Chapter 36 Further Reading: Exploit Mitigations
Foundational Papers
"StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks" (USENIX Security 1998) by Crispin Cowan et al.
The original stack canary paper. Describes the design, implementation, and performance measurements of the first practical stack canary system. Essential reading for understanding the design choices (why the null byte, why TLS, why the specific placement).
"Control-Flow Integrity" (CCS 2005) by Abadi, Budiu, Erlingsson, Ligatti
The paper that defined CFI as a concept. Describes the threat model, the enforcement mechanism, and the implementation. All subsequent CFI work (Clang CFI, Intel CET) builds on this foundation. Available free online.
"Bypassing Browser Memory Protections" (Black Hat 2008) by Alexander Sotirov and Mark Dowd
The paper that demonstrated practical ASLR bypass via heap spraying, information leaks, and partial overwrites. Required reading for understanding why ASLR alone is insufficient. Historically significant for driving the development of stronger mitigations.
Intel Documentation
Intel® 64 and IA-32 Architectures Software Developer's Manual, Volume 1, Chapter 18: Control-flow Enforcement Technology
The authoritative specification for CET. Describes SHSTK and IBT in precise detail: the SSP register, the shadow stack page attribute, the ENDBR64/ENDBR32 encodings, the WRSS, SAVEPREVSSP, and RSTORSSP instructions. Document number 325462.
https://www.intel.com/content/www/us/en/developer/articles/technical/intel-sdm.html
"A Technical Look at Intel's Control-flow Enforcement Technology" (Intel Technology Blog)
A readable overview of CET design for software developers, explaining SHSTK and IBT without the full specification depth. Good starting point before diving into the SDM chapter.
Online Resources
"Exploit Mitigations" chapter of pwn.college
The pwn.college "Program Security" module covers each mitigation with hands-on challenges. The challenges progress through bypassing each mitigation individually, then in combination, all in a browser-based Linux environment.
https://pwn.college/
"Return-Oriented Programming: Systems, Languages, and Applications" (ACM TISSEC 2012) by Ryan Roemer et al.
The academic formalization of ROP as a complete programming model. Useful context before Chapter 37: it supplies the theoretical foundation for what these mitigations must defeat.
checksec script (GitHub)
https://github.com/slimm609/checksec.sh
The source of the checksec tool, with documentation on what each flag means and how it is detected. Reading the source reveals exactly what ELF header fields encode each security feature.
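As an added illustration of the header fields checksec inspects (this is example code written for this chapter, not checksec's own source), the following Python reads the ELF64 file header and program headers to report PIE, NX and partial RELRO. Full RELRO would additionally need DF_BIND_NOW from the dynamic section and canary detection needs the symbol table (__stack_chk_fail), both omitted here; the test images are constructed inline rather than read from disk.

```python
import struct

# Constants from the ELF specification (see elf.h)
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X = 0x1
EHDR_FMT = "<16sHHIQQQIHHHHHH"   # ELF64 file header, little-endian (64 bytes)
PHDR_FMT = "<IIQQQQQQ"          # ELF64 program header (56 bytes)


def elf_hardening(data: bytes) -> dict:
    """Derive PIE, NX and RELRO status from the ELF64 header and program headers."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:   # ELFCLASS64, ELFDATA2LSB
        raise ValueError("not a little-endian ELF64 image")
    hdr = struct.unpack_from(EHDR_FMT, data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    phdrs = [struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)
             for i in range(e_phnum)]
    gnu_stack = [p for p in phdrs if p[0] == PT_GNU_STACK]
    # With no PT_GNU_STACK at all the Linux loader falls back to an executable stack
    # on x86, so NX is only reported when the segment exists and lacks PF_X.
    nx = bool(gnu_stack) and not (gnu_stack[0][1] & PF_X)
    return {
        # Simplification: ET_DYN also covers shared objects; checksec additionally
        # looks at PT_INTERP / DT_FLAGS_1 to tell a PIE executable from a library.
        "pie": e_type == ET_DYN,
        "nx": nx,
        # PT_GNU_RELRO alone means partial RELRO; "full" also needs DF_BIND_NOW in .dynamic.
        "relro": "partial" if any(p[0] == PT_GNU_RELRO for p in phdrs) else "none",
    }


def build_elf(e_type: int, segments: list) -> bytes:
    """Constructed test fixture: a bare ELF64 x86-64 image holding only header + phdrs."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)   # ELFCLASS64, little-endian, EV_CURRENT
    ehdr = struct.pack(EHDR_FMT, ident, e_type, 0x3E, 1, 0, 64, 0, 0,
                       64, 56, len(segments), 64, 0, 0)
    phdrs = b"".join(struct.pack(PHDR_FMT, p_type, p_flags, 0, 0, 0, 0, 0, 0)
                     for p_type, p_flags in segments)
    return ehdr + phdrs


if __name__ == "__main__":
    hardened = build_elf(ET_DYN, [(PT_GNU_STACK, 0x6), (PT_GNU_RELRO, 0x4)])
    legacy = build_elf(ET_EXEC, [(PT_GNU_STACK, 0x7)])
    print("hardened:", elf_hardening(hardened))   # pie/nx True, relro partial
    print("legacy:  ", elf_hardening(legacy))     # pie/nx False, relro none
```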
Books
"A Guide to Kernel Exploitation" by Enrico Perla and Massimiliano Oldani
Covers kernel-mode exploitation and the kernel-mode equivalents of the user-space mitigations in this chapter: kernel ASLR (KASLR), SMEP/SMAP, and kernel canaries. Puts user-space mitigations in context by showing what additional layers exist in the kernel.
"The Shellcoder's Handbook" by Koziol et al. (2nd edition)
Despite the name, this is as much about defenses as attacks. Covers the history of each mitigation and the corresponding bypass techniques as they developed. The chapters on canary bypass (format string leaks) and ASLR bypass are historically accurate and well-explained.
Compiler Documentation
GCC security hardening documentation
https://gcc.gnu.org/onlinedocs/gcc/Instrumentation-Options.html
Documents all GCC security instrumentation flags: -fstack-protector*, -D_FORTIFY_SOURCE, -fcf-protection, and more. The official reference for understanding exactly what each flag generates.
Linker security flags (GNU ld)
https://sourceware.org/binutils/docs/ld/Options.html
Documents -z relro, -z now, and other security-relevant linker options. Understanding these is necessary for secure build systems and Makefiles.