buffer
play

Buffer Software Security overflows and other memory safety - PowerPoint PPT Presentation

Apr 01, 2023 •287 likes •1.33k views

Last time We continued By launching our 1st section: Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow fundamentals This time We will finish up By looking at Buffer Overflow overflows

  1. Buffer overflow char loc1[4]; ~0x0 0x0 code loc2 loc1 arg1 arg2 caller’s data %ebp %eip+… gets(loc1); 
 strcpy(loc1, <user input>); memcpy(loc1, <user input>); etc.

  2. Buffer overflow char loc1[4]; ~0x0 0x0 code loc2 loc1 arg1 arg2 caller’s data %ebp Input writes from low to high addresses %eip+… gets(loc1); 
 strcpy(loc1, <user input>); memcpy(loc1, <user input>); etc.

  3. Buffer overflow char loc1[4]; ~0x0 0x0 code loc2 loc1 arg1 arg2 caller’s data %ebp %eip+… Input writes from low to high addresses gets(loc1); 
 strcpy(loc1, <user input>); memcpy(loc1, <user input>); etc.

  4. Buffer overflow Can over-write other data (“AuthMe!”) char loc1[4]; ~0x0 0x0 code loc2 loc1 arg1 arg2 caller’s data %ebp %eip+… Input writes from low to high addresses gets(loc1); 
 strcpy(loc1, <user input>); memcpy(loc1, <user input>); etc.

  5. Buffer overflow Can over-write other data (“AuthMe!”) Can over-write the program’s control flow (%eip) char loc1[4]; ~0x0 0x0 code loc2 loc1 arg1 arg2 caller’s data %ebp %eip+… Input writes from low to high addresses gets(loc1); 
 strcpy(loc1, <user input>); memcpy(loc1, <user input>); etc.

  6. Code injection

  7. High-level idea void func(char *arg1) { char buffer[4]; sprintf(buffer, arg1); ... } ... %eip &arg1 %ebp 00 00 00 00 … buffer

  8. High-level idea void func(char *arg1) { char buffer[4]; sprintf(buffer, arg1); ... } ... %eip &arg1 Haxx0r c0d3 %ebp 00 00 00 00 … buffer (1) Load my own code into memory

  9. High-level idea void func(char *arg1) { char buffer[4]; sprintf(buffer, arg1); ... } %eip ... %eip &arg1 Haxx0r c0d3 Text %ebp 00 00 00 00 … buffer (1) Load my own code into memory (2) Somehow get %eip to point to it

  10. High-level idea void func(char *arg1) { char buffer[4]; sprintf(buffer, arg1); ... } %eip ... %eip &arg1 Haxx0r c0d3 Text %ebp 00 00 00 00 … buffer (1) Load my own code into memory (2) Somehow get %eip to point to it

  11. High-level idea void func(char *arg1) { char buffer[4]; sprintf(buffer, arg1); ... } %eip ... %eip &arg1 Haxx0r c0d3 Text %ebp 00 00 00 00 … buffer (1) Load my own code into memory (2) Somehow get %eip to point to it

  12. This is nontrivial • Pulling off this attack requires getting a few things really right (and some things sorta right) • Think about what is tricky about the attack • The key to defending it will be to make the hard parts really hard

  13. Challenge 1 Loading code into memory • It must be the machine code instructions (i.e., already compiled and ready to run) • We have to be careful in how we construct it: • It can’t contain any all-zero bytes Otherwise, sprintf / gets / scanf / … will stop copying - How could you write assembly to never contain a full zero - byte? • It can’t make use of the loader (we’re injecting) • It can’t use the stack (we’re going to smash it)

  14. What kind of code would we want to run? • Goal: full-purpose shell • The code to launch a shell is called “shell code” • It is nontrivial to it in a way that works as injected code No zeroes, can’t use the stack, no loader dependence - • There are many out there And competitions to see who can write the smallest - • Goal: privilege escalation • Ideally, they go from guest (or non-user) to root

  15. Shellcode #include <stdio.h> int main( ) { char *name[2]; name[0] = “/bin/sh”; name[1] = NULL; execve(name[0], name, NULL); }

  16. Shellcode #include <stdio.h> int main( ) { char *name[2]; name[0] = “/bin/sh”; name[1] = NULL; execve(name[0], name, NULL); } xorl %eax, %eax pushl %eax Assembly pushl $0x68732f2f pushl $0x6e69622f movl %esp,%ebx pushl %eax ...

