Overview
Explore the weaknesses of Clang's SafeStack security feature in this 43-minute Black Hat conference talk. Dive into the implementation details of SafeStack, which aims to protect return addresses on the stack from memory-corruption vulnerabilities. Learn how data and return addresses are separated onto an unsafe stack and a safe stack, respectively. Discover three potential problems with SafeStack's implementation, covering memory corruption, analysis of the dynamic thread vector, and stack user variables. Examine case studies involving Firefox and MySQL to understand entropy reducibility. Investigate two primitives for exploiting SafeStack: spraying and persistent allocation. Gain insights into the effectiveness of SafeStack as a replacement for stack cookies and understand its limitations in providing complete protection against return address overwrites.
Syllabus
Introduction
Outline
SafeStack
What is SafeStack
SafeStack in Memory
SafeStack Internals
How Safe is SafeStack
Three Problems
Memory Corruption
Analysis
Dynamic Thread Vector
Stack User Variables
Other Stack Variables
Entropy Reducibility
Firefox
MySQL
Spraying
Two Primitives
Persistent Allocation
Conclusion
Taught by
Black Hat