email : bufferantifork.org
Take a look at my technical blog!
Currently I'm working as a System Security Engineer at a Security Service Provider in the
northern part of Italy.
I worked as a researcher at Politecnico di Bari until June 2004. My research topic was TCP congestion control. In
particular, I introduced TCP Westwood+ support in the GNU/Linux kernel 2.4.19 and then ported it to 2.4.22,
2.4.23 and 2.4.24. Patches are available here.
The TCP Westwood+ patch was included in the official Linux kernel in release 2.6.3-rc1 and in
release 2.4.26-pre1. If you are interested, you can look at the subsection TCP below, where you can
find the first article proposed about this topic. Moreover, in the subsection Articles you can
find an article about the current implementation. If you want more information about this project,
please contact me or take a look at the
TCP Westwood+ research home page. If you are interested, I gave an
interview (in Italian)
about this topic some time ago for Openlabs.
I'm a developer of the AngeL security module.
In particular, I'm the maintainer of the anti syscall redirection module. AngeL is a Linux kernel module
designed to work with version 2.4.0 or later. It uses the new netfilter firewalling facility in order
to control all packets leaving your host. AngeL will also compile on the old 2.2.xx family of
kernels, using the ipchains firewalling facilities.
AngeL is a tool that makes your host unable to send hostile traffic across the network. It also
blocks a large number of root compromise attacks and local denial of service attacks, by using system
call wrappers that perform sanity checks on the input parameters before invoking the original system
Currently I'm writing documentation (in Italian) about the Linux kernel 2.4 TCP implementation. If you are
interested, you can download it from here.
A patched version of rshaper, written by Alessandro Rubini and
Rodolfo Giometti. This version introduces a new host management architecture which allows setting
bandwidth limits even on ports or sets of ports. This feature was introduced by Rodolfo Giometti in the
last CVS version, but it does not scale well when many entries are set. I introduced statistics
"Linux 2.4 Implementation of Westwood+ TCP with Rate-Halving : A
Performance Evaluation Over the Internet"
Angelo Dell'Aera, Luigi Alfredo Grieco, Saverio Mascolo.
IEEE International Conference on Communication (ICC 2004), Paris, June 2004
[Download the ICC2004 speech I gave in Paris on June 22nd, 2004]
"Hijacking Linux Page Fault Handler Exception Table"
August 2003, published on Phrack #61.
[This version fixes some typos present in the official version published on Phrack #61]
"Alfiere in c7... page fault!" (Bishop to c7... page fault!)
December 2003, published on BFi12
"Astrolabio - Information Security: A Chess Battle All Over The Net" - Politecnico di Bari (Italy)
Net&System Security 2006 - Pisa (Italy)
"Exploiting Software: How To Break Code"
SMAU 2006 - Milano (Italy)
"Fingerprinting e attacco ad un sistema informatico" (Fingerprinting and attacking a computer system)
Metro Olografix Crypto Meeting 2006 - Pescara (Italy)
"What's Going Wrong with WEP?"
Net&System Security 2005 - Pisa (Italy)
"Wireless Hacking Live"
Metro Olografix Camp - Pescara (Italy)
"TCP Congestion Control Demystified"
"Hijacking Linux Page Fault Handler Exception Table"
IEEE International Conference on Communications - Paris (France)
"Linux 2.4 Implementation of Westwood+ TCP with Rate-Halving : A
Performance Evaluation over the Internet"
Webbit - Padova (Italy)
"TCP Congestion Control : da Van Jacobson a TCP Westwood+" (TCP Congestion Control: from Van Jacobson to TCP Westwood+)
Security Date - Ancona (Italy)
"Attacchi al kernel di Linux mediante LKM" (Attacks on the Linux kernel by means of LKMs)
"Buffer overflow, shellcode and shellcode advanced"
Sistemi di calcolo alternativi al binomio Microsoft-Intel (Computing systems alternative to the Microsoft-Intel pair) - Bari (Italy)
"Il modello di sviluppo Open Source : l'esempio di GNU Linux" (The Open Source development model: the example of GNU Linux)
This subsection is dedicated to some interesting papers about TCP.
"Congestion Avoidance and Control"
In this fantastic article, published at SIGCOMM88 and then revised in 1990 (since the previous version contained
an error), Van Jacobson pointed out for the first time the problem of congestion control,
after a congestion collapse he observed at UC Berkeley. The result of this work was TCP Reno,
implemented for the first time in 4.3-BSD Reno.
