How compilers got less terrible

Slide 1

Slide 1 text

how compilers got less terribad richo

Slide 2

Slide 2 text

or: richo drinks and is mad about golang richo

Slide 3

Slide 3 text

who am I • security engineering at Stripe • work on (and have capital-F Feelings about) compilers • Co-own the only CVE for a skateboard with mike • (Go lookup 2015-2247 it’s pretty lols) • wrong island con

Slide 4

Slide 4 text

What this isn’t • Why you should use $technology • Why you should not use $technology

Slide 5

Slide 5 text

Compilers are super neat • Sometimes they’ll save you from yourself • Sometimes they won’t • Sometimes they’ll essentially go out of their way to be footguns

Slide 6

Slide 6 text

what even is a compiler Lex tokens Parse AST Codegen asm Assembler Object Link Executable input

Slide 7

Slide 7 text

int thing(char* s) { puts(s); }

Slide 8

Slide 8 text

TOK int TOK thing LPAREN tok void STAR tok s LBRACE tok puts LPAREN STRING hi! RPAREN SEMI RBRACE

Slide 9

Slide 9 text

FnDecl RetVal int Args char* s StmtList Ident thing call … puts s

Slide 10

Slide 10 text

(FnDecl thing ((char* s)) (apply puts (s))

Slide 11

Slide 11 text

Sidenote: Golang src/cmd/internal/gc/lex.go

Slide 12

Slide 12 text

Sidenote: Golang src/cmd/internal/gc/lex.go

Slide 13

Slide 13 text

Sidenote: Golang

Slide 14

Slide 14 text

what even is a compiler Lex tokens Parse AST Codeg asm Assem Objec Link Execu input Analysis!

Slide 15

Slide 15 text

what even is a compiler Lex tokens Parse AST Codeg asm Assem Objec Link Execu input Type checking Coherence Optimisation

Slide 16

Slide 16 text

No content

Slide 17

Slide 17 text

No content

Slide 18

Slide 18 text

cool, so why do I give a fuck? • In the context of safety there are really only two high level things you should actually care about:

Slide 19

Slide 19 text

cool, so why do I give a fuck? • How hard is it to crash my program? • How hard is it for an attacker to make that crash turing complete?

Slide 20

Slide 20 text

No content

Slide 21

Slide 21 text

difﬁculty of crash == memory safety • Naïve solutions, fully managed memory: • Refcounting • Garbage collection

Slide 22

Slide 22 text

memory safety: hardcode mode • Region based analysis: • Apple’s ARC • Rust’s borrow checker • enferex wrote a paper on slapping this onto golang

Slide 23

Slide 23 text

rust’s approach

Slide 24

Slide 24 text

You can ~always subvert this

Slide 25

Slide 25 text

You can ~always subvert this

Slide 26

Slide 26 text

The thing about people is

Slide 27

Slide 27 text

No content

Slide 28

Slide 28 text

No content

Slide 29

Slide 29 text

Smashing the Stack

Slide 30

Slide 30 text

How *did* it work?

Slide 31

Slide 31 text

An stack frame Dataz Old frame pointer return address

Slide 32

Slide 32 text

Creating an stack frame Dataz Old frame pointer return address mflr r0 stw r0, 4(r1) stwu r1, -16(r1) Dataz Old frame pointer return address

Slide 33

Slide 33 text

Destroying an stack frame Dataz Old frame pointer return address addi r1, r1, 16 lwz r0, 4(r1) mtlr r0 blr Dataz Old frame pointer return address

Slide 34

Slide 34 text

ohnoes Dataz Old frame pointer return address lwz r3, -16(r1) blr sym.gets addi r1, r1, 16 lwz r0, 4(r1) mtlr r0 blr Dataz Old frame pointer return address

Slide 35

Slide 35 text

No content

Slide 36

Slide 36 text

Why doesn’t this work? • SSP: Stack Smashing Protection

Slide 37

Slide 37 text

• SSP: Stack Smashing Protection

Slide 38

Slide 38 text

• SSP: Stack Smashing Protection

Slide 39

Slide 39 text

• SSP: Stack Smashing Protection

Slide 40

Slide 40 text

Why doesn’t this work? • ASLR: envp is randomised

Slide 41

Slide 41 text

• ASLR: everything! is randomised.. kinda

Slide 42

Slide 42 text

• ASLR: everything! is randomised.. kinda

Slide 43

Slide 43 text

• ASLR: everything! is randomised.. kinda

Slide 44

Slide 44 text

• echo 0 | sudo tee /proc/sys/kernel/ randomize_va_space

Slide 45

Slide 45 text

Why doesn’t this work? • DEP: the stack isn’t executable

Slide 46

Slide 46 text

You don’t even have to do that iff: * Your overwite is big enough * Some idiot made the stack executable

Slide 47

Slide 47 text

It’s 2015 though

Slide 48

Slide 48 text

It’s 2015 though Noone would do that

Slide 49

Slide 49 text

*cough*golang*cough* https://github.com/golang/go/commit/ 3f34248a7712e451b4217aa135e9236e93ece964

Slide 50

Slide 50 text

No content

Slide 51

Slide 51 text

RELRO • Not actually a great protection, but a ﬁne deterrent • Some pretty neat WTF about it’s original design

Slide 52

Slide 52 text

No relro .got .dtors .data .bss

Slide 53

Slide 53 text

Partial RELRO .got .dtors .data .bss

Slide 54

Slide 54 text

FULL RELRO .got .dtors .data .bss

Slide 55

Slide 55 text

One last lol-go

Slide 56

Slide 56 text

Conclusion • I did not actually have a point • I just think compilers are neat • Rust == Good • Go == Good but fucking lulzy if you dare peek under the covers • Shoutout to ben who lent me a charger at 1 this morning

Slide 57

Slide 57 text

Questions? • richo • @rich0H • github.com/richo • some slideshare url, I’ll toot it