similar to: [LLVMdev] Adding diversity for security (and testing)

Stephen Crane wrote: > Thanks for all the feedback! It seems there is some interest, so I thought I'd try to summarize discussions so far, and provide patches for closer inspection. I'm not sure if patches should end up here or on a different list in this instance, so if I should instead send this to a different list, I'm happy to do so. > > - Is diversity needed, or are

Nick, Thanks so much for such a detailed review. I definitely missed a few of the details of the LLVM standards. Sorry. Here's a new patch that should resolve the issues you pointed out. I've also included a few comments below -- anything I haven't replied to has been fixed. In particular, I'd like to discuss RNG seeding with the list. I currently use a static singleton to make

I searched source code of LLVM/Clang 4.0.0 for 'random_seed' with grep. It seems the -frandom-seed option is not supported. The -rng-seed option appears to be defined in ./lib/Support/RandomNumberGenerator.cpp, which is source code for class RandomNumberGenerator. The constructor of class RandomNumberGenerator is private and is only called by Module::createRNG (defined in

On 08/28/2013 12:01 PM, Stephen Checkoway wrote: > 2. Local attacker who cannot read the contents of the binary. (This is a pretty strange one, but it's possible.) The attacker is forced to rely on side channel information such as timing channels in an attempt to discover the length of the inserted NOP sleds. This sounds like an extraordinarily difficult task, but possibly doable. With a

On Aug 28, 2013, at 1:50 PM, Paul Robinson <pogo.work at gmail.com> wrote: > On Mon, Aug 26, 2013 at 9:14 PM, Todd Jackson <quantum.skyline at gmail.com>wrote: > >> Personally, I think it is necessary to go for the strongest random number >> generator possible. Cryptographically secure pseudorandom number >> generators have good properties that make them

Hi Stephen, > Greetings LLVM Devs! > > I am a PhD student in the Secure Systems and Software Lab at UC > Irvine. We have been working on adding randomness into code generation > to create a diverse population of binaries. This diversity prevents > code-reuse attacks such as return-oriented-programming (ROP) by > denying the attacker information about the exact code layout.

On 08/28/2013 02:37 PM, Nick Lewycky wrote: > 1. I'm concerned about the deployment problem. I realize that being in > the compiler means you can transform the program in more exciting > ways, but it gives you a much worse deployment story than something > which modifies the program on disk like "prelink". Yes, definitely. Deployment is an issue which users will need

Greetings LLVM Devs! I am a PhD student in the Secure Systems and Software Lab at UC Irvine. We have been working on adding randomness into code generation to create a diverse population of binaries. This diversity prevents code-reuse attacks such as return-oriented-programming (ROP) by denying the attacker information about the exact code layout. ROP has been used is several high-profile recent

On Mon, Aug 26, 2013 at 9:14 PM, Todd Jackson <quantum.skyline at gmail.com>wrote: > > > We would also include a secure random number generator which links >> > against OpenSSL. This would of course be an optional module disabled >> > by default, but is necessary so the randomization is cryptographically >> > secure and useful in security applications.

> > We would also include a secure random number generator which links > > against OpenSSL. This would of course be an optional module disabled > > by default, but is necessary so the randomization is cryptographically > > secure and useful in security applications. > > I am not sure why you need this feature. You can provide LLVM with a > SEED value that can be

On 26 August 2013 11:39, Stephen Crane <sjcrane at uci.edu> wrote: > Greetings LLVM Devs! > > I am a PhD student in the Secure Systems and Software Lab at UC > Irvine. We have been working on adding randomness into code generation > to create a diverse population of binaries. This diversity prevents > code-reuse attacks such as return-oriented-programming (ROP) by >

Hi, I have a small simple data frame (attached) - to compare diversity of insects encountered in disturbed and unditurbed site. What i have is the count of insects - the total number of times they were encountered over 30 monitoring slots. Can someone please check for me to make sure how the 'community data matrix' for the diversity function needs to be oriented so that i'm

Hi   I want to make a grid map using diversity indices. I have a soil grid map with 7 class in r. how can I make a diversity map based on soil map in r?  I found something for calculation diversity in a table (.csv).   Thanks [[alternative HTML version deleted]]

On 29 August 2013 15:29, Stephen Crane <sjcrane at uci.edu> wrote: > On 08/28/2013 02:37 PM, Nick Lewycky wrote: > >> 1. I'm concerned about the deployment problem. I realize that being in >> the compiler means you can transform the program in more exciting ways, but >> it gives you a much worse deployment story than something which modifies >> the program

Hi All, It's my pleasure to announce the Diversity and Inclusion in Compilers and Tools workshop that will be held on the afternoon of April 5th, at the same venue as the EuroLLVM'20. This event features speakers and discussion aiming to increase diversity and inclusion within the LLVM community, attendee's workplace or university, and within the field of compilers and tools. It is

Dear R-help members. Maybe this is not the right platform to ask this, but I'm looking desperately for a test which is calculating confidence intervals from diversity measurements (non-normaly distributed) (fishers alpha diversity). I was checking the package "vegan" but there seems to be nothing useful. Does anyone of you know with what package I easily could calculate such a

On Aug 26, 2013, at 11:39 AM, Stephen Crane <sjcrane at uci.edu> wrote: > I am a PhD student in the Secure Systems and Software Lab at UC > Irvine. We have been working on adding randomness into code generation > to create a diverse population of binaries. This diversity prevents > code-reuse attacks such as return-oriented-programming (ROP) by > denying the attacker

Hi, there, I am working on a project on software control flow checking, which instruments a program to check if the control flow at runtime matches the control flow graph computed at compile-time. My instrumentation process has to make use of control flow information, including as control flow graph and dominator/post-dominator trees, so it is better part of the compiler. On the other

On Aug 26, 2013, at 2:39 PM, Stephen Crane <sjcrane at uci.edu> wrote: > We have been working on adding randomness into code generation > to create a diverse population of binaries. This diversity prevents > code-reuse attacks such as return-oriented-programming (ROP) by > denying the attacker information about the exact code layout. Putting on my security hat (as opposed to

I read a lot of white papers, but is there not any open source implementation of SFI or artificial diversity? I google around, but I can't find anywhere anything regarding what I could openly download. In the same respect, I would also like to make an innovation proposal to create such an endeavor if there is not one already. -------------- next part -------------- An HTML attachment was