Antifork Research, Inc. Logo
[ home | about | members | projects ]


buffer homepage




Take a look at my technical blog!

Currently I'm working as System Security Engineer in a Security Service Provider in the Northern part of Italy.

I worked as researcher in Politecnico of Bari until June 2004. My research argument was TCP congestion control. In particular, I introduced TCP Westwood+ support in GNU Linux kernel 2.4.19 and then ported it to 2.4.22, 2.4.23 and 2.4.24. Patches are available here. TCP Westwood+ patch was included in the official Linux kernel in the release 2.6.3-rc1 and in the release 2.4.26-pre1. If you are interested, you can look at the subsection TCP below where you can find the first article proposed about this argument. Moreover, in the subsection Articles you can find an article about the current implementation. If you want more informations about this project, please contact me or take a look at the TCP Westwood+ research home page. If you are interested, I had an interview (in italian) about this topic few times ago for Openlabs.

I'm a developer of AngeL security module. In particular I'm the maintainer of anti syscall redirection module. AngeL is a Linux kernel module designed to work with version 2.4.0 or later. It uses the new netfilter firewalling facility in order to control all packets leaving from your host. AngeL will also compile on the old 2.2.xx family kernels, using the ipchains firewalling facilities.
AngeL is a tool that makes your host unable to send hostile traffic across the network. It also blocks a large number of root compromise attacks and local denial of services, by using system call wrappers that perfom sanity checks on the input parameters before invoking the original system calls.

Currently I'm writing documentation (in italian) about Linux kernel 2.4 TCP implementation. If you are interested you can download it from here.

A patched version of rshaper written by Alessandro Rubini and Rodolfo Giometti. This version introduces a new host management architecture which allows to set bandwidth limits even on ports or set of ports. This feature was introduced by Rodolfo Giometti in the last CVS version but it is not too much scalable when too much entries are set. I introduced statistics support too.




"Linux 2.4 Implementation of Westwood+ TCP with Rate-Halving : A Performance Evaluation Over the Internet"
Angelo Dell'Aera, Luigi Alfredo Grieco, Saverio Mascolo.
IEEE International Conference on Communication (ICC 2004), Paris, June 2004
[Download the ICC2004 speech I had in Paris on June, 22th 2004]

"Hijacking Linux Page Fault Handler Exception Table"
Angelo Dell'Aera.
August 2003, published on Phrack #61.
[This version fixes some typos present in the official version published on Phrack #61]

"Alfiere in c7... page fault!"
Angelo Dell'Aera.
December 2003, published on BFi12
[English version] [French version]




[May 2010]
"Astrolabio - Information Security: A Chess Battle All Over The Net" - Politecnico di Bari (Italy)

"Emerging Threats"
Slides [ppt] [pdf]

[October 2006]
Net&System Security 2006 - Pisa (Italy)

"Exploiting Software: How To Break Code"
Slides [ppt]

[October 2006]
SMAU 2006 - Milano (Italy)

"Fingerprinting e attacco ad un sistema informatico"
Slides [ppt] [pdf]

[March 2006]
Metro Olografix Crypto Meeting 2006 - Pescara (Italy)

"What's Going Wrong with WEP?"
Slides [sxi] [pdf]

[October 2005]
Net&System Security 2005 - Pisa (Italy)

"Wireless Hacking Live"

[August 2004]
Metro Olografix Camp - Pescara (Italy)

"TCP Congestion Control Demystified"
"Hijacking Linux Page Fault Handler Exception Table"

[June 2004]
IEEE International Conference on Communications - Paris (France)

"Linux 2.4 Implementation of Westwood+ TCP with Rate-Halving : A Performance Evaluation over the Internet"

[June 2004]
Webbit - Padova (Italy)

"TCP Congestion Control : da Van Jacobson a TCP Westwood+"

[April 2004]
Security Date - Ancona (Italy)

"Attacchi al kernel di Linux mediante LKM"
"Buffer overflow, shellcode and shellcode advanced"

[April 2003]
Sistemi di calcolo alternativi al binomio Microsoft-Intel - Bari (Italy)

"Il modello di sviluppo Open Source : l'esempio di GNU Linux"




This subsection is dedicated to some interesting papers about TCP.

"Congestion Avoidance and Control"
Van Jacobson.
In this fantastic article published at SIGCOMM88 and then reviewed in 1990 (since it contained an error in the previous version), for the first time Van Jacobson pointed out the problem of congestion control after a congestion collapse he observed at UC Berkeley. The result of this work was the first implementation of TCP Reno, implemented for the first time in 4.3-BSD Reno.

