Skip to content

Security

LLVM CFI and Cross-Language LLVM CFI Support for Rust

We’re pleased to share that we’ve worked with the Rust community to add support for LLVM CFI and cross-language LLVM CFI (and LLVM KCFI and cross-language LLVM KCFI) to the Rust compiler as part of our work in the Rust Exploit Mitigations Project Group. This is the first implementation of cross-language, fine-grained, forward-edge control flow protection for mixed-language binaries that we know of.

Exploit Mitigations for Rust

Info

The contents of this post are now part of the official Rust documentation as part of the The rustc book.

This post documents the exploit mitigations supported by the Rust compiler, and is by no means an extensive survey of the Rust programming language’s security features.

This post is for software engineers working with the Rust programming language, and assumes prior knowledge of the Rust programming language and its toolchain.

CWE Compatibility for Red Hat

Info

This post was also published at https://access.redhat.com/blogs/766093/posts/1975773.

Red Hat is pleased to announce it has attained Common Weakness Enumeration (CWE) compatibility.

The CWE Compatibility and Effectiveness Program is a formal review and evaluation process for declaring products and services as “CWE-Compatible” and “CWE-Effective”. For the last few months, Red Hat was engaged in the CWE Compatibility and Effectiveness Program and worked towards fulfilling its requirements. These requirements included providing a common language for discussing, identifying, and dealing with the causes of vulnerabilities in our products.

CWE Risk Assessment Report for Red Hat

Info

This post was also published at https://access.redhat.com/blogs/766093/posts/1975723.

Common Weakness Enumeration (CWE) is a dictionary or formal list of common software weaknesses. It is a common language or taxonomy for describing vulnerabilities and weaknesses; a standard measurement for software assurance tools and services’ capabilities; and a base for software vulnerability and weakness identification, mitigation, and prevention.

CWE Coverage for Red Hat Customer Portal

Info

The contents of this post are now part of the Red Hat Customer Portal as a Knowledgebase article.

Info

This post was also published at https://access.redhat.com/blogs/766093/posts/1975963.

CWE has different views for different audiences and purposes. In the early stages of development, CWE only had one hierarchical representation, which originated the current Development Concepts View (or Development View). CWE is currently organized in two main views: Development Concepts (CWE-699), and Research Concepts (CWE-1000).

CWE Compatibility for Red Hat Customer Portal

Info

The contents of this post are now part of the Red Hat Customer Portal as a Knowledgebase article.

Info

This post was also published at https://access.redhat.com/blogs/766093/posts/1975953.

We are currently engaged in the CWE Compatibility and Effectiveness Program, and working towards fulfilling its requirements for using CWE in our CWE risk assessment process for working towards identifying and eliminating the most dangerous software errors and weaknesses in our products. The CWE Compatibility and Effectiveness Program is a formal review and evaluation process for declaring products and services as “CWE-Compatible” and “CWE-Effective”.

CWE Risk Assessment for Red Hat

Info

This post was also published at https://access.redhat.com/blogs/766093/posts/1975943.

CWE risk assessment is a process for identifying and eliminating some of the most dangerous and potentially exploitable weaknesses in your existing products and projects.

Some well-known secure software development methodologies have their security practices grouped into phases, from training to response. However, you may have your main product already within the response phase, where its development may not have been done practicing a secure software development methodology. This is often the case for open source software vendors, where training upstream developers for development of its own software is not always viable. This is where the CWE risk assessment can help.

Exploiting Linux sock_sendpage() NULL Pointer Dereference on Power

Sep 10, 2009

We released a third and final version of the exploit. The third version has complete support for i386, x86_64, ppc, and ppc64; uses the personality trick published by Tavis Ormandy and Julien Tinnes; uses the TOC pointer workaround for data items addressing on ppc64 (i.e., functions in exploit code and libc can be referenced); and for SELinux-enforced systems, has improved search for domains configured to allow mmap_zero it can transition to.

Sep 7, 2009

We released a second version of the exploit. The second version also works with Linux kernel versions that have copy-on-write (COW) credentials (e.g., Fedora 11), and for SELinux-enforced systems, it automatically searches the SELinux policy rules for domains configured to allow mmap_zero it can transition to, and tries to exploit the vulnerability using these domains.

We wrote an exploit for the Linux kernel sock_sendpage NULL pointer dereference vulnerability, discovered by Tavis Ormandy and Julien Tinnes, to demonstrate the exploitability of this vulnerability on Linux running on Power/Cell BE architecture -based processors.