A non-exhaustive list of buzzwords, each with a TMEDR (Too Much Effort, Didn't Research style "definition"), which you may or may not find on this blog.
- System V AMD64 ABI - Calling convention specifying how registers are used for function calls. The first six integer or pointer arguments are passed in registers RDI, RSI, RDX, RCX, R8, and R9, while XMM0, XMM1, XMM2, XMM3, XMM4, XMM5, XMM6 and XMM7 are used for floating-point arguments. For system calls, R10 is used instead of RCX. Additional arguments are passed on the stack and the return value is stored in RAX. Registers RBP, RBX, and R12-R15 are callee-saved registers. All others must be saved by the caller if they wish to preserve their values.
- Exploit - A program or system designed to take advantage of a particular error or security vulnerability in computers or networks.
- ROP - Return Oriented Programming is the concept of reusing existing code snippets and chain them together to for a full exploit chain. This is possible due to an attacker having full stack control and each code snippet having to end with a return statement.
- SROP - Another technique to exploit stack-based overflows by abusing a frame (the signal handler) on the stack that the kernel creates upon receiving a signal.
- JROP - This technique eliminates the reliance on the stack and
ret
instructions. Instead of having numerous ROP gadget addresses on the stack and using aret
at the end of each gadget to jump to the next, JOP uses a jump table on the heap (identical to a ROP chain but with JOP gadgets instead) and a dispatcher. Each JOP gadget is a chunk of library code in the form "do x; jump [reg]". - Exploit mitigation - A hardening mechanism introduced in either hardware, user-, or kernel-land to make exploitation as difficult as possible.
- DEP - Data eXecution Prevention (or sometimes also NX, XN) is an exploit mitigation that marks the stack non-executable. This denies jumping to shellcode on the stack and executing it directly from there.
- (Kernel)-Stack cookies/canaries - Another exploit mitigation that typically has the form of a randomly generated (on each startup) value that is placed in a function call frame. A stack-based buffer overflow wanting to overwrite e.g. the return address would also end up overwriting this value, which is verified at the end of a function before returning to the caller again. When a mismatch is encountered (expected != actual) execution is aborted. Exploitation typically requires an information leak of any kind.
- (K)ASLR - Short for (Kernel) Address Space Layout Randomization that introduces another random element to make exploitation more difficult. Libraries and application-specific segments (like the stack, or heap) are loaded into different, random addresses upon each execution. This denies an attacker easy access to target addresses, functions, ROP gadgets and more. Exploitation typically requires an information leak of any kind.
- CFG - Short for Control Flow Graph, is a visualized graph structure of how execution flow within an application looks like. Such a graph can be based on different granularities (functions vs. basic blocks).
- CFI - Short for Control Flow Integrity, is yet another exploit mitigation that aims at verifying that no derivation from the original control flow in any situation can ever occur, e.g. due to an attacker abusing a type confusion bug, a memory corruption or hijacking the control flow by using ROP.
- SMEP - Supervisor Mode Execution Prevention, a kernel feature that marks all userland memory pages in the page table as non-executable (compare DEP), when a process's execution is in kernel-mode. This effectively eliminates the option to jump back to an attacker written and controlled user-land function (e.g. within the actual exploit). We require kernel ROP for effective exploitation. Common bypasses include pure in-kernel ROP chains, a stack pivot + user-land ROP, or abusing
mmap
'ed pages. - SMAP - Supervisor Mode Access Prevention, a complimentary feature to SMEP that also marks the same pages as non-accessible when execution happens in kernel-mode. As a result, user land page tables are not readable or writable anymore. SMAP forces us to have a strong exploit primitive (ret2dir, abuse
task_struct
) - KPTI - Kernel Page-Table Isolation, this takes SMEP/SMAP a step further by completely separating user land and kernel land page tables. So, instead of using just one set of page tables, which contain both user-land and kernel-land pages, two sets are now maintained. One full set similar to before containing both user land and kernel land pages that is used when running in kernel land. The other set is a minimal one for when a process operates in userland. These contain a copy of the user land pages and a minimal needed set of kernel land ones. Bypassing KTPI can be done with the KTPI trampoline, or abusing modprobe.
- SELinux - "SELinux defines access controls for the applications, processes, and files on a system. It uses security policies, which are a set of rules that tell SELinux what can or can’t be accessed, to enforce the access allowed by a policy." SELinux operates in either of two modes permissive (SELinux prints warnings instead of enforcing), or enforcing (SELinux security policy is enforced). On Android, this is set to "enforcing" by default. However,
selinux_enforcing
is a global variable, which we may be able to overwrite with NULL to disable SELinux. - SecComp - Secure Computing is a feature that allows filtering syscalls. The only system calls that a calling thread is permitted to make are read, write, _exit (but not exit_group), and sigreturn when being subject to seccomp.
- Fuzzing - The act of generating "random" data (whether the dumb or smart way) and throwing it against an application to see if anything sticks and crashes said application.
- Code coverage - A quality measure that has been used in fuzzing for a while that is supposed to highlight the effectiveness of a fuzzing campaign. In layman terms, the more code one reached in a targeted application with the generated random inputs, the better as the less code remains untested the higher the confidence in not having missed any bugs.
- RCA - Root Cause Analysis is the act of backtracking a crash to its origins, so one can properly reason about why this particular input caused a misbehavior. When having equipped your offensive goggles, this also aims at finding clues about whether a crash is exploitable or not.
- TEE - Trusted Execution Environment, is a form of isolation/sandboxing that aims at securing/separating critical operations within a system from non-critical ones.
- SLAB/SLOB/SLUB - Different allocators in the Linux Kernel. SLUB is the de-facto default on modern systems nowadays. SLOB has been the original implementation, which SLAB built on later one, which implementation in turn was simplified/streamlined in SLUB. In terms of a hierarchy this yields SLAB < SLOB < SLUB.