"Start-up dynamics of TCP's Congestion Control and Avoidance Schemes"
Master Thesis 1995.
This master thesis is really interesting since Janey Hoe was the first to introduce some basic concepts which
could be found a little later in many algorithms dealing with recovery from multiple losses inside a window.
RFC2018 "TCP Selective Acknowledgement Options"
M. Mathis, J. Mahdavi, S. Floyd, A. Romanow.
RFC2581 "TCP Congestion Control"
M. Allman, V. Paxson, W. Stevens.
RFC2582 "The NewReno Modification to TCP's Fast Recovery Algorithm"
S. Floyd, T. Henderson.
RFC2861 "TCP Congestion Window Validation"
M. Handley, J. Padhye, S. Floyd.
RFC2883 "An Extension to the Selective Acknowledgement (SACK) Option for
S. Floyd, J. Mahdavi, M. Mathis, M. Podolsky.
RFC2988 "Computing TCP's Retransmission Timer"
V. Paxson, M. Allman.
RFC3390 "Increasing TCP's Initial Window"
M. Allman, S. Floyd, C. Partridge.
RFC3465 "TCP Congestion Control with Appropriate Byte Counting"
"Forward Acknowledgment : Refining TCP Congestion Control"
Matthew Mathis, Jamshid Mahdavi.
This algorithm is usually implemented together with Selective Acknowledgment and it allows great performance
improvements if compared with a standard implementation. Linux 2.4 still supports it but in a very particular way
since it could be disabled during normal data transfer if some situations occur.
"The Rate-Halving Algorithm for TCP Congestion Control"
Matthew Mathis, Jeff Semke, Jamshid Mahdavi, Kevin Lahey.
A really interesting algorithm which modifies TCP behaviour during the Fast Recovery/Fast Retransmit phase. This draft
is not so simple to understand, especially if you don't know what self-clocking is. In that case, I suggest reading the
paper written by Van Jacobson before this one.
"F-RTO: A New Recovery Algorithm for TCP Retransmission Timeouts"
Pasi Sarolahti, Markku Kojo, Kimmo Raatikainen.
This paper describes a new algorithm for obtaining better performance in case of spurious retransmission timeouts.
Pasi Sarolahti and Markku Kojo also proposed a draft about this algorithm. This algorithm is included
in the Linux kernel development branch 2.5.
"TCP Westwood : Bandwidth Estimation for Enhanced Transport over Wireless Links"
Saverio Mascolo, Claudio Casetti, Mario Gerla, M.Y. Sanadidi, Ren Wang.
This paper describes TCP Westwood, a really cool congestion control algorithm designed for obtaining great
performance over wireless and satellite links. Currently I'm involved in developing TCP Westwood in Linux kernel
2.4.19 at Politecnico di Bari.
"Improving TCP Congestion Control over Internets with Heterogeneous Transmission
C. Parsa, J.J. Garcia-Luna-Aceves.
This paper describes TCP Santa Cruz, a really interesting congestion control algorithm designed to work with path
asymmetries, out-of-order packet delivery, and networks with lossy links, limited bandwidth and dynamic changes in
"Understanding the Performance of TCP Pacing"
Amit Aggarwal, Stefan Savage, Tom Anderson.
This paper describes a new and interesting approach to congestion control that avoids traffic source burstiness by
using a rate-based sending TCP.
"Service Disciplines For Guaranteed Performance Service in Packet-Switching
A really interesting paper about several service disciplines proposed in literature.
"Congestion Control in Linux TCP"
Pasi Sarolahti, Alexey Kuznetsov.
This article describes the Linux 2.4 TCP implementation. It's a very interesting article even if it doesn't
describe implementation features in detail. In particular, if you plan to read the kernel source code it's
useful to read it first, since kernel 2.4 is not completely RFC-compliant.
"Linux Traffic Control - Implementation Overview"
This article describes the Linux traffic control functions. Really interesting for understanding one of the most
interesting parts of the kernel code, mainly written by Alexey Kuznetsov.
"Performance Evaluation and Comparison of Westwood+, New Reno
and Vegas TCP Congestion Control"
Luigi A. Grieco, Saverio Mascolo.
ACM CCR, Vol.34 No.2, April 2004.
This article compares three TCP congestion control algorithms. A
really interesting read.