"Start-up dynamics of TCP's Congestion Control and Avoidance Schemes"
Janie Hoe.
Master Thesis 1995.
This master thesis is really interesting since Janie Hoe was the first who introduced some basic concepts which could be found few times later in many algorithms which deal with recovery from multiple losses inside a window a data.

RFC2018 "TCP Selective Acknowledgement Options"
M. Mathis, J. Mahdavi, S. Floyd, A. Romanow.
October 1996.

RFC2581 "TCP Congestion Control"
M. Allman, V. Paxson, W. Stevens.
April 1999.

RFC2582 "The NewReno Modification to TCP's Fast Recovery Algorithm"
S. Floyd, T. Henderson.
April 1999.

RFC2861 "TCP Congestion Window Validation"
M. Handley, J. Padhye, S. Floyd.
June 2000.

RFC2883 "An Extension to the Selective Acknowledgement (SACK) Option for TCP"
S. Floyd, J. Mahdavi, M. Mathis, M. Podolsky.
July 2000.

RFC2988 "Computing TCP's Retransmission Timer"
V. Paxson, M. Allman.
November 2000.

RFC3390 "Increasing TCP's Initial Window"
M. Allman, S. Floyd, C. Partridge.
October 2002.

RFC3465 "TCP Congestion Control with Appropriate Byte Counting"
M. Allman.
February 2003.

"Forward Acknowledgment : Refining TCP Congestion Control"
Matthew Mathis, Jamshid Mahdavi.
This algorithm is usually implemented together with Selective Acknowledgment and it allows great performance improvements if compared with a standard implementation. Linux 2.4 still supports it but in a very particular way since it could be disabled during normal data transfer if some situations occur.

"The Rate-Halving Algorithm for TCP Congestion Control"
Matthew Mathis, Jeff Semke, Jamshid Mahdav, Kevin Lahey.
Really interesting algorithm which modifies TCP behaviour during Fast Recovery/Fast Restransmit phase. This draft is not so simple to understand especially if you don't know what self-clocking is. In such case, I suggest to read the paper written by Van Jacobson before this one.

"F-RTO: A New Recovery Algorithm for TCP Retransmission Timeouts"
Pasi Sarolahti, Markku Kojo, Kimmo Raatikanen.
This paper describes a new algorithm for obtaining better performance in case of spurious retransmission timeouts. Actually, Pasi Sarolahti and Markku Kojo proposed a draft about this algorithm. This algorithm is still included in Linux kernel developement branch 2.5.

"TCP Westwood : Bandwidth Estimation for Enhanced Transport over Wireless Links"
Saverio Mascolo, Claudio Casetti, Mario Gerla, M.Y. Sanadidi, Ren Wang.
This paper describes TCP Westwood, a really cool congestion control algorithm designed for obtaining great performances over wireless and satellite links. Currently I'm involved in developing TCP Westwood in Linux kernel 2.4.19 in Politecnico of Bari.

"Improving TCP Congestion Control over Internets with Heterogeneous Transmission Media"
C. Parsa, J.J. Garcia-Luna-Aceves.
This paper describes TCP Santa Cruz, a really interesting congestion control algorithm designed to work with path asymmetries, out-of-order packet delivery, and networks with lossy links, limited bandwidth and dynamic changes in delay.

"Understanding the Performance of TCP Pacing"
Amit Aggarwal, Stefan Savage, Tom Anderson.
This paper describes a new interesting approach to congestion control through avoiding traffic source burstiness by using a rate-based sending TCP.

"Service Disciplines For Guaranteed Performance Service in Packet-Switching Networks"
H. Zhang.
A really interesting paper about several service disciplines proposed in literature.

"Congestion Control in Linux TCP"
Pasi Sarolahti, Alexey Kuznetsov.
This article describes Linux 2.4 TCP implementation. It's a very interesting article even if it doesn't describe implementation features in detail. In particular, if you plan to read kernel source code it's useful to read it since kernel 2.4 is not completely RFC-compliant.

"Linux Traffic Control - Implementation Overview"
Werner Almesberger.
This article describes Linux traffic control functions. Really interesting for understanding one of the most interesting part of kernel code mainly written by Alexey Kuznetsov.

"Performance Evaluation and Comparison of Westwood+, New Reno and Vegas TCP Congestion Control"
Luigi A. Grieco, Saverio Mascolo.
ACM CCR, Vol.34 No.2, April 2004.
This article aims at evaluating a comparison between three TCP congestion control algorithms. A really interesting reading.