  17. Shellcode #include <stdio.h> int main( ) { char *name[2]; name[0] = “/bin/sh”; name[1] = NULL; execve(name[0], name, NULL); } xorl %eax, %eax pushl %eax Assembly pushl $0x68732f2f pushl $0x6e69622f movl %esp,%ebx pushl %eax ...

  18. Shellcode #include <stdio.h> int main( ) { char *name[2]; name[0] = “/bin/sh”; name[1] = NULL; execve(name[0], name, NULL); } xorl %eax, %eax “\x31\xc0” Machine code pushl %eax “\x50” Assembly pushl $0x68732f2f “\x68””//sh” pushl $0x6e69622f “\x68””/bin” movl %esp,%ebx “\x89\xe3” pushl %eax “\x50” ... ...

  19. Shellcode #include <stdio.h> int main( ) { char *name[2]; name[0] = “/bin/sh”; name[1] = NULL; execve(name[0], name, NULL); } xorl %eax, %eax “\x31\xc0” Machine code pushl %eax “\x50” Assembly (Part of) pushl $0x68732f2f “\x68””//sh” your pushl $0x6e69622f “\x68””/bin” input movl %esp,%ebx “\x89\xe3” pushl %eax “\x50” ... ...

  20. Privilege escalation • Permissions later, but for now… • Recall that each file has: • Permissions: read / write / execute • For each of: owner / group / everyone else • Consider a service like passwd • Owned by root (and needs to do root-y things) • But you want any user to be able to run it

  21. Effective userid • Userid = the user who ran the process • Effective userid = what is used to determine what access the process has • Consider passwd: root owns it, but users can run it • getuid() will return you (real userid) • seteuid(0) to set the effective userid to root It’s allowed to because root is the owner - • What is the potential attack?

  22. Effective userid • Userid = the user who ran the process • Effective userid = what is used to determine what access the process has • Consider passwd: root owns it, but users can run it • getuid() will return you (real userid) • seteuid(0) to set the effective userid to root It’s allowed to because root is the owner - • What is the potential attack? If you can get a root-owned process to run 
 setuid(0)/seteuid(0), then you get root permissions

  23. Challenge 2 Getting our injected code to run • All we can do is write to memory from buffer onward • With this alone we want to get it to jump to our code • We have to use whatever code is already running ... %eip &arg1 %ebp 00 00 00 00 … buffer Thoughts?

  24. Challenge 2 Getting our injected code to run • All we can do is write to memory from buffer onward • With this alone we want to get it to jump to our code • We have to use whatever code is already running ... %eip &arg1 %ebp 00 00 00 00 … buffer Thoughts?

  25. Challenge 2 Getting our injected code to run • All we can do is write to memory from buffer onward • With this alone we want to get it to jump to our code • We have to use whatever code is already running ... %eip &arg1 %ebp 00 00 00 00 … \x0f \x3c \x2f ... buffer Thoughts?

  26. Challenge 2 Getting our injected code to run • All we can do is write to memory from buffer onward • With this alone we want to get it to jump to our code • We have to use whatever code is already running %eip ... %eip &arg1 Text %ebp 00 00 00 00 … \x0f \x3c \x2f ... buffer Thoughts?

  27. Challenge 2 Getting our injected code to run • All we can do is write to memory from buffer onward • With this alone we want to get it to jump to our code • We have to use whatever code is already running %eip ... %eip &arg1 Text %ebp 00 00 00 00 … \x0f \x3c \x2f ... buffer Thoughts?

  28. Challenge 2 Getting our injected code to run • All we can do is write to memory from buffer onward • With this alone we want to get it to jump to our code • We have to use whatever code is already running %eip ... %eip &arg1 Text %ebp 00 00 00 00 … \x0f \x3c \x2f ... buffer Thoughts?