Linux kernel documentation
Three lectures about Linux kernel debugging from "Linux Kernel Hacking Course" which took place in 2002
at University of "Tor Vergata" in Rome. This course was organized by Daniel P. Bovet and Marco Cesati, the
authors of "Understanding the Linux kernel".
Kernel Debugging 1
Kernel Debugging 2
Kernel Debugging 3
Do you need to add or simply modify a system call for your own purposes? Well, take a look at these short papers!
Changing a systemcall
Making a systemcall
Documentation about Linux kernel 2.4 API. Really useful if you want to code a
A very interesting document written by Rusty Russell about concurrency problems and
locking mechanisms in the Linux kernel 2.4. It focuses mainly on SMP architectures, but it's really interesting to read
even if you hack only on UP architectures. Remember that Linux 2.5 is designed with a fully preemptible kernel,
and this means that from now on your UP architecture will be treated in a really similar manner to an
SMP one. Simply read it!
Tigran Aivazian drives us deep inside Linux kernel 2.4 internals.
An introduction to the /proc filesystem. Even if I think it's rather incomplete, it
could be useful for understanding how this filesystem works within the kernel and how it's possible to use it for useful
purposes. Here you can find another lecture about how to create a procfile.
A guide to the implementation and modification of the Linux protocol stack, written
by Glenn Herrin. It refers to kernel 2.2.14 and could actually be considered obsolete. I think it's still useful
for understanding what could be considered one of the most difficult portions of code within the kernel.
An article written by Rik van Riel in 2001 and titled "Page replacement in
Linux 2.4 memory management". This article describes the changes in virtual memory management when passing from kernel 2.2
to kernel 2.4. An interesting read.
"Proceedings of the 2002 Ottawa Linux Symposium"
June 26th - 29th, Ottawa, Ontario (Canada).
Two really interesting articles about read-copy update locking, which improves synchronization performance. Read-copy
update is still used in the Linux kernel 2.6.
"Read-Copy Update : Using Execution History to Solve Concurrency Problems"
Paul E. McKenney, John D. Slingwine.
Paul E. McKenney, Jonathan Appavoo, Andi Kleen, Orran Krieger, Rusty Russell, Dipankar Sarma, Maneesh Soni.
Shellcode Contest - December 2002
A shellcode contest took place in December 2002. At the beginning, the main goal was to write the shortest
shellcode. But when we started having fun, we began developing some strange shellcodes too. Here you may
find some shellcodes I developed during this period.
23-byte shellcode written by ALoR and me. No one did better in the contest!
Shellcode which shows the possibility of using the popa instruction just to avoid touching the eax register.
Optimization of buffer-i386-cool.c.
Three rules to code cool shellcodes. Written just for fun using Awgn's Dante.
Alphanumeric shellcode written using Rix's Assembler Shellcode Compiler (presented on Phrack 57).
Alphanumeric shellcode completely written by hand. I spent a whole night finding the right offsets, and
here you can see what I saw when I realized it was working!
Alphanumeric code completely written by hand which builds a shellcode and then executes it. A nice delirium!
"__atexit in memory bugs"
A very short paper showing a way to execute arbitrary instructions using atexit().
"w00w00 on Heap Overflows"
Matt Conover & w00w00 Security Team
This article provides a better understanding of heap-based overflows along with several methods of exploitation,
demonstrations, and some possible solutions/fixes.
A proof of concept local zlib-1.1.4 exploit
A proof of concept code for testing Linux kernel
A few reports I received about this topic:
- Seth Arnold reported a subtle bug in the code. In fact, the pid could be five digits
long, so it could leave no space for the NULL byte in the path string (now corrected);
- John Caruso reported it "hangs RedHat Advanced Server 2.1 with the 2.4.9-e.30smp
errata kernel (although it does produce the correct output first)";
- Gabriele Marrone reported it hangs RedHat kernel 2.6.0-1.104.
It seems to be a RedHat kernel problem. I couldn't investigate the reasons
why it happens. The code should be safe since it doesn't corrupt any kernel data.
Nevertheless, if you're a RedHat user, please bear this in mind!
Tool Interface Standard (TIS) and Executable and Linking Format (ELF)
Specification version 1.2
Really interesting reading if you are interested in understanding the ELF format.
GnuPG public key : buffer-gpg.asc
GnuPG fingerprint : 48CC B0D8 C394 CD30 355F E36D A4E3 48CF 19C1 5CA2
This site Copyright © 2000-2006 Antifork Research, Inc.