Linux kernel documentation

Three lectures about Linux kernel debugging from "Linux Kernel Hacking Course" which took place in 2002 at University of "Tor Vergata" in Rome. This course was organized by Daniel P. Bovet and Marco Cesati, the authors of "Understanding the Linux kernel".
Kernel Debugging 1
Kernel Debugging 2
Kernel Debugging 3

Do you need to add or simply modify a system call for your own purposes? Well take a look at these short papers!
Changing a systemcall
Making a systemcall

Documentation about Linux kernel 2.4 API. Really useful if you want to code a device driver.

A very interesting document written by Rusty Russel about concurrency problems and locking mechanisms in Linux kernel 2.4. It focuses mainly on SMP architectures but it's really interesting to read it even if you hack only on UP architectures. Remember that Linux 2.5 is designed with a fully preemptible kernel and this means your UP architecture will be seen from now ago in a really similar manner compared to a SMP. Simply read it!

Tigran Aivazian drives us deep inside Linux kernel 2.4 internals.

An introduction to /proc filesystem. Even if I think it's almost incomplete it could be useful for understanding how this filesystem works within the kernel and how it's possible to use it for useful purposes. Here you can find another lecture about how to create a procfile

A guide to the implementation and modification of the Linux protocol stack written by Glenn Herrin. It refers to kernel 2.2.14 and it could be actually considered obsolete. I think it's still useful for understanding what could be considered one of the most difficult portion of code within the kernel.

An article written by Rik van Riel in 2001 and titled "Page replacement in Linux 2.4 memory management". This article describes changes in virtual memory management passing from kernel 2.2 to kernel 2.4. An interesting reading.

"Proceedings of the 2002 Ottawa Linux Symposium"
June 26th - 29th, Ottawa, Ontario (Canada).

Two really interesting articles about read-copy update locking which improves synchronization performances. Read-copy update is still used in Linux kernel 2.6.
"Read-Copy Update : Using Execution History to Solve Concurrency Problems"
Paul E. McKenney, John D. Slingwine.
"Read-Copy Update"
Paul E. McKenney, Jonathan Appavoo, Andi Kleen, Orran Krieger, Rusty Russell, Dipankar Sarma, Maneesh Soni.



Shellcode Contest - December 2002

A shellcode contest took place on December 2002. At the beginning, the main goal was to write the shortest shellcode. But, when we started having fun, we began developing some strange shellcodes too. Here you may find some shellcodes I developed during this period.

23 bytes shellcode written by ALoR and me. No one did better in the contest!

Shellcode which shows the possibility of using popa instruction just to avoid touching register eax.

Optimization of buffer-i386-cool.c.

Three rules to code cool shellcodes. Written just for fun using Awgn's Dante.

Alphanumeric shellcode written using Rix's Assembler Shellcode Compiler (presented on Phrack 57).

Alphanumeric shellcode completely written by hand. I spent a whole night for finding the right offsets and here you can see what I saw when I realized it was working!

Alphanumeric code completely written by hand which builds a shellcode and then executes it. A nice delirium!




"__atexit in memory bugs"
Pascal Bouchareine
A very short paper showing a way to execute arbitrary instructions using atexit().

"w00w00 on Heap Overflows"
Matt Conover & w00w00 Security Team
This article provides a better understanding of heap-based overflows along with several methods of exploitation, demonstrations, and some possible solutions/fixes.

A proof of concept local zlib-1.1.4 exploit
Angelo Dell'Aera

A proof of concept code for testing Linux kernel do_mremap() vulnerability
Angelo Dell'Aera

Few reports I received about this topic :

- Seth Arnold reported a subtle bug in the code. In fact, pid could be five digits long so it could leave no space for the NULL byte in the string path (still corrected);
- John Caruso reported it "hangs RedHat Advanced Server 2.1 with the 2.4.9-e.30smp errata kernel (although it does produce the correct output first)";
- Gabriele Marrone reported it hangs RedHat kernel 2.6.0-1.104.

It seems just like it's a RedHat kernel problem. I couldn't investigate the reasons why it happens. The code should be safe since it doesn't corrupt any kernel data. Nevertheless, if you're a RedHat user please mind it!




Tool Interface Standard (TIS) and Executable and Linking Format (ELF) Specification version 1.2
Really interesting reading if you are interested in understanding ELF format.



email :
GnuPG public key : buffer-gpg.asc
GnuPG fingerprint : 48CC B0D8 C394 CD30 355F E36D A4E3 48CF 19C1 5CA2

This site Copyright 2000-2006 Antifork Research, Inc.