  29. Stack and functions: Summary Calling function: 1. Push arguments onto the stack (in reverse) 2. Push the return address , i.e., the address of the instruction you want run after control returns to you: %eip+something 3. Jump to the function’s address Called function: 4. Push the old frame pointer onto the stack: %ebp 5. Set frame pointer %ebp to where the end of the stack is right now: %esp 6. Push local variables onto the stack; access them as offsets from %ebp Returning function: 7. Reset the previous stack frame : %ebp = (%ebp) 8. Jump back to return address : %eip = 4(%ebp)

  30. Hijacking the saved %eip %eip %ebp ... %eip &arg1 Text %ebp 00 00 00 00 … \x0f \x3c \x2f ... buffer 0xbff

  31. Hijacking the saved %eip %eip %ebp ... %eip &arg1 Text %ebp 00 00 00 00 0xbff … \x0f \x3c \x2f ... buffer 0xbff

  32. Hijacking the saved %eip %eip %ebp ... %eip &arg1 Text %ebp 00 00 00 00 0xbff … \x0f \x3c \x2f ... buffer 0xbff

  33. Hijacking the saved %eip %eip %ebp ... %eip &arg1 Text %ebp 00 00 00 00 0xbff … \x0f \x3c \x2f ... buffer 0xbff But how do we know the address?

  34. Hijacking the saved %eip What if we are wrong? %eip %ebp ... %eip &arg1 Text %ebp 00 00 00 00 0xbff … \x0f \x3c \x2f ... buffer 0xbff

  35. Hijacking the saved %eip What if we are wrong? %eip %ebp ... %eip &arg1 Text %ebp 00 00 00 00 0xbff 0xbdf … \x0f \x3c \x2f ... buffer 0xbff

  36. Hijacking the saved %eip What if we are wrong? %eip %ebp ... %eip &arg1 Text %ebp 00 00 00 00 0xbff 0xbdf … \x0f \x3c \x2f ... buffer 0xbff

  37. Hijacking the saved %eip What if we are wrong? %eip %ebp ... %eip &arg1 Text %ebp 00 00 00 00 0xbdf 0xbff … \x0f \x3c \x2f ... buffer 0xbff This is most likely data, so the CPU will panic (Invalid Instruction)

  38. Challenge 3 Finding the return address

  39. Challenge 3 Finding the return address • If we don’t have access to the code, we don’t know how far the buffer is from the saved %ebp

  40. Challenge 3 Finding the return address • If we don’t have access to the code, we don’t know how far the buffer is from the saved %ebp • One approach: just try a lot of different values!

  41. Challenge 3 Finding the return address • If we don’t have access to the code, we don’t know how far the buffer is from the saved %ebp • One approach: just try a lot of different values! • Worst case scenario: it’s a 32 (or 64) bit memory space, which means 2 32 (2 64 ) possible answers

  42. Challenge 3 Finding the return address • If we don’t have access to the code, we don’t know how far the buffer is from the saved %ebp • One approach: just try a lot of different values! • Worst case scenario: it’s a 32 (or 64) bit memory space, which means 2 32 (2 64 ) possible answers • But without address randomization: • The stack always starts from the same, fixed address • The stack will grow, but usually it doesn’t grow very deeply (unless the code is heavily recursive)

  43. Improving our chances: nop sleds nop is a single-byte instruction (just moves to the next instruction) %eip %ebp ... %eip &arg1 Text %ebp 00 00 00 00 0xbff 0xbdf … \x0f \x3c \x2f ... buffer 0xbff

  44. Improving our chances: nop sleds nop is a single-byte instruction (just moves to the next instruction) %eip %ebp ... %eip &arg1 Text %ebp 00 00 00 00 0xbff 0xbdf … \x0f \x3c \x2f ... nop nop nop … buffer 0xbff

  45. Improving our chances: nop sleds nop is a single-byte instruction (just moves to the next instruction) Jumping anywhere %eip %ebp here will work ... %eip &arg1 Text %ebp 00 00 00 00 0xbff 0xbdf … \x0f \x3c \x2f ... nop nop nop … buffer 0xbff

  46. Improving our chances: nop sleds nop is a single-byte instruction (just moves to the next instruction) Jumping anywhere %eip %ebp here will work ... %eip &arg1 Text %ebp 00 00 00 00 0xbff 0xbdf … \x0f \x3c \x2f ... nop nop nop … buffer

