original return address has been overwritten.
|
||||
|
||||
\begin{figure}[ht!]
|
||||
\begin{subfigure}[T]{0.60\textwidth}
|
||||
\centering
|
||||
\begin{minted}[linenos,breaklines]{c}
|
||||
void modifier(void) {
|
||||
uint64_t *p;
|
||||
*(&p + 1) =
|
||||
(uint64_t *)simple_printer;
|
||||
*(&p + 2) =
|
||||
(uint64_t *)simple_printer;
|
||||
}
|
||||
\end{minted}
|
||||
\subcaption{C code}
|
||||
\end{subfigure}
|
||||
\begin{subfigure}[T]{0.39\textwidth}
|
||||
\centering
|
||||
\begin{minted}[linenos,breaklines]{objdump}
|
||||
movabs rax,0x400690
|
||||
mov QWORD PTR [rsp],rax
|
||||
mov QWORD PTR [rsp+0x8],rax
|
||||
ret
|
||||
\end{minted}
|
||||
\subcaption{ASM code}
|
||||
\end{subfigure}
|
||||
\caption{Stack-Frame Modification in C}
|
||||
\label{code::context::examples::sf-modification-simple}
|
||||
\end{figure}
|
||||
|
||||
\Cref{TODO-callstack-manipulation} is an attempt to visualize what happens in memory and with the \gls{stack} and the \gls{cpu}'s RIP {64-Bit Instruction Pointer} register.
|
||||
|
||||
\begin{figure}
|
||||
\includegraphics[width=\textwidth]{gfx/TODO-callstack-manipulation}
|
||||
\caption{TODO-callstack-manipulation}
|
||||
\label{TODO-callstack-manipulation}
|
||||
\end{figure}
|
||||
\FloatBarrier
|
||||
|
||||
\subsection{Rust and the Stack Clash}
|
||||
\label{rnd::weakness-mitig-eval::stack-protection::rust-stack-clash}
|
||||
This subsection determines if \gls{Rust} can solve the issue described in \cpnameref{context::weaknesses-mem-safety::manifestations::stack-clash} from userspace and \gls{os} perspectives.
|
||||
|
||||
% TODO https://github.com/rust-lang/rust/issues/16012
|
||||
|
||||
\chapter{\glsentrytext{LX} Modules Written In \glsentrytext{Rust}}
|
||||
The numerous \gls{LX} vulnerabilities are a great motivator for using \gls{Rust} for \gls{LX} drivers.
|
||||
This chapter presents the attempt to use \gls{Rust} for a simple buffer that is presented to userspace as a character device.
|
||||
|
||||
\chapter{Stack Protection}
|
||||
The goal of this chapter is to learn about \gls{Rust}'s stack protection mechanisms, and determine if it can help with the issue described in \cnameref{context::common-mem-safety-mistakes::manifestations::stack-clash}.
|
||||
|
||||
% TODO stack frame manipulation example
|
||||
|
||||
- TODO: explain the difficulty to use the Kernel's C Macros, which are required to expose a character device
|
||||
|
||||
\chapter{Existing \glsentrytext{os}-Development Projects Based On Rust}
|
||||
\label{rnd::existing-os-dev-with-rust}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue