Overview
Explore LD_PRELOAD process injection and whitelisting solutions in this Shmoocon 2020 conference talk. Learn how adversaries abuse LD_PRELOAD (hooking functions, running code at load time, and persisting through /etc/ld.so.preload), understand the dynamic linker's built-in audit system (rtld-audit), and see how it can be used to intercept and whitelist preloaded libraries before they are mapped. Examine the design and implementation trade-offs of a whitelist, and why a check built into the dynamic linker itself is more effective than a bolt-on solution. Follow along as the speaker builds a whitelisting library (libpreloadvaccine), catches an unauthorized preload in action, and then bypasses the protection, underlining the importance of keeping security measures close to the code they protect.
Syllabus
Intro
Intro to LD_PRELOAD
Make It Persistent
It Can Be Good!
Evil Use Cases
Hooking Functions
Hooking Example
Execution on Load
Execution Example
The rtld-audit Subsystem
Lots of functions
At First, I Wanted to Log
Intercept Before Load
Let's Block Some Preloads!
Unauthorized Preloads
Monitor & Block Preloads
Enter Libpreloadvaccine!
Simple Logic
Simple Authorized List
Simple Deployment
Catch it in Action!
And Bypass it After!
Keep Security Close to Code
Taught by
0xdade