  47. Improving our chances: nop sleds nop is a single-byte instruction (just moves to the next instruction) Jumping anywhere %eip %ebp here will work ... %eip &arg1 Text %ebp 00 00 00 00 0xbff 0xbdf … \x0f \x3c \x2f ... nop nop nop … buffer Now we improve our chances 
 of guessing by a factor of #nops

  48. Putting it all together %eip ... %eip &arg1 Text %ebp 00 00 00 00 … buffer

  49. Putting it all together padding %eip ... %eip &arg1 Text %ebp 00 00 00 00 … buffer

  50. Putting it all together But it has to be something ; 
 we have to start writing wherever 
 the input to gets /etc. begins. padding %eip ... %eip &arg1 Text %ebp 00 00 00 00 … buffer

  51. Putting it all together But it has to be something ; 
 we have to start writing wherever 
 the input to gets /etc. begins. good 
 padding %eip guess ... %eip &arg1 Text %ebp 00 00 00 00 0xbdf … buffer

  52. Putting it all together But it has to be something ; 
 we have to start writing wherever 
 the input to gets /etc. begins. good 
 padding %eip guess ... %eip &arg1 Text %ebp 00 00 00 00 0xbdf … nop nop nop … buffer nop sled

  53. Putting it all together But it has to be something ; 
 we have to start writing wherever 
 the input to gets /etc. begins. good 
 padding %eip guess ... %eip &arg1 Text %ebp 00 00 00 00 0xbdf … \x0f \x3c \x2f ... nop nop nop … buffer nop sled malicious code

  54. Putting it all together But it has to be something ; 
 we have to start writing wherever 
 the input to gets /etc. begins. good 
 padding guess %eip ... %eip &arg1 Text %ebp 00 00 00 00 0xbdf … \x0f \x3c \x2f ... nop nop nop … buffer nop sled malicious code

  55. Putting it all together But it has to be something ; 
 we have to start writing wherever 
 the input to gets /etc. begins. good 
 padding guess %eip ... %eip &arg1 Text %ebp 00 00 00 00 0xbdf … \x0f \x3c \x2f ... nop nop nop … buffer nop sled malicious code

  56. Project one will be posted by tomorrow morning Due 2 weeks later (11:59pm Wednesday Feb 18)

  57. Defenses

  58. Recall our challenges How can we make these even more difficult? • Putting code into the memory (no zeroes) • Getting %eip to point to our code (dist buff to stored eip) • Finding the return address (guess the raw addr)

  59. Detecting overflows with canaries %eip ... %eip &arg1 Text %ebp 00 00 00 00 … buffer

  60. Detecting overflows with canaries %eip ... %eip &arg1 Text %ebp 00 00 00 00 … buffer

  61. Detecting overflows with canaries %eip ... %eip &arg1 Text %ebp 00 00 00 00 02 8d e2 10 … buffer canary

  62. Detecting overflows with canaries %eip ... %eip &arg1 Text %ebp 00 00 00 00 02 8d e2 10 0xbdf … \x0f \x3c \x2f ... nop nop nop … buffer canary

  63. Detecting overflows with canaries %eip ... %eip &arg1 Text %ebp 00 00 00 00 02 8d e2 10 0xbdf … \x0f \x3c \x2f ... nop nop nop … buffer canary

  64. Detecting overflows with canaries Not the expected value: abort %eip ... %eip &arg1 Text %ebp 00 00 00 00 02 8d e2 10 0xbdf … \x0f \x3c \x2f ... nop nop nop … buffer canary

  65. Detecting overflows with canaries Not the expected value: abort %eip ... %eip &arg1 Text %ebp 00 00 00 00 02 8d e2 10 0xbdf … \x0f \x3c \x2f ... nop nop nop … buffer canary What value should the canary have?

  66. Canary values From StackGuard [Wagle & Cowan] 1. Terminator canaries (CR, LF, NULL, -1) • Leverages the fact that scanf etc. don’t allow these 2. Random canaries • Write a new random value @ each process start • Save the real value somewhere in memory • Must write-protect the stored value 3. Random XOR canaries • Same as random canaries • But store canary XOR some control info, instead

  67. Recall our challenges How can we make these even more difficult? • Putting code into the memory (no zeroes) • Option: Make this detectable with canaries 
 • Getting %eip to point to our code(dist buff to stored eip) • Finding the return address (guess the raw addr)

  68. Return-to-libc good 
 padding %eip guess ... Text %eip &arg1 %ebp 00 00 00 00 0xbdf … \x0f \x3c \x2f ... nop nop nop … buffer libc nop sled malicious code

  69. Return-to-libc good 
 padding %eip guess ... Text %eip &arg1 %ebp 00 00 00 00 0xbdf … nop nop nop … buffer libc nop sled

  70. Return-to-libc good 
 padding %eip guess ... Text %eip &arg1 %ebp 00 00 00 00 0xbdf … buffer libc

  71. Return-to-libc padding %eip ... Text %eip &arg1 %ebp 00 00 00 00 … buffer libc

  72. Return-to-libc padding %eip ... Text %eip &arg1 %ebp 00 00 00 00 … buffer libc ... ... ... exec() printf() “/bin/sh” libc

  73. Return-to-libc known 
 padding %eip location ... Text %eip &arg1 %ebp 00 00 00 00 0x17f … buffer libc ... ... ... exec() printf() “/bin/sh” libc

  74. Return-to-libc known 
 padding %eip location ... Text %eip &arg1 %ebp 00 00 00 00 0x17f 0x20d … buffer libc ... ... ... exec() printf() “/bin/sh” libc

  75. Recall our challenges How can we make these even more difficult? • Putting code into the memory (no zeroes) • Option: Make this detectable with canaries 
 • Getting %eip to point to our code (dist buff to stored eip) • Non-executable stack doesn’t work so well • Finding the return address (guess the raw addr)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Buffer Manager Each relation is can be mapped onto many files (each file containing data from one

Buffer Manager Each relation is can be mapped onto many files (each file containing data from one

Buffer Management The database buffer is the mediator between the basic file system and the tuple-oriented file system. The buffer managers task is to make the pages addressable in main memory and to coordinate the writing of pages to disk

1.12k views • 8 slides
Introduction Buffer Overflows Buffer overflows were the most common form of security

Introduction Buffer Overflows Buffer overflows were the most common form of security

Introduction Buffer Overflows Buffer overflows were the most common form of security vulnerability in the 90s. Buffer overflows dominate in the area of remote network penetration vulnerabilities. CS 465 They represent one of the

651 views • 4 slides
Buffer Overflows with Content 2 A Process Stack Buffer Overflow Common Techniques employed

Buffer Overflows with Content 2 A Process Stack Buffer Overflow Common Techniques employed

1 Buffer Overflows with Content 2 A Process Stack Buffer Overflow Common Techniques employed in buffer overflow exploits to create backdoors Execution of additional network services via the INETD daemon The addition of new users

497 views • 30 slides
External buffer Raslan Darawsheh Mellanox External buffer First was introduced by Olivier

External buffer Raslan Darawsheh Mellanox External buffer First was introduced by Olivier

x External buffer Raslan Darawsheh Mellanox External buffer First was introduced by Olivier in his presentation in 2016. The support for External buffer has been there since DPDK 18.05 2 External buffer: Contd 3 External

544 views • 12 slides
Lab 2: Buffer Overflows Fengwei Zhang SUSTech CS 315 Computer Security 1 Buffer Overflows

Lab 2: Buffer Overflows Fengwei Zhang SUSTech CS 315 Computer Security 1 Buffer Overflows

Lab 2: Buffer Overflows Fengwei Zhang SUSTech CS 315 Computer Security 1 Buffer Overflows One of the most common vulnerabilities in software Programming languages commonly associated with buffer overflows including C and C++

1.14k views • 17 slides
Buffer Overflows and Defenses CS 419: Computer Security Lecture 10 and 11 Buffer Overflow a

Buffer Overflows and Defenses CS 419: Computer Security Lecture 10 and 11 Buffer Overflow a

Buffer Overflows and Defenses CS 419: Computer Security Lecture 10 and 11 Buffer Overflow a very common attack mechanism from 1988 Morris Worm to Code Red, Slammer, Sasser and many others prevention techniques known still of major concern

873 views • 53 slides
TinyOS Determine when Fill message Specify Pass buffer message buffer Network Communication

TinyOS Determine when Fill message Specify Pass buffer message buffer Network Communication

Inter-Node Communication General idea: Sender: TinyOS Determine when Fill message Specify Pass buffer message buffer Network Communication buffer with data Recipients to OS can be reused Computer Network Receiver:

176 views • 3 slides
Week 03 Lectures PostgreSQL Buffer Manager 1/95 PostgreSQL buffer manager: provides a shared

Week 03 Lectures PostgreSQL Buffer Manager 1/95 PostgreSQL buffer manager: provides a shared

Week 03 Lectures PostgreSQL Buffer Manager 1/95 PostgreSQL buffer manager: provides a shared pool of memory buffers for all backends all access methods get data from disk via buffer manager Buffers are located in a large region of shared

505 views • 25 slides
Riparian Buffer or Riparian Forest Buffer Equivalency Demonstration and Offsetting Water

Riparian Buffer or Riparian Forest Buffer Equivalency Demonstration and Offsetting Water

Implementation of Act 162 of 2014 Riparian Buffer or Riparian Forest Buffer Equivalency Demonstration and Offsetting Water Resources Advisory Committee August 12, 2015 Tom Wolf, Governor John Quigley, Secretary Agenda 1. Overview of Act 162

530 views • 37 slides
Chapter 10 Buffer Overflow Buffer Overflow Common attack mechanism first wide use by

Chapter 10 Buffer Overflow Buffer Overflow Common attack mechanism first wide use by

Chapter 10 Buffer Overflow Buffer Overflow Common attack mechanism first wide use by the Morris Worm in 1988 Prevention techniques known NX bit, stack canaries, ASLR Still of major concern Recent examples:

354 views • 21 slides
Buffer Trees Lars Arge. The Buffer Tree: A New Technique for Optimal I/O Algorithms . In

Buffer Trees Lars Arge. The Buffer Tree: A New Technique for Optimal I/O Algorithms . In

Buffer Trees Lars Arge. The Buffer Tree: A New Technique for Optimal I/O Algorithms . In Proceedings of Fourth Workshop on Algorithms and Data Structures (WADS), Lecture Notes in Computer Science Vol. 955, Springer-Verlag, 1995, 334-345. 1

518 views • 27 slides
AKC Education Webinar Series: Social Media Resources Buffer: What Is It? Buffer is a software

AKC Education Webinar Series: Social Media Resources Buffer: What Is It? Buffer is a software

AKC Education Webinar Series: Social Media Resources Buffer: What Is It? Buffer is a software application for the web and mobile, designed to manage accounts in social networks, by providing the means for a user to schedule posts to Twitter,

506 views • 35 slides
More Vulnerabilities (buffer overreads, format string, integer overflow, heap overflows) Chester

More Vulnerabilities (buffer overreads, format string, integer overflow, heap overflows) Chester

More Vulnerabilities (buffer overreads, format string, integer overflow, heap overflows) Chester Rebeiro Indian Institute of Technology Madras Buffer Overreads 2 Buffer Overread Example 3 Buffer Overread Example len read from command line

906 views • 76 slides
k + -buffer: Fragment Synchronized k-buffer I3D 2014 Andreas A. Vasilakis &amp; Ioannis Fudos {

k + -buffer: Fragment Synchronized k-buffer I3D 2014 Andreas A. Vasilakis &amp; Ioannis Fudos {

k + -buffer: Fragment Synchronized k-buffer I3D 2014 Andreas A. Vasilakis &amp; Ioannis Fudos { abasilak,fudos } @cs.uoi.gr Department of Computer Science &amp; Engineering, University of Ioannina, Greece 16 March 2014 Introduction

782 views • 44 slides
Database Systems IIB: DBMS-Implementation Chapter 5: The Buffer Cache Prof. Dr. Stefan Brass

Database Systems IIB: DBMS-Implementation Chapter 5: The Buffer Cache Prof. Dr. Stefan Brass

Storage Hierarchy, Buffer Manager Disk/Buffer Performance in Oracle Database Systems IIB: DBMS-Implementation Chapter 5: The Buffer Cache Prof. Dr. Stefan Brass Martin-Luther-Universit at Halle-Wittenberg Wintersemester 2019/20

623 views • 50 slides
Delta Pointers: Buffer Overflow Checks Without the Checks Tadde us Kroes &amp; Koen Koning

Delta Pointers: Buffer Overflow Checks Without the Checks Tadde us Kroes &amp; Koen Koning

