rlbot

Problem

Uniform Resource Locators (URLs) are structured addresses that point to locations and assets on the internet. URLs allow software developers to build complex applications that exchange data with servers that can be hosted in multiple geographical regions. URLs can commonly be found embedded in documentation, configuration files, source code and compiled binaries. Top-level domains (TLD) are a part of the Domain Name System (DNS), and are used to lookup an Internet Protocol (IP) address of a requested website. There are a few different types of top-level domains. Generic, sponsored and country-code TLDs are generally accessible to the public. Registrars that govern the assignment of domain names within the TLD may choose to sell specific domain names to an interested party. However, some registrars are known to have less strict rules for assigning domain names. Attackers often abuse gaps in governance and actively seek to register their malicious domains in such TLDs. This issue is raised for all domains registered within TLDs that harbor an excessive number of malicious sites. While the presence of suspicious TLDs does not imply malicious intent, all of its uses in a software package should be documented and approved.

Problem

Control Flow Guard (CFG/CFI) protects the code flow integrity by ensuring that dynamic calls are made only to vetted functions. Trusted execution paths rely on the ability of the operating system to build a list of valid function targets. Certain functions can intentionally be disallowed to prevent malicious code from deactivating vulnerability mitigation features. A list of such invalid function targets can include publicly exported symbols. Applications that enhance control flow integrity through export suppression rely on libraries to mark their publicly visible symbols as suppressed. This is done for all symbols that are considered to be sensitive functions, and to which access should be restricted. It is considered dangerous to mix applications that perform export suppression with libraries that do not.

Problem

Control Flow Guard (CFG/CFI) protects the code flow integrity by ensuring that indirect calls are made only to vetted functions. This mitigation protects dynamically resolved function targets by instrumenting the code responsible for transferring execution control. Higher-level programming languages implement structured exception handling by managing their own code flow execution paths. As such, they are subject to code flow hijacking during runtime. Language-specific exception handling mitigation enforces execution integrity by instrumenting calls to manage execution context switching. Any deviation from the known and trusted code flow paths will cause the application to terminate. This makes malicious code less likely to execute.

Problem

On Linux, external symbols are resolved via the procedure linkage table (PLT) and the global offset table (GOT). Without any protection, both are writable at runtime and thus leave the executable vulnerable to pointer hijacking - an attack where the function address is overwritten with an address of a malicious function. Pointer hijacking can be mitigated by using full read-only relocations, which instruct the compiler to unify global offset tables into a single read-only table. This requires that all external function symbols are resolved at load-time instead of during execution, and may increase loading time for large programs.

Problem

Common compilers often embed source code information into executables for debugging purposes, usually by mapping symbols to source filenames or paths. While this is typically desirable in open-source software and standard tools, that information can be used to determine security weaknesses, code repository layout, trade secrets and similar sensitive information. Such symbols make it easier to reverse-engineer a closed source application.

Problem

Fortified functions are usually wrappers around standard glibc functions (such as memcpy) which perform boundary checks either at compile time or run time to determine if a memory violation has occurred. The compiler needs additional context to generate such calls (for example, array size that needs to be known at compile time). Because of this, the compiler will virtually never substitute all viable functions with their fortified counterparts in complex programs. However, lack of any fortified functions may indicate that this compiler feature was not used at all.