Libra: A Compatible Method for Defending Against Arbitrary Memory Overwrite
Outline
• Chapter 1 Introduction
– Statistics of Vulnerabilities and Exploits
– Attack Principle
• Chapter 2 Mechanism of Attack and Example
– At the Second Step …
– Kernel Data Structures to Overwrite
• Chapter 3 Proposed Solution
– Background Knowledge
– Compatible Solution
– Characteristics
• Chapter 4 Implementation
• Chapter 5 Evaluation
– Compatible Comparison
– Performance
– Stability Testing
– False Positives & False Negatives
• Appendix
– A Case Study: CVE-2013-2094
Statistics of Linux Kernel Vulnerabilities
(chart; from: www.cvedetails.com)
Statistics of Vulnerabilities in 2013
(chart; from: www.cvedetails.com)
Statistics of Exploits
(chart)
Attack Principle
• A typical exploit that turns an arbitrary memory overwrite into privilege escalation proceeds as follows:
1. Trigger the vulnerability that allows arbitrary memory overwrite.
(figure: a normal kernel function reached through a function pointer whose value is addr1)
2. Overwrite some kernel function pointer so that it points to the payload address (addr2) in user space.
(figure: the function pointer now holds addr2 instead of addr1)
3. Because the overwritten kernel function pointer is readily invoked while serving user requests, an unprivileged attacker obtains root access as soon as the modified function is called. The usual payload is:
commit_creds(prepare_kernel_cred(NULL));
(figure: the function pointer at addr2 now leads to the payload instead of the normal function)
See Appendix A: A Case Study: CVE-2013-2094, and CVE-2013-2094 on x86-32.
Kernel Data Structures That Can Be Overwritten
• IDT table
• ptmx_fops
• …
Proposed Solution: Background Knowledge
The interrupt handler address in an IDT table entry is split across three fields: low_offset, middle_offset, and high_offset.
ptmx_fops?
A pty (pseudo-teletype) is a pair of virtual character devices that provide a bidirectional communication channel. A pty consists of ptmx and pts.
For example (output of w):
USER    TTY    FROM              LOGIN@  IDLE    JCPU   PCPU   WHAT
xue     pts/0  61.66.243.96      Mon16   17:24m  0.21s  0.04s  ssh bbs@ptt.cc
jeremy  pts/1  36-231-101-220.d  10:27   0.00s   0.19s  0.01s  w
Linux Device Driver Architecture
(figure)
ptmx_fops?
• static struct file_operations ptmx_fops;
• file_operations
– defined in <include/linux/fs.h>
– contains a set of function pointers, for example:
int (*fsync) (struct file *, loff_t, loff_t, int datasync);
– used by the kernel to reach a device driver's functions
Ways to Find the Addresses of the Related Kernel Data Structures
• Use the assembly instruction sidt (for the IDT)
• Search
– System.map
– /proc/kallsyms
Example
• grep ptmx_fops /boot/System.map-$(uname -r)
• grep ptmx_fops /proc/kallsyms
• /* 56 is the offset of fsync in struct file_operations on x86-32 */
int target = pmtx_ops + 56;   // target is a kernel pointer
Hiding the Kernel Function Addresses
• # chmod o-r /boot/System.map-3.0.42-0.7-default
• # sysctl -w kernel.kptr_restrict=1
Kees Cook's patch (Linux official patch)
__set_fixmap(FIX_RO_IDT, __pa_symbol(idt_table), PAGE_KERNEL_RO);
idt_descr.address = fix_to_virt(FIX_RO_IDT);
Proposed Solution
(figure) An important value x with the constraint 1 ≤ x ≤ 5 is kept on a read-only page. Writing x = 1 is acceptable; writing x = 6 must fail. The page fault handler intercepts the write and performs the acceptable modification (x = 1) on the writer's behalf.
Page fault error code bits
• The CPU pushes an error code on the stack before raising a page fault exception.
• The error code must be analyzed by the exception handler to determine how to handle the exception.
(from http://wiki.osdev.org/Paging)
Meaning of "error code = 3":
– bit 0: 0 = no page found, 1 = protection fault
– bit 1: 0 = read access, 1 = write access
– bit 2: 0 = kernel-mode access, 1 = user-mode access
So error code 3 (bits 0 and 1 set, bit 2 clear) means a protection fault on a write access from kernel mode.
Flowchart of the Linux page fault handler
(figure; decision points shown: access to kernel space? access in kernel mode? noncontiguous memory area address? address is a wrong system call parameter? A box labelled "Compatible solution" marks where Libra is inserted on this path.)
Flowchart of Libra for the IDT table
1. Invalid address = read_cr2()
2. The page fault handler executes no_context()
3. Does the invalid address fall into the IDT table address range?
4. Is the error_code equal to 3?
5. Is the new value in kernel space?
If any of these checks fails, no_context() continues to execute.
6. Close the read-only attribute of the IDT table
7. Modify the value
8. Open the read-only attribute of the IDT table
9. Update the program counter
10. The page fault handler returns to the program that needs to change the IDT table
Flowchart of Libra for ptmx_fops
1. kallsyms_lookup_name("ptmx_fops") gives the address of the structure
2. Invalid address = read_cr2()
3. Is the invalid address inside the ptmx_fops structure?
4. Is error_code == 3, and is the modified value > 0xffffffff80000000?
If either check fails, no_context() continues to execute.
5. Close the read-only attribute of ptmx_fops
6. Modify the value
7. Open the read-only attribute of ptmx_fops
8. Update the program counter
9. The page fault handler returns to the program that needs to change ptmx_fops
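To make the error-code slide and the two flowcharts concrete, here is an added example in C, written for this page and not code from Libra or the slides. It decodes the x86 page fault error code bits, applies the checks the flowcharts list (faulting address inside the protected table, error code exactly 3, new value above 0xffffffff80000000), and on success performs the write on a constructed stand-in for the table before advancing the program counter. The slot array, the fixed store-instruction length and the simulated read-only flag are assumptions of the simulation; the sample addresses (ptmx_fops at ffffffffff577000, cr2 = ffffffffff577060, value ffffffff8100beef) are taken from the kernel log on the later evaluation slide.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* x86 page fault error code bits (osdev.org "Paging", as cited on the slide). */
#define PF_PROT  (1UL << 0)   /* 0: page not present, 1: protection violation */
#define PF_WRITE (1UL << 1)   /* 0: read access,      1: write access         */
#define PF_USER  (1UL << 2)   /* 0: kernel mode,      1: user mode            */

/* Start of the x86-64 kernel text mapping: the flowchart's threshold
 * ("modified value > 0xffffffff80000000"). */
#define KERNEL_SPACE_MIN 0xffffffff80000000UL

/* Render the three low bits in words, e.g. 3 -> "protection fault, write access, kernel mode". */
static void describe_error_code(unsigned long ec, char *buf, size_t n)
{
    snprintf(buf, n, "%s, %s access, %s mode",
             (ec & PF_PROT)  ? "protection fault" : "page not present",
             (ec & PF_WRITE) ? "write" : "read",
             (ec & PF_USER)  ? "user" : "kernel");
}

/* Constructed stand-in for a protected kernel table such as ptmx_fops:
 * a nominal kernel address plus a backing array for its pointer slots. */
#define TABLE_SLOTS 16
struct protected_table {
    const char   *name;
    unsigned long base;                 /* e.g. kallsyms_lookup_name("ptmx_fops") */
    unsigned long slots[TABLE_SLOTS];   /* simulated contents (8-byte function pointers) */
    bool          read_only;            /* simulated page attribute */
};

enum libra_verdict {
    LIBRA_NOT_OURS,  /* fault outside the table: no_context() carries on as usual */
    LIBRA_DENY,      /* inside the table but not an acceptable write: no_context() carries on */
    LIBRA_ALLOW      /* acceptable: the handler performs the write and resumes the faulting code */
};

/* The flowchart's decision: address range, error code == 3, value in kernel space. */
static enum libra_verdict libra_decide(const struct protected_table *t,
                                       unsigned long fault_addr,   /* read_cr2() */
                                       unsigned long error_code,
                                       unsigned long new_value)
{
    if (fault_addr < t->base || fault_addr >= t->base + sizeof t->slots)
        return LIBRA_NOT_OURS;
    if (error_code != (PF_PROT | PF_WRITE))     /* "error_code equal to 3" */
        return LIBRA_DENY;
    if (new_value <= KERNEL_SPACE_MIN)          /* pointer into user space: the attack pattern */
        return LIBRA_DENY;
    return LIBRA_ALLOW;
}

/* Simulated CPU state: just a program counter for the faulting store. */
struct cpu_state {
    unsigned long pc;
    unsigned long store_insn_len;   /* assumed fixed length of the faulting instruction */
};

/* The handler body from the flowchart. Returns true when the write was performed. */
static bool libra_handle_fault(struct protected_table *t, struct cpu_state *cpu,
                               unsigned long fault_addr, unsigned long error_code,
                               unsigned long new_value)
{
    if (libra_decide(t, fault_addr, error_code, new_value) != LIBRA_ALLOW)
        return false;
    size_t slot = (fault_addr - t->base) / sizeof(unsigned long);
    t->read_only = false;            /* close the read-only attribute */
    t->slots[slot] = new_value;      /* modify the value on the writer's behalf */
    t->read_only = true;             /* open the read-only attribute again */
    cpu->pc += cpu->store_insn_len;  /* update the program counter past the store */
    return true;
}

int main(void)
{
    /* Constructed sample matching the evaluation log: ptmx_fops at ffffffffff577000,
     * cr2 = ffffffffff577060 (slot 12, the flush slot), error_code = 3. */
    struct protected_table ptmx = { "ptmx_fops", 0xffffffffff577000UL, {0}, true };
    struct cpu_state cpu = { 0xffffffff81000000UL, 7 };
    char buf[64];
    describe_error_code(3, buf, sizeof buf);
    printf("error_code 3: %s\n", buf);
    bool ok = libra_handle_fault(&ptmx, &cpu, 0xffffffffff577060UL, 3, 0xffffffff8100beefUL);
    printf("kernel-space value: %s, slot 12 = %lx\n", ok ? "written" : "refused", ptmx.slots[12]);
    ok = libra_handle_fault(&ptmx, &cpu, 0xffffffffff577060UL, 3, 0x0000000000601000UL);
    printf("user-space value: %s, slot 12 = %lx\n", ok ? "written" : "refused", ptmx.slots[12]);
    return 0;
}
```

The second call shows the case the slides are built around: a function pointer rewritten to point into user space is refused, so the faulting write never reaches the table and no_context() proceeds as it would for any other kernel-mode protection fault.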
Characteristics of Libra
– It is a software solution that does not require any extra hardware cost.
– It is a compromise between read-only solutions and writable solutions, chosen to improve compatibility.
– It is a response-oriented security solution, so no CPU resources are spent on monitoring.
Implementation
• On Ubuntu 13.04 (kernel version: 3.10.15)
• On the x86-64 architecture
• Intel(R) Pentium(R) D CPU 3.00GHz, 1GB RAM
• [patch] x86: Use a read-only IDT alias on all CPUs, by Kees Cook
Evaluation: Compatible Comparison
• A system call was added for the compatibility comparison; it rewrites the three offset fields of IDT entry i:
idt_table2 = (gate_desc *) idtr.address;
idt_table2[i].offset_low = 0xbeef;
idt_table2[i].offset_middle = 0xdead;
idt_table2[i].offset_high = 0x12345678;
• Original zeroth entry of the IDT table:
*0xffffffffff57a000 (low_offset) = 4df0
*0xffffffffff57a004 (middle_offset) = 816a
*0xffffffffff57a008 (high_offset) = ffffffff
Evaluation: Compatible Comparison
• Kees Cook's solution gives the following result (kernel log):
[131360.581351] pte_write(8000000001e22161):0
[131360.581355] *0xffffffffff57a008 (offset_high)= ffffffff
[131360.581358] *0xffffffffff57a000 (offset_low)=4df0
[131360.581360] *0xffffffffff57a004 (offset_middle)=816a
• All three fields keep their original values: none of the writes went through.
Evaluation: Compatible Comparison
• The Libra solution gives the following result (kernel log):
[11679.083463] pte_write(8000000001e22161):0
[11679.083466] *0xffffffffff57a008 (offset_high)= ffffffff
[11679.083469] *0xffffffffff57a000 (offset_low)=beef
[11679.083472] *0xffffffffff57a004 (offset_middle)=dead
• offset_low and offset_middle took the new values; offset_high kept its original value.
Evaluation: Compatible Comparison
Field           Kees Cook's solution   Libra solution
offset_low      Read-only              Writable
offset_middle   Read-only              Writable
offset_high     Read-only              Read-only
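As an added example (not code from the slides or from Libra), the following C snippet models the x86-64 gate descriptor layout described on the background slide, reassembles the handler address from offset_low, offset_middle and offset_high, and evaluates a proposed write to one field by checking whether the resulting handler address would still lie in kernel space. The sample entry and the three writes are the values from the comparison slides (low 4df0, middle 816a, high ffffffff; writes beef, dead, 12345678). Treating the comparison as "does the reassembled handler address stay above 0xffffffff80000000" is an assumption made here to relate the table above to the flowchart's "new value in kernel space" check; the slides do not spell out Libra's exact test, and the segment selector and gate type in the sample are assumed values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* x86-64 interrupt/trap gate descriptor (16 bytes), same field order as the
 * kernel's gate_desc in arch/x86/include/asm/desc_defs.h. */
struct gate_desc {
    uint16_t offset_low;      /* handler address bits  0..15 */
    uint16_t segment;         /* code segment selector       */
    uint16_t ist   : 3;       /* interrupt stack table index */
    uint16_t zero0 : 5;
    uint16_t type  : 5;       /* gate type                   */
    uint16_t dpl   : 2;       /* descriptor privilege level  */
    uint16_t p     : 1;       /* present                     */
    uint16_t offset_middle;   /* handler address bits 16..31 */
    uint32_t offset_high;     /* handler address bits 32..63 */
    uint32_t zero1;
};

/* Lowest address of the kernel text mapping (the slides' kernel-space threshold). */
#define KERNEL_SPACE_MIN 0xffffffff80000000ULL

/* Reassemble the 64-bit handler address from the three split fields. */
static uint64_t gate_offset(const struct gate_desc *g)
{
    return ((uint64_t)g->offset_high << 32) |
           ((uint64_t)g->offset_middle << 16) |
           (uint64_t)g->offset_low;
}

/* Split a handler address across the three fields (the inverse of gate_offset). */
static void gate_set_offset(struct gate_desc *g, uint64_t handler)
{
    g->offset_low    = (uint16_t)(handler & 0xffff);
    g->offset_middle = (uint16_t)((handler >> 16) & 0xffff);
    g->offset_high   = (uint32_t)(handler >> 32);
}

static bool handler_in_kernel_space(const struct gate_desc *g)
{
    return gate_offset(g) > KERNEL_SPACE_MIN;
}

enum gate_field { GATE_OFFSET_LOW, GATE_OFFSET_MIDDLE, GATE_OFFSET_HIGH };

/* Would writing `value` into field `f` leave the entry pointing into kernel space?
 * Assumption for this example: the test is made on the reassembled handler address. */
static bool write_keeps_kernel_handler(const struct gate_desc *g, enum gate_field f, uint32_t value)
{
    struct gate_desc tmp = *g;
    switch (f) {
    case GATE_OFFSET_LOW:    tmp.offset_low    = (uint16_t)value; break;
    case GATE_OFFSET_MIDDLE: tmp.offset_middle = (uint16_t)value; break;
    case GATE_OFFSET_HIGH:   tmp.offset_high   = value;           break;
    }
    return handler_in_kernel_space(&tmp);
}

/* Sample entry constructed from the comparison slides: low 4df0, middle 816a, high ffffffff. */
static struct gate_desc sample_entry(void)
{
    struct gate_desc g = {0};
    g.offset_low = 0x4df0;
    g.offset_middle = 0x816a;
    g.offset_high = 0xffffffff;
    g.segment = 0x10;   /* __KERNEL_CS on x86-64; assumed for the sample */
    g.type = 0xe;       /* 64-bit interrupt gate; assumed for the sample */
    g.p = 1;
    return g;
}

int main(void)
{
    struct gate_desc g = sample_entry();
    printf("sizeof(gate_desc) = %zu, handler = %#llx\n",
           sizeof g, (unsigned long long)gate_offset(&g));
    printf("offset_low = 0xbeef keeps a kernel handler: %d\n",
           write_keeps_kernel_handler(&g, GATE_OFFSET_LOW, 0xbeef));
    printf("offset_middle = 0xdead keeps a kernel handler: %d\n",
           write_keeps_kernel_handler(&g, GATE_OFFSET_MIDDLE, 0xdead));
    printf("offset_high = 0x12345678 keeps a kernel handler: %d\n",
           write_keeps_kernel_handler(&g, GATE_OFFSET_HIGH, 0x12345678));
    return 0;
}
```

Under that reading the outcome matches the table: rewriting offset_low or offset_middle leaves the handler at 0xffffffff816abeef or 0xffffffffdead4df0, still inside the kernel mapping, while 0x12345678 in offset_high would move it to 0x12345678816a4df0, far outside it.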
Evaluation: Compatible Comparison
• Kernel log of Libra handling a write to the flush slot of ptmx_fops (cr2 = ptmx_fops + 0x60):
[ 146.215132] flush: (null)
[ 146.215132] release value:ffffffff813e5880
[ 146.215132] fsync value: (null)
[ 146.215132] aio_fsync value: (null)
[ 146.215132] fasync value:ffffffff813e4430
[ 146.215132] Jeremy, cr2 = ffffffffff577060
[ 146.215132] Jeremy, page fault handler in kernel space is trigger!!!
[ 146.215132] address 0xffffffffff577060 in CR2
[ 146.215132] error_code = 3
[ 146.215132] page fault run to line 1068
[ 146.215132] page fault run to line 772
[ 146.215132] Jeremy, *kallsyms_lookup_name(ptmx_fops) : ffffffffff577000 in fault.c
[ 146.215132] The modified value at ptmx_fops : ffffffff8100beef
[ 146.215132] address : ffffffffff577060
[ 146.236822] flush:ffffffff8100beef
Evaluation: Performance
• Performance was measured with perf, the tool shipped in the Linux kernel source tree:
perf stat -r 100000 ./test_modify_idt 0
• The performance of Kees Cook's solution: (figure: perf stat output)
• The performance of the compatible solution: (figure: perf stat output)
• (bar chart: seconds per run, ±0.02%, Kees Cook solution vs. compatible solution; y-axis from 0.058 to 0.0615 seconds)
Evaluation: Stability testing
• "The Linux™ Test Project (LTP) is a joint project started by SGI™ and maintained by IBM®, that has a goal to deliver test suites to the open source community that validate the reliability, robustness, and stability of Linux." - http://linux-test-project.github.io/
• Total tests: 1424

                      Original Ubuntu     Libra Ubuntu
Total skipped tests   117                 138
Total failures        59                  80
Kernel version        3.8.0-19-generic    3.10.15
Evaluation: False Positives & False Negatives
• False positives:
– Ran for four months.
– Workloads: Firefox, LibreOffice, OpenSSH, LXR website, MSMBuilder.
• False negatives:
– Linux PERF_EVENTS - Local Root Exploit (Sd, wzt, Vitaly Nikolenko, sorbo)
– FreeBSD 9.0 Intel SYSRET Kernel Privilege Escalation exploit
– Nvidia Linux driver Privilege Escalation
– CVE-2010-3081 & CVE-2010-3301: Linux kernel COMPAT Privilege Escalation
Related Work
• RGBDroid: A Novel Response-based Approach to Android Privilege Escalation Attacks.
• Kees Cook's patch: x86: Use a read-only IDT alias on all CPUs
• 2014-05-31, Vitaly Nikolenko's exploit (hard-coded kernel addresses per target):
 * Supported targets:
 * [0] Ubuntu 12.04.0 - 3.2.0-23-generic
 * [1] Ubuntu 12.04.1 - 3.2.0-29-generic
 * [2] Ubuntu 12.04.2 - 3.5.0-23-generic
uint64_t targets[3][3] = {
    {0xffffffff81ef67e0,   // perf_swevent_enabled
     0xffffffff81091630,   // commit_creds
     0xffffffff810918e0},  // prepare_kernel_cred
    {0xffffffff81ef67a0,
     0xffffffff81091220,
     0xffffffff810914d0},
    {0xffffffff81ef5940,
     0xffffffff8107ee30,
     0xffffffff8107f0c0}
};
• Kernel address space layout randomization, Kees Cook, October 9, 2013, Linux Security Summit
Any Questions?
Thank you~
Appendix A
• A Case Study: CVE-2013-2094
• A Case Study: CVE-2013-2094 on x86-32
Integer issues - Sign conversion issues (CVE-2013-2094)
• int fd = syscall(__NR_perf_event_open, …);
• After perf_swevent_init has executed, an attacker can increase the content of any kernel address by 1.
• After close(fd), sw_perf_event_destroy executes, and an attacker can decrease the content of any user address by 1.
A case study: CVE-2013-2094
• /kernel/events/core.c (vulnerable version):
static int perf_swevent_init(struct perf_event *event)
{
    int event_id = event->attr.config;   /* u64 attr.config narrowed to a signed int */

    /* ... */

    if (event_id >= PERF_COUNT_SW_MAX)   /* PERF_COUNT_SW_MAX == 9 */
        return -ENOENT;

    /* ... */

    atomic_inc(&perf_swevent_enabled[event_id]);
    /* ... */
}
A case study: CVE-2013-2094
• /kernel/events/core.c:
static void sw_perf_event_destroy(struct perf_event *event)
{
    u64 event_id = event->attr.config;   /* here the index keeps its full u64 width */

    /* ... */

    atomic_dec(&perf_swevent_enabled[event_id]);

    /* ... */
}
(figure: Linux x86-64 virtual memory layout. User space 0x0000000000000000 - 0x00007fffffffffff (128 TB); guard hole from 0xffff800000000000; direct mapping of all physical memory (64 TB) from 0xffff880000000000 (__PAGE_OFFSET); kernel text (512 MB) from 0xffffffff80000000 (__START_KERNEL_map); VSYSCALL (8 MB); fixmap area between FIXADDR_START and FIXADDR_TOP, 4 KB (a page size).)
0000000000000000 - 00007fffffffffff (=47 bits) user space, different per mm
hole caused by [48:63] sign extension
ffff800000000000 - ffff80ffffffffff (=40 bits) guard hole
ffff880000000000 - ffffc7ffffffffff (=64 TB) direct mapping of all phys. memory
ffffc80000000000 - ffffc8ffffffffff (=40 bits) hole
ffffc90000000000 - ffffe8ffffffffff (=45 bits) vmalloc/ioremap space
ffffe90000000000 - ffffe9ffffffffff (=40 bits) hole
ffffea0000000000 - ffffeaffffffffff (=40 bits) virtual memory map (1TB)
... unused hole ...
ffffffff80000000 - ffffffffa0000000 (=512 MB) kernel text mapping, from phys 0
ffffffffa0000000 - ffffffffff5fffff (=1525 MB) module mapping space
ffffffffff600000 - ffffffffffdfffff (=8 MB) vsyscalls
ffffffffffe00000 - ffffffffffffffff (=2 MB) unused hole
• From (Documentation/x86/x86_64/mm.txt)
47
Integer issues - Sign conversion issues (CVE-2013-2094)
In perf_swevent_init:
$ cat /boot/System.map-2.6.32-358.el6.x86_64 | grep perf_swevent_enabled
ffffffff81f360c0 B perf_swevent_enabled
Note: sign extension happens because event_id has type int.
int event_id == 0xffffffff == -1 == 0xffffffffffffffff (x86-64)
perf_swevent_enabled[-1] == 0xffffffffffffffff * 4 + 0xffffffff81f360c0 == 0xFFFFFFFF81F360BC
int event_id == 0xfffffffe == -2 -->
perf_swevent_enabled[-2] == 0xfffffffffffffffe * 4 + 0xffffffff81f360c0 == 0xFFFFFFFF81F360B8
Integer issues - Sign conversion issues
In sw_perf_event_destroy():
Assume again that event->attr.config == 0xffffffff.
Note: no sign extension this time, because event_id has type u64:
0xffffffff [32 bit] => 0x00000000ffffffff [64 bit]
• perf_swevent_enabled[-1] address in sw_perf_event_destroy:
– 0x00000000ffffffff * 4 + 0xffffffff81f360c0 == 0x00000003 81f360bc
• perf_swevent_enabled[-1] address in perf_swevent_init:
– 0xffffffffffffffff * 4 + 0xffffffff81f360c0 == 0xffffffff 81f360bc
• Even though the addresses of perf_swevent_enabled[-1] in sw_perf_event_destroy() and perf_swevent_init() are different, the 6 most significant of their last 8 hex digits are the same.
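The two address computations above can be checked in ordinary C. The block below is an added example (not code from the slides, from the exploit, or from the kernel): it reproduces the bounds check as written in the vulnerable perf_swevent_init() beside the hardened form that keeps attr.config as a u64 (the type the upstream fix uses), and computes where the increment in perf_swevent_init() and the decrement in sw_perf_event_destroy() land for the same attr.config. The perf_swevent_enabled address is the System.map value quoted on the slide; the user-space boundary is the 47-bit limit from the mm.txt layout reproduced above.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t u64;

#define PERF_COUNT_SW_MAX    9                        /* as on the slide */
#define PERF_SWEVENT_ENABLED 0xffffffff81f360c0ULL    /* System.map value quoted above */
#define USER_SPACE_TOP       0x00007fffffffffffULL    /* 47-bit user space, per mm.txt */

/* Bounds check as written in the vulnerable perf_swevent_init(): attr.config (u64)
 * is narrowed to a signed int, so 0xffffffff becomes -1 and passes the "< 9" test.
 * Returns 0 when the kernel would accept the event id, -ENOENT otherwise. */
static int vulnerable_event_id_check(u64 config)
{
    int event_id = (int)config;   /* narrowing conversion: wraps modulo 2^32 on GCC/x86-64 */
    if (event_id >= PERF_COUNT_SW_MAX)
        return -ENOENT;
    return 0;
}

/* Hardened check: keep the full-width unsigned type, as the upstream fix does.
 * Every value >= PERF_COUNT_SW_MAX is now rejected, including 0xffffffff. */
static int hardened_event_id_check(u64 config)
{
    u64 event_id = config;
    if (event_id >= PERF_COUNT_SW_MAX)
        return -ENOENT;
    return 0;
}

/* Address of perf_swevent_enabled[event_id] inside perf_swevent_init(): the int
 * index is sign-extended to 64 bits before being scaled by sizeof(atomic_t) == 4. */
static u64 init_element_addr(u64 base, u64 config)
{
    int event_id = (int)config;
    return base + (u64)(int64_t)event_id * 4;
}

/* Address of perf_swevent_enabled[event_id] inside sw_perf_event_destroy(): the
 * index is a u64, so there is no sign extension and the scaled index wraps
 * around the 64-bit address space. */
static u64 destroy_element_addr(u64 base, u64 config)
{
    u64 event_id = config;
    return base + event_id * 4;
}

static bool addr_is_user_space(u64 addr)
{
    return addr <= USER_SPACE_TOP;
}

int main(void)
{
    u64 config = 0xffffffffULL;   /* the value the slide walks through */
    u64 a_init = init_element_addr(PERF_SWEVENT_ENABLED, config);
    u64 a_destroy = destroy_element_addr(PERF_SWEVENT_ENABLED, config);
    printf("attr.config = %#llx: vulnerable check %s, hardened check %s\n",
           (unsigned long long)config,
           vulnerable_event_id_check(config) == 0 ? "accepts" : "rejects",
           hardened_event_id_check(config) == 0 ? "accepts" : "rejects");
    printf("init touches    %#018llx (%s space)\n", (unsigned long long)a_init,
           addr_is_user_space(a_init) ? "user" : "kernel");
    printf("destroy touches %#018llx (%s space)\n", (unsigned long long)a_destroy,
           addr_is_user_space(a_destroy) ? "user" : "kernel");
    return 0;
}
```

The point for a reviewer is the type mismatch between the two functions: the same attr.config is indexed as a signed int in one place and as a u64 in the other, so the bounds check guards neither access correctly. Making the check operate on the unsigned 64-bit value, as the hardened variant does, is what closes the hole.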
(figure: exploitation of CVE-2013-2094 on x86-64. Labels recovered from the diagram: perf_swevent_enabled[0], perf_swevent_enabled[-1], perf_swevent_enabled[-2]; user / kernel boundary; NOP + shellcode; idt table at idt.addr with the hijacked entry at idt.addr + 0x48; offset1, offset2 ÷ 4, offset3 (0x48) ÷ 4; "-1 by destroy(-1)", "-1 by destroy(-2)", "+=1 by init(-1)", "+=1 by init(-2)"; sw_perf_event_destroy() a.k.a. destroy(), perf_swevent_init() a.k.a. init(); addresses 0xffffffff81734000, 0xffffffff81734048, 0xffffffff817e1340, 0x00000003817e1338, 0x00000003817e133c, 0x0000000380000000, 0x0000000390000000, 0x0000000081000000, 0xffffffff80000008.
Steps shown:
1. Allocate red region & green region.
2. Trigger the vulnerability for measuring: perf_event_open(-1), perf_event_open(-2).
3. perf_event_open(-i + (((idt.addr & 0xffffffff) - 0x80000000)/4) + 16)
4. asm("int $0x4"); root got!)
Modify the ptmx_fops
• In the exploit:
// 56 is the offset of fsync in struct file_operations
int target = pmtx_ops + 56;
int payload = -((perf_swevent_enabled - target)/4);
• The write lands at perf_swevent_enabled + (payload*4)
• Trigger:
int ptmx = open("/dev/ptmx", O_RDWR);
fsync(ptmx);
Source code: cve-2013-2094 port to x86-32
(figure: the x86-32 port. Steps shown:
1. Allocate 0x10000 for the payload.
2. Find perf_swevent_enabled & ptmx_fops via System.map.
3. Offset = (perf_swevent_enabled - fsync)/4
4. Create many child processes; each executes perf_event_open(Offset) 256 times; 256 processes in total (256*256 = 65536).
4. Trigger the vulnerability: fsync(ptmx); root got!
Other labels: Payload, Null, 56, 12, 3…65536 (0x10000).)
 

Recently uploaded (20)

Abortion Pill Prices Aliwal North ](+27832195400*)[ 🏥 Women's Abortion Clinic...
Abortion Pill Prices Aliwal North ](+27832195400*)[ 🏥 Women's Abortion Clinic...Abortion Pill Prices Aliwal North ](+27832195400*)[ 🏥 Women's Abortion Clinic...
Abortion Pill Prices Aliwal North ](+27832195400*)[ 🏥 Women's Abortion Clinic...
 
Abortion Pill Prices Jane Furse ](+27832195400*)[🏥Women's Abortion Clinic in ...
Abortion Pill Prices Jane Furse ](+27832195400*)[🏥Women's Abortion Clinic in ...Abortion Pill Prices Jane Furse ](+27832195400*)[🏥Women's Abortion Clinic in ...
Abortion Pill Prices Jane Furse ](+27832195400*)[🏥Women's Abortion Clinic in ...
 
Novo Nordisk: When Knowledge Graphs meet LLMs
Novo Nordisk: When Knowledge Graphs meet LLMsNovo Nordisk: When Knowledge Graphs meet LLMs
Novo Nordisk: When Knowledge Graphs meet LLMs
 
[GeeCON2024] How I learned to stop worrying and love the dark silicon apocalypse
[GeeCON2024] How I learned to stop worrying and love the dark silicon apocalypse[GeeCON2024] How I learned to stop worrying and love the dark silicon apocalypse
[GeeCON2024] How I learned to stop worrying and love the dark silicon apocalypse
 
Abortion Pills For Sale WhatsApp[[+27737758557]] In Birch Acres, Abortion Pil...
Abortion Pills For Sale WhatsApp[[+27737758557]] In Birch Acres, Abortion Pil...Abortion Pills For Sale WhatsApp[[+27737758557]] In Birch Acres, Abortion Pil...
Abortion Pills For Sale WhatsApp[[+27737758557]] In Birch Acres, Abortion Pil...
 
Abortion Pill Prices Jane Furse ](+27832195400*)[ 🏥 Women's Abortion Clinic i...
Abortion Pill Prices Jane Furse ](+27832195400*)[ 🏥 Women's Abortion Clinic i...Abortion Pill Prices Jane Furse ](+27832195400*)[ 🏥 Women's Abortion Clinic i...
Abortion Pill Prices Jane Furse ](+27832195400*)[ 🏥 Women's Abortion Clinic i...
 
Workshop - Architecting Innovative Graph Applications- GraphSummit Milan
Workshop -  Architecting Innovative Graph Applications- GraphSummit MilanWorkshop -  Architecting Innovative Graph Applications- GraphSummit Milan
Workshop - Architecting Innovative Graph Applications- GraphSummit Milan
 
Abortion Clinic In Johannesburg ](+27832195400*)[ 🏥 Safe Abortion Pills in Jo...
Abortion Clinic In Johannesburg ](+27832195400*)[ 🏥 Safe Abortion Pills in Jo...Abortion Clinic In Johannesburg ](+27832195400*)[ 🏥 Safe Abortion Pills in Jo...
Abortion Clinic In Johannesburg ](+27832195400*)[ 🏥 Safe Abortion Pills in Jo...
 
The mythical technical debt. (Brooke, please, forgive me)
The mythical technical debt. (Brooke, please, forgive me)The mythical technical debt. (Brooke, please, forgive me)
The mythical technical debt. (Brooke, please, forgive me)
 
Evolving Data Governance for the Real-time Streaming and AI Era
Evolving Data Governance for the Real-time Streaming and AI EraEvolving Data Governance for the Real-time Streaming and AI Era
Evolving Data Governance for the Real-time Streaming and AI Era
 
Abortion Clinic in Bloemfontein [(+27832195400*)]🏥Safe Abortion Pills In Bloe...
Abortion Clinic in Bloemfontein [(+27832195400*)]🏥Safe Abortion Pills In Bloe...Abortion Clinic in Bloemfontein [(+27832195400*)]🏥Safe Abortion Pills In Bloe...
Abortion Clinic in Bloemfontein [(+27832195400*)]🏥Safe Abortion Pills In Bloe...
 
Artyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptxArtyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptx
 
Modern binary build systems - PyCon 2024
Modern binary build systems - PyCon 2024Modern binary build systems - PyCon 2024
Modern binary build systems - PyCon 2024
 
Weeding your micro service landscape.pdf
Weeding your micro service landscape.pdfWeeding your micro service landscape.pdf
Weeding your micro service landscape.pdf
 
Abortion Clinic in Midrand [(+27832195400*)]🏥Safe Abortion Pills In Midrand |...
Abortion Clinic in Midrand [(+27832195400*)]🏥Safe Abortion Pills In Midrand |...Abortion Clinic in Midrand [(+27832195400*)]🏥Safe Abortion Pills In Midrand |...
Abortion Clinic in Midrand [(+27832195400*)]🏥Safe Abortion Pills In Midrand |...
 
Automate your OpenSIPS config tests - OpenSIPS Summit 2024
Automate your OpenSIPS config tests - OpenSIPS Summit 2024Automate your OpenSIPS config tests - OpenSIPS Summit 2024
Automate your OpenSIPS config tests - OpenSIPS Summit 2024
 
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
 
Abortion Pill Prices Polokwane ](+27832195400*)[ 🏥 Women's Abortion Clinic in...
Abortion Pill Prices Polokwane ](+27832195400*)[ 🏥 Women's Abortion Clinic in...Abortion Pill Prices Polokwane ](+27832195400*)[ 🏥 Women's Abortion Clinic in...
Abortion Pill Prices Polokwane ](+27832195400*)[ 🏥 Women's Abortion Clinic in...
 
Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024
Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024
Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024
 
GraphSummit Milan - Neo4j: The Art of the Possible with Graph
GraphSummit Milan - Neo4j: The Art of the Possible with GraphGraphSummit Milan - Neo4j: The Art of the Possible with Graph
GraphSummit Milan - Neo4j: The Art of the Possible with Graph
 

Libra : A Compatible Method for Defending Against Arbitrary Memory Overwrite

  • 1. Libra: A Compatible Method for Defending Against Arbitrary Memory Overwrite
  • 2. Outline • Chapter1 Introduction – Statistics of Vulnerabilities and Exploits – Attack Principle • Chapter2 Mechanism of Attack and Example – At the Second Step … – Kernel Data Structures to Overwrite • Chapter3 Proposed Solution – Background Knowledge – Compatible Solution – Characteristics • Chapter4 Implementation • Chapter5 Evaluation – Compatible Comparison – Performance – Stability Testing – False Positive & Negative Positive • Appendix – A Case Study : CVE-2013-2094 2
  • 3. Statistics of Linux Kernel Vulnerabilities 3 From : www.cvedetails.com
  • 4. Statistics of Vulnerabilities in 2013 4 From : www.cvedetails.com
  • 6. Attack Principle
    • A typical exploit for arbitrary memory overwrite leading to privilege escalation is described as follows:
    1. Triggering the vulnerability for arbitrary memory overwrite.
    [diagram: Normal function; Function pointer(addr1); addr1]
  • 7. Attack Principle
    2. Overwriting any kernel function pointer so that the pointer points to the payload address in user space.
    [diagram: addr2; Normal function; Function pointer(addr2); addr1]
  • 8. Attack Principle
    3. Because the overwritten kernel function can easily be invoked while serving user requests, an unauthorized attacker gets root access as soon as the modified kernel function is used.
    1. A Case Study : CVE-2013-2094
    2. CVE-2013-2094 on x86-32
    commit_creds(prepare_kernel_cred(NULL));
    [diagram: addr2; Normal function; Function pointer(addr2); addr1]
  • 9. Kernel Data Structures Can Be Overwritten 9 • IDT table • ptmx_fops • …
  • 10. Proposed Solution : Background knowledge The interrupt handler address fields in an IDT table entry are composed of low_offset field, middle_offset field, and high_offset field. 10
  • 11. ptmx_fops ?
    pty (pseudo-teletype) is a pair of virtual character devices that provide a bidirectional communication channel. Pty consists of ptmx and pts.
    For example:
      USER    TTY    FROM              LOGIN@  IDLE    JCPU   PCPU   WHAT
      xue     pts/0  61.66.243.96      Mon16   17:24m  0.21s  0.04s  ssh bbs@ptt.cc
      jeremy  pts/1  36-231-101-220.d  10:27   0.00s   0.19s  0.01s  w
  • 12. Linux Device Driver Architecture 12
  • 13. ptmx_fops ?
    • static struct file_operations ptmx_fops;
    • file_operations
      – defined in <include/linux/fs.h>
      – contains a set of function pointers, e.g. int (*fsync) (struct file *, loff_t, loff_t, int datasync);
      – used by the kernel to access the device driver's functions
  • 14. Ways to Find Addresses of Related Kernel Data Structures
    • Use the assembly instruction sidt
    • Search
      – System.map
      – /proc/kallsyms
  • 15. Example
    • grep ptmx_fops /boot/System.map-$(uname -r)
    • grep ptmx_fops /proc/kallsyms
    • /* 56 is the offset of fsync in struct file_operations on x86-32 */
      int target = pmtx_ops + 56; // target is a kernel pointer
  • 16. Hiding the Kernel Function Addresses
    • # chmod o-r /boot/System.map-3.0.42-0.7-default
    • # sysctl -w kernel.kptr_restrict=1
  • 17. Kees Cook's patch (Linux official patch)
    __set_fixmap(FIX_RO_IDT, __pa_symbol(idt_table), PAGE_KERNEL_RO);
    idt_descr.address = fix_to_virt(FIX_RO_IDT);
  • 18. Proposed Solution
    Important value : x. Let 1 ≤ x ≤ 5. If x=1, it is ok. If x=6, it will fail.
    The value stays read-only; the page fault handler helps us to modify the value (x=1).
  • 19. Page fault error code bits
    • The CPU pushes an error code on the stack before firing a page fault exception.
    • The error code must be analyzed by the exception handler to determine how to handle the exception.
    http://wiki.osdev.org/Paging
  • 20. Meaning of "error code = 3"
    – bit 0 == 0: no page found; 1: protection fault
    – bit 1 == 0: read access; 1: write access
    – bit 2 == 0: kernel-mode access; 1: user-mode access
  • 21. Flowchart of Linux Page fault handler
    [flowchart: Access to kernel space; Access in Kernel Mode; Noncontiguous memory area address; Address is a wrong System call parameter; Compatible solution]
  • 22. Flowchart of Libra for IDT Table
    1. Invalid address = read_cr2
    2. Page fault handler executes no_context()
    3. Does the invalid address fall into the IDT table address range?
    4. Is the error_code equal to 3? (If not: continue to execute no_context())
  • 23. Flowchart of Libra for IDT Table (continued)
    5. Is the new value in kernel space?
    6. Close the read-only attribute of the IDT table
    7. Modify the value
    8. Open the read-only attribute of the IDT table
    9. Update the program counter
    10. The page fault handler returns to the program that needs to change the IDT table
  • 24. Flowchart of Libra for ptmx_fops
    1. kallsyms_lookup_name("ptmx_fops");
    2. Invalid address = read_cr2();
    3. Is the invalid address in the ptmx_fops structure?
    4. Error code == 3 ? && Modified value > 0xffffffff80000000 (If not: continue to execute no_context())
  • 25. Flowchart of Libra for ptmx_fops (continued)
    5. Close the read-only attribute of ptmx_fops
    6. Modify the value
    7. Open the read-only attribute of ptmx_fops
    8. Update the program counter
    9. The page fault handler returns to the program that needs to change ptmx_fops
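The decision path of slides 22-25, written out as an added example (this is not Libra's own fault.c patch or any code from the slides): the handler only patches a faulting store through when the faulting address lies in the protected object, the error code is exactly 3 (present page, write, kernel mode) and the value being stored is a kernel-space pointer; everything else falls back to no_context(). The constructed ptmx_fops region, its 8-byte slot layout and its 32-slot size are assumptions; the structure address, faulting address and written value are the ones in the log on slide 32.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* x86 page-fault error code bits, as listed on the "error code = 3" slide
 * (bit 2, user-mode access, is the one that must NOT be set). */
#define PF_PROT  0x1UL   /* bit 0: 1 = protection fault on a present page */
#define PF_WRITE 0x2UL   /* bit 1: 1 = write access */
/* Lower bound of kernel space used by Libra's value check (slide 24). */
#define KERNEL_SPACE_MIN 0xffffffff80000000ULL

/* Constructed model of one read-only protected object (IDT table or
 * ptmx_fops): a range of kernel virtual addresses backed by 8-byte slots. */
struct protected_region {
    uint64_t  start;      /* kernel virtual address of the object */
    uint64_t *slots;      /* constructed backing store */
    size_t    nslots;
    bool      read_only;  /* stands in for the PTE's RW bit */
};

enum libra_verdict {
    LIBRA_NOT_OURS,   /* not a kernel-mode write into the object: no_context() goes on */
    LIBRA_BAD_VALUE,  /* new pointer is outside kernel space: no_context() goes on */
    LIBRA_PATCHED     /* legitimate update applied, read-only attribute restored */
};

/* Emulates the decision path of slides 22-25 for one faulting store: cr2 is
 * the faulting address, error_code the code the CPU pushed, new_value the
 * 8-byte value the faulting instruction tried to write. */
enum libra_verdict libra_handle_write(struct protected_region *r, uint64_t cr2,
                                      unsigned long error_code, uint64_t new_value)
{
    uint64_t end = r->start + (uint64_t)r->nslots * sizeof(uint64_t);

    /* "Does the invalid address fall into the protected address range?" */
    if (cr2 < r->start || cr2 >= end)
        return LIBRA_NOT_OURS;
    /* "Is the error_code equal to 3?": present page, write, kernel mode. */
    if (error_code != (PF_PROT | PF_WRITE))
        return LIBRA_NOT_OURS;
    /* "Is the new value in kernel space?" A pointer into user space is
     * exactly what the privilege-escalation exploit on slide 7 stores. */
    if (new_value < KERNEL_SPACE_MIN)
        return LIBRA_BAD_VALUE;

    r->read_only = false;                                        /* close RO */
    r->slots[(cr2 - r->start) / sizeof(uint64_t)] = new_value;  /* modify   */
    r->read_only = true;                                         /* open RO  */
    /* The real handler would now advance the saved program counter past the
     * faulting store so the caller does not fault on it again. */
    return LIBRA_PATCHED;
}

/* Constructed ptmx_fops scenario: the structure lives at 0xffffffffff577000
 * and the store hits offset 0x60, the cr2 value in slide 32's log. */
#define PTMX_FOPS_ADDR 0xffffffffff577000ULL
#define PTMX_FAULT_CR2 0xffffffffff577060ULL
#define PTMX_SLOT ((PTMX_FAULT_CR2 - PTMX_FOPS_ADDR) / sizeof(uint64_t))

static enum libra_verdict run_ptmx(unsigned long error_code, uint64_t new_value,
                                   uint64_t *slot_out)
{
    uint64_t fops[32] = {0};
    struct protected_region ptmx = {PTMX_FOPS_ADDR, fops, 32, true};
    enum libra_verdict v = libra_handle_write(&ptmx, PTMX_FAULT_CR2,
                                              error_code, new_value);
    if (slot_out)
        *slot_out = fops[PTMX_SLOT];
    return v;
}

/* Verdict for a store of new_value at ptmx_fops+0x60 with the given error code. */
enum libra_verdict ptmx_scenario(unsigned long error_code, uint64_t new_value)
{
    return run_ptmx(error_code, new_value, NULL);
}

/* Content of that slot after the same store (0 when nothing was written). */
uint64_t ptmx_scenario_slot(unsigned long error_code, uint64_t new_value)
{
    uint64_t slot = 0;
    run_ptmx(error_code, new_value, &slot);
    return slot;
}
```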
  • 26. Characteristics of Libra
    – It is a software solution that does not require any extra hardware cost.
    – It is a compromise between read-only solutions and writable solutions, chosen to improve compatibility.
    – It is a response-oriented security solution, so no CPU resources are spent on monitoring.
  • 27. Implementation • On Ubuntu 13.04 (Kernel version: 3.10.15) • On x86-64 architecture. • Intel(R) Pentium(R) D CPU 3.00GHz, 1GB RAM • [patch]x86: Use a read-only IDT alias on all CPUs, by Kees Cook. 27
  • 28. Evaluation: Compatible Comparison
    • Adding a system call for compatible comparison:
      idt_table2 = ((gate_desc *) idtr.address);
      idt_table2[i].offset_low = 0xbeef;
      idt_table2[i].offset_middle = 0xdead;
      idt_table2[i].offset_high = 0x12345678;
    • Original zeroth entry of IDT table :
      *0xffffffffff57a008 (high_offset)= ffffffff
      *0xffffffffff57a000 (low_offset)=4df0
      *0xffffffffff57a004 (middle_offset)=816a
  • 29. Evaluation: Compatible Comparison
    • Kees Cook's solution led to the following result:
      [131360.581351] pte_write(8000000001e22161):0
      [131360.581355] *0xffffffffff57a008 (offset_high)= ffffffff
      [131360.581358] *0xffffffffff57a000 (offset_low)=4df0
      [131360.581360] *0xffffffffff57a004 (offset_middle)=816a
  • 30. Evaluation: Compatible Comparison
    • The Libra solution led to the following result:
      [11679.083463] pte_write(8000000001e22161):0
      [11679.083466] *0xffffffffff57a008 (offset_high)= ffffffff
      [11679.083469] *0xffffffffff57a000 (offset_low)=beef
      [11679.083472] *0xffffffffff57a004 (offset_middle)=dead
  • 31. Evaluation: Compatible Comparison
      IDT entry field   Kees Cook's solution   Libra solution
      offset_low        Read-only              Writable
      offset_middle     Read-only              Writable
      offset_high       Read-only              Read-only
  • 32. Evaluation: Compatible Comparison
      [ 146.215132] flush: (null)
      [ 146.215132] release value:ffffffff813e5880
      [ 146.215132] fsync value: (null)
      [ 146.215132] aio_fsync value: (null)
      [ 146.215132] fasync value:ffffffff813e4430
      [ 146.215132] Jeremy, cr2 = ffffffffff577060
      [ 146.215132] Jeremy, page fault handler in kernel space is trigger!!!
      [ 146.215132] address 0xffffffffff577060 in CR2
      [ 146.215132] error_code = 3
      [ 146.215132] page fault run to line 1068
      [ 146.215132] page fault run to line 772
      [ 146.215132] Jeremy, *kallsyms_lookup_name(ptmx_fops) : ffffffffff577000 in fault.c
      [ 146.215132] The modified value at ptmx_fops : ffffffff8100beef
      [ 146.215132] address : ffffffffff577060
      [ 146.236822] flush:ffffffff8100beef
  • 33. Evaluation: Performance
    • We do performance testing with perf, which ships in the Linux kernel source tree.
    • "perf stat -r 100000 ./test_modify_idt 0"
    • The performance of Kees Cook's solution :
  • 34. Evaluation: Performance • The performance of compatible solution : 34
  • 36. Evaluation: Stability testing • “The Linux™ Test Project (LTP)is a joint project started by SGI™ and maintained by IBM®, that has a goal to deliver test suites to the open source community that validate the reliability, robustness, and stability of Linux.” - http://linux-test-project.github.io/ 36
  • 37. Evaluation: Stability testing
    • Total Tests: 1424
                           Original Ubuntu     Libra Ubuntu
      Total Skipped Tests  117                 138
      Total Failures       59                  80
      Kernel Version       3.8.0-19-generic    3.10.15
  • 38. Evaluation: False Positives & False Negatives
    • False Positives :
      – Ran for four months.
      – Firefox, LibreOffice, OpenSSH, LXR website, MSMBuilder.
  • 39. Evaluation: False Positives & False Negatives
    • False Negatives :
      – Linux PERF_EVENTS - Local Root Exploit
        • Sd, wzt, Vitaly Nikolenko, sorbo
      – FreeBSD 9.0 Intel SYSRET Kernel Privilege Escalation exploit
      – Nvidia Linux driver Privileges Escalation
      – CVE-2010-3081 & CVE-2010-3301: Linux kernel COMPAT Privilege Escalation
  • 40. Related Work
    • RGBDroid: A Novel Response-based Approach to Android Privilege Escalation Attacks.
    • Kees Cook's patch: x86: Use a read-only IDT alias on all CPUs
    • 2014-05-31, Vitaly Nikolenko's exploit
      * Supported targets:
      * [0] Ubuntu 12.04.0 - 3.2.0-23-generic
      * [1] Ubuntu 12.04.1 - 3.2.0-29-generic
      * [2] Ubuntu 12.04.2 - 3.5.0-23-generic
    • uint64_t targets[3][3] = {
          {0xffffffff81ef67e0,  // perf_swevent_enabled
           0xffffffff81091630,  // commit_creds
           0xffffffff810918e0}, // prepare_kernel_cred
          {0xffffffff81ef67a0, 0xffffffff81091220, 0xffffffff810914d0},
          {0xffffffff81ef5940, 0xffffffff8107ee30, 0xffffffff8107f0c0}
      };
    • Kernel address space layout randomization, Kees Cook, October 9, 2013, Linux Security Summit
  • 42. Appendix A • A Case Study : CVE-2013-2094 • A Case Study : CVE-2013-2094 on x86-32 42
  • 43. Integer issues - Sign conversion issues (CVE-2013-2094)
    • int fd = syscall(__NR_perf_event_open, ,…)
    • After executing perf_swevent_init, an attacker can increase the content of any kernel address by 1.
    • After close(fd), i.e. after executing sw_perf_event_destroy, an attacker can decrease the content of any user address by 1.
  • 44. A case study : CVE-2013-2094
    • /kernel/events/core.c
      static int perf_swevent_init(struct perf_event *event)
      {
          int event_id = event->attr.config;   /* 64-bit config narrowed to a signed int */
          /* ... */
          if (event_id >= PERF_COUNT_SW_MAX)   /* PERF_COUNT_SW_MAX == 9; negative ids pass */
              return -ENOENT;
          /* ... */
          atomic_inc(&perf_swevent_enabled[event_id]);
          /* ... */
      }
  • 45. A case study : CVE-2013-2094
    /kernel/events/core.c
      static void sw_perf_event_destroy(struct perf_event *event)
      {
          u64 event_id = event->attr.config;   /* here the index stays unsigned 64-bit */
          /* ... */
          atomic_dec(&perf_swevent_enabled[event_id]);
          /* ... */
      }
  • 46. [diagram: x86-64 virtual memory layout; labels: Physical memory, User Space 0x0000000000000000 - 0x00007fffffffffff, Virtual memory 128 TB, 64 TB, 0xffff800000000000 guard hole, 0xffff880000000000 __PAGE_OFFSET, 0xffffffff80000000 __START_KERNEL_map, Kernel text 512MB, 8MB VSYSCALL, 4KB (a page size), FIXADDR_TOP, FIXADDR_START]
  • 47. Linux 64-bit memory layout
      0000000000000000 - 00007fffffffffff (=47 bits) user space, different per mm
      hole caused by [48:63] sign extension
      ffff800000000000 - ffff80ffffffffff (=40 bits) guard hole
      ffff880000000000 - ffffc7ffffffffff (=64 TB) direct mapping of all phys. memory
      ffffc80000000000 - ffffc8ffffffffff (=40 bits) hole
      ffffc90000000000 - ffffe8ffffffffff (=45 bits) vmalloc/ioremap space
      ffffe90000000000 - ffffe9ffffffffff (=40 bits) hole
      ffffea0000000000 - ffffeaffffffffff (=40 bits) virtual memory map (1TB)
      ... unused hole ...
      ffffffff80000000 - ffffffffa0000000 (=512 MB) kernel text mapping, from phys 0
      ffffffffa0000000 - ffffffffff5fffff (=1525 MB) module mapping space
      ffffffffff600000 - ffffffffffdfffff (=8 MB) vsyscalls
      ffffffffffe00000 - ffffffffffffffff (=2 MB) unused hole
    • From (Documentation/x86/x86_64/mm.txt)
  • 48. Integer issues - Sign conversion issues (CVE-2013-2094)
    In perf_swevent_init
      $ cat /boot/System.map-2.6.32-358.el6.x86_64 | grep perf_swevent_enabled
      ffffffff81f360c0 B perf_swevent_enabled
    P.S : sign extension because of the int type
      int event_id == 0xffffffff == -1 == 0xffffffffffffffff (x86-64)
      perf_swevent_enabled[-1] == 0xffffffffffffffff * 4 + 0xffffffff81f360c0 == 0xFFFFFFFF81F360BC
      int event_id == 0xfffffffe == -2
      --> perf_swevent_enabled[-2] == 0xfffffffffffffffe * 4 + 0xffffffff81f360c0 == 0xFFFFFFFF81F360B8
  • 49. Integer issues - Sign conversion issues
    In sw_perf_event_destroy()
    Let's assume again event->attr.config == 0xffffffff
    --> P.S. No sign extension: 0xffffffff [32bit] => 0x00000000ffffffff [64bit]
    • perf_swevent_enabled[-1] address in sw_perf_event_destroy:
      – 0x00000000ffffffff * 4 + 0xffffffff81f360c0 == 0x00000003 81f360bc
    • perf_swevent_enabled[-1] address in perf_swevent_init:
      – 0xffffffffffffffff * 4 + 0xffffffff81f360c0 == 0xffffffff 81f360bc
    Even though the addresses of perf_swevent_enabled[-1] in sw_perf_event_destroy() and perf_swevent_init() differ, the 6 most significant of their last 8 hex digits are the same.
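The arithmetic of slides 43-49 carried through as an added example (not code from the slides or from the kernel): for one and the same attr.config it reproduces the address perf_swevent_init reaches with its sign-extended int index and the one sw_perf_event_destroy reaches with its zero-extended u64 index, and sets the vulnerable signed bounds check beside the u64 check that the upstream fix adopted. The base address and constants are the ones quoted on slide 48; the helper names are mine.

```c
#include <stdbool.h>
#include <stdint.h>

/* Values from the slides: PERF_COUNT_SW_MAX == 9, atomic_t is 4 bytes, and
 * perf_swevent_enabled sits at 0xffffffff81f360c0 in the System.map on slide 48. */
#define PERF_COUNT_SW_MAX     9
#define ATOMIC_T_SIZE         4
#define PERF_SWEVENT_ENABLED  0xffffffff81f360c0ULL
/* Boundaries from the x86-64 layout on slide 47. */
#define USER_SPACE_MAX        0x00007fffffffffffULL
#define KERNEL_TEXT_START     0xffffffff80000000ULL

/* Narrow the 64-bit attr.config to the 32-bit signed int that
 * perf_swevent_init stores it in (two's-complement wrap, as gcc does). */
static int32_t as_int_event_id(uint64_t config)
{
    return (int32_t)(uint32_t)config;
}

/* Address that perf_swevent_init's atomic_inc() touches: the int index is
 * sign-extended to 64 bits before scaling by sizeof(atomic_t), so a negative
 * id reaches BELOW the array, still inside the kernel text mapping. */
uint64_t init_target_addr(uint64_t config)
{
    int64_t idx = as_int_event_id(config);            /* sign extension */
    return PERF_SWEVENT_ENABLED + (uint64_t)idx * ATOMIC_T_SIZE;
}

/* Address that sw_perf_event_destroy's atomic_dec() touches: the u64 index
 * is NOT sign-extended, so the same config lands at a user-space address. */
uint64_t destroy_target_addr(uint64_t config)
{
    uint64_t idx = config;                            /* zero extension */
    return PERF_SWEVENT_ENABLED + idx * ATOMIC_T_SIZE;
}

/* The vulnerable bounds check of slide 44: a signed compare, so every
 * negative id is accepted. Returns true when the id is let through. */
bool vulnerable_check_accepts(uint64_t config)
{
    int32_t event_id = as_int_event_id(config);
    return !(event_id >= PERF_COUNT_SW_MAX);
}

/* Hardened check: keep the id unsigned and 64 bits wide, so anything at or
 * above PERF_COUNT_SW_MAX, including wrapped "negative" values, is refused. */
bool hardened_check_accepts(uint64_t config)
{
    uint64_t event_id = config;
    return event_id < PERF_COUNT_SW_MAX;
}

/* Which part of the x86-64 layout (slide 47) an address belongs to. */
bool in_user_space(uint64_t addr)  { return addr <= USER_SPACE_MAX; }
bool in_kernel_text(uint64_t addr) { return addr >= KERNEL_TEXT_START; }
```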
  • 50. [diagram of the x86-64 exploit flow against perf_swevent_enabled and the IDT table; labels: Perf_swevent_enabled[0], Perf_swevent_enabled[-1], Perf_swevent_enabled[-2], user / Kernel, NOP + Shellcode, idt table, Hijacked idt.addr, idt.addr + 0x48, offset1, offset2÷4, offset3÷4 (0x48), +=1 by init(-1), +=1 by init(-2), -1 by destroy(-1), -1 by destroy(-2), sw_perf_event_destroy() a.k.a destroy(), perf_swevent_init() a.k.a init(); steps: 1. Allocate red region & green region. 2. Trigger vulnerability for measuring: perf_event_open(-1), perf_event_open(-2). 3. perf_event_open(- i + (((idt.addr & 0xffffffff) - 0x80000000)/4) + 16). 4. asm("int $0x4"); root got!]
  • 51. Modify the ptmx_fops
    In exploit:
      // 56 is offset of fsync in struct file_operations
      int target = pmtx_ops + 56;
      int payload = -((perf_swevent_enabled - target)/4);
      perf_swevent_enabled + (payload*4)
    Trigger:
      int ptmx = open("/dev/ptmx", O_RDWR);
      fsync(ptmx);
    Source code : cve-2013-2094 port to x86-32
  • 52. [diagram of the x86-32 exploit flow; labels: Payload, Null, 56, 12, 3…65536 (0x10000); steps: 1. Allocate 0x10000 for payload. 2. Find perf_swevent_enabled & ptmx_fops by System.map. 3. Offset = (Perf_swevent_enabled - fsync)/4; 4. Create a lot of child processes; each process executes perf_event_open(Offset) 256 times, 256 processes in total (256*256 = 65536). 4. Trigger vulnerability: fsync(ptmx); root got!]

Editor's Notes

  1. This mainly proposes a compatible solution for Arbitrary Memory Overwrite vulnerabilities.
  2. statistics [stəˋtɪstɪks] mechanism [ˋmɛkə͵nɪzəm] Characteristic [͵kærəktəˋrɪstɪk] Comparison  [kəmˋpærəsn] 
  3. Having a vulnerability does not necessarily mean there is a corresponding exploit. Here we count some exploits from 2009 to 2013. These statistics of Linux kernel exploits were collected from exploit-db [21] and packetstorm [22] for 2009 to 2013. Therefore, we know that privilege escalation exploits make up the majority of Linux kernel exploits.
       Privilege Escalation               16
       DoS                                 6
       Buffer Overflow                     1
       Memory Disclosure                   2
       Total (number of vulnerabilities)  25
  4. Privilege escalation takes many forms; here we handle the more general form, namely arbitrary memory overwrite.
  5. These kernel functions create a new cred structure with root privileges and then commit that cred structure to the current process. After returning to user space, a root shell can be spawned.
  6. ptmx_fops is introduced next.
  7. Besides the IDT table, attackers also like to modify ptmx_fops. What is ptmx_fops? First, a word about the Linux device driver and the ssh shell. A pty, or pseudo-teletype, consists of ptmx and pts, which are the master and the slave respectively, and is what makes remote ssh login convenient for users.
  8. Architecture [ˋɑrkə͵tɛktʃɚ] The pseudo-teletype is part of the character device driver layer.
  9. ptmx_fops is defined by the file_operations structure. The kernel accesses the driver's functions through file_operations. fsync lets an application make sure that all data still held in memory is actually written to the device. It is commonly used for virtual device drivers when developing Linux device drivers.
  10. So how do we find ptmx_fops? We can look it up in the symbol table. The following two are the symbol tables in the system.
  11. The main idea:
  12. unsigned long error_code, 8 bytes http://code.woboq.org/linux/linux/arch/x86/mm/fault.c.html
  13. Is the new value in Kernel space? Modify the value
  14. The original exploit only changes offset_high. To test compatibility we added an extra system call that also changes offset_high, offset_middle and offset_low.
  15. ***Note that nobody has set ptmx_fops read-only yet.
  16. The difference is 1 ms (millisecond), which is actually no real difference.
  17. 1. Not done, because my solution is not on FreeBSD. 2. The nvidia Linux driver could not be found.
  18. 0. This is the exploit mainly analyzed this time; a detailed explanation is given in the appendix. 1. Not done, because my solution is not on FreeBSD. 2. It could not be determined which board's driver the nvidia Linux driver exploit targets. 3. Linux kernel COMPAT Privilege Escalation: the version is old and has not been tested yet.
  19. This is the flow when an ordinary user uses the system call to invoke the performance monitoring interface. First the init function is called; afterwards the user can call close(fd), which then calls the destroy function and ends the whole flow. Normally, init adds one to the position in the enabled array designated by the index, and at the end destroy subtracts one from the same position. But when we set the array index to -1 or any negative value, the two operations hit different places. Specifically, when the index is negative, init adds 1 at the location pointed to by some kernel-mode address, and destroy then subtracts 1 at the location pointed to by some user-mode address.
  20. 64-bit Linux allows up to 128 TB of virtual address space for individual processes, and can address approximately 64 TB of physical memory. Ref. http://en.wikipedia.org/wiki/X86-64 http://code.woboq.org/linux/linux/arch/x86/include/asm/page_64_types.h.html
  21. Ref: http://wiki.bit-hive.com/linuxkernelmemo/pg/64bit%A4%C7%A4%CE%A5%A2%A5%C9%A5%EC%A5%B9%B6%F5%B4%D6
  22. Let us first look at some examples. In the init function, if event->attr.config is given -1 (0xffffffff), that is a signed number. Because int is signed, when the 32-bit index is combined with the 64-bit base address of the array, sign extension takes place. According to the x86-64 memory layout (p9), the addresses produced by the indices -1 and -2 land in the kernel address space.
  23. 0xC0 - 0xB8 = 8. And what about the destroy function? Recall its relationship to the init function (P-6): the init function runs first, then the destroy function. Note that here there is no sign extension; after the array arithmetic we get two user-space addresses. Similarly, when event->attr.config == 0xfffffffe --> 0x00000000fffffffe * 4 + 0xffffffff81f360c0 == 0x00000003 81f360b8, while 0xfffffffffffffffe * 4 + 0xffffffff81f360c0 == 0xffffffff 81f360b8.
  24. Start_kernel_map = 0xffffffff 80000000; same distance from Start_kernel_map to perf_swevent_enabled.