Delta Pointers: Buffer Overflow Checks Without the Checks Tadde us Kroes &amp; Koen Koning Erik van der Kouwe Herbert Bos Cristiano Giuffrida June 19, 2018 Preview buffer[10] secret 2 Preview buffer[10] secret buffer[5] 2 Preview

934 views • 74 slides
Weaponizing Wireless Networks: An Attack Tool for Launching Attacks against Sensor Networks

Weaponizing Wireless Networks: An Attack Tool for Launching Attacks against Sensor Networks

Weaponizing Wireless Networks: An Attack Tool for Launching Attacks against Sensor Networks Thanassis Giannetsos and Tassos Dimitriou Athens Information Technology Algorithms &amp; Security (agia@ait.edu.gr) Black Hat Spain, 2010 Barcelona

700 views • 46 slides
A Blue print fo r Chang e make rs c ha ng e la b so lutio ns.o rg / b lue print Our la unc h we b

A Blue print fo r Chang e make rs c ha ng e la b so lutio ns.o rg / b lue print Our la unc h we b

A Blue print fo r Chang e make rs c ha ng e la b so lutio ns.o rg / b lue print Our la unc h we b ina r will sta rt a t 11:00a m PT / 2:00 pm E T . T he a udio will stre a m thro ug h yo ur c o mpute r spe a ke rs yo u sho uld b e he a

710 views • 24 slides
Launching Your VISTA Service Audio by phone: 866-609-4997 Connecting to Audio Dial: 866-609-4997

Launching Your VISTA Service Audio by phone: 866-609-4997 Connecting to Audio Dial: 866-609-4997

You will need an Well begin soon. While youre Oath of Service form for this waiting, please share your answer webinar. Download and print the in the chat panel on the right: form from the Handouts panel, Why did you join VISTA? but

720 views • 22 slides
Designing and launching the next-generation database system: from whiteboard to production Guido

Designing and launching the next-generation database system: from whiteboard to production Guido

April 25, 2018 Designing and launching the next-generation database system: from whiteboard to production Guido Iaquinti $whoami Guido Iaquinti Operations Engineer in Dublin Member of the storage team No previous DBA experience

3.28k views • 99 slides
Kotlin Puzzlers, vol 2 KotlinConf 2018, Amsterdam #kotlinpuzzlers @antonkeks Tallinn, Estonia

Kotlin Puzzlers, vol 2 KotlinConf 2018, Amsterdam #kotlinpuzzlers @antonkeks Tallinn, Estonia

Kotlin Puzzlers, vol 2 KotlinConf 2018, Amsterdam #kotlinpuzzlers @antonkeks Tallinn, Estonia (Estland) Kotlin island How can we save Java? Why not use Kotlin :-) Kotlin? A new type-safe JVM language Very good Java interop Now also

371 views • 12 slides
Launching Enterprise Risk Management in Your Agency A Senior Leadership Workshop Aug. 24-25,

Launching Enterprise Risk Management in Your Agency A Senior Leadership Workshop Aug. 24-25,

Launching Enterprise Risk Management in Your Agency A Senior Leadership Workshop Aug. 24-25, 2015 NCHRP 20-24 (105) StarIsis Welcome and Introduction Tim Henkel Launching Enterprise Risk Management in Your Agency NCHRP 20-24 (105) Host,

595 views • 15 slides
Launching e-FRRR Step 1 in achieving STP Andrew Sheng Chairman Securities and Futures

Launching e-FRRR Step 1 in achieving STP Andrew Sheng Chairman Securities and Futures

Launching e-FRRR Step 1 in achieving STP Andrew Sheng Chairman Securities and Futures Commission Agenda Launch e-FRRR Linking SDNet to form FinNet Recognising contribution of pilot registrants e-FRRR Straight through

335 views • 18 slides
Catching Up Step 2: Activities and Supplies Pre-Course work provides The Dog Gurus

Catching Up Step 2: Activities and Supplies Pre-Course work provides The Dog Gurus

9/29/16 Goal of Daycare 2.0 Master Mind To help you plan and implement the best possible Daycare 2.0 Program at your facility Launching Your Program Progress Not Perfec@on 2 www.safeoffleashdogplay.com Catching Up Step 2: Activities and

278 views • 3 slides

More recommend