Security Vulnerability Mitigations

C1 | Fri 25 Jan | 10:40 a.m.–11:25 a.m.


Presented by

  • Joel Sing

Joel is a computer scientist with more than 20 years of industry experience, including more than five years working as a Site Reliability Engineer with Google Australia. Over the years he has been involved in various open source projects, including being an OpenBSD developer for over 10 years, a founder and lead developer of the LibreSSL project and a developer with the Go programming language. Joel has also spent time in academia and holds a PhD in Computer Science.

Abstract

Security vulnerabilities allow software to be manipulated in such a way that it misbehaves to the benefit of an attacker. Security vulnerability mitigations work to thwart attempts to successfully exploit such a vulnerability, even when the underlying bug remains. This landscape is continually changing, in both the types of attacks and the required mitigations: while the last decade saw buffer overflows as a primary source of attacks, Return Oriented Programming (ROP) and Blind Return Oriented Programming (BROP) attacks pose new threats. Over the last 20+ years, OpenBSD has essentially been a research and development playground that has designed and implemented such mitigations, in both the kernel and userspace. Many of these mitigations have made their way into other platforms, including Linux, Microsoft Windows, iOS and Android. This talk will look at various long-standing mitigations such as W^X and Address Space Layout Randomisation (ASLR), before moving on to more recent developments such as pledge, unveil, KARL, trapsleds, RETGUARD and MAP_STACK.