20 years of pax
play

20 Years of PaX PaX Team SSTIC 2012.06.06 20 Years of PaX About - PowerPoint PPT Presentation

Mar 29, 2023 •390 likes •803 views

About Past Present Future 20 Years of PaX PaX Team SSTIC 2012.06.06 20 Years of PaX About Past Present Future About Introduction Design Concepts Past Userland Present Kernel Self-Protection Toolchain Support Future Userland

  1. About Past Present Future 20 Years of PaX PaX Team SSTIC 2012.06.06 20 Years of PaX

  2. About Past Present Future About Introduction Design Concepts Past Userland Present Kernel Self-Protection Toolchain Support Future Userland Kernel 20 Years of PaX

  3. About Past Present Future Introduction What is PaX? ◮ Host Intrusion Prevention System (HIPS) ◮ Focus: exploits for memory corruption bugs ◮ Bugs vs. exploits vs. exploit techniques ◮ Threat model: arbitrary read/write access to memory ◮ Local/remote and userland/kernel ◮ Linux 2.2.x-2.4.x-2.6.x-3.x (2000-2012) ◮ Developed by the PaX Team :) ◮ grsecurity by Brad Spengler (spender) 20 Years of PaX

  4. About Past Present Future Introduction PaX Features ◮ Runtime code generation control (non-executable pages) ◮ Address Space Layout Randomization (ASLR) ◮ Kernel self-protection ◮ Various infrastructure changes for supporting all the above 20 Years of PaX

  5. About Past Present Future Design Concepts Vulnerability Roadmap Where Things Can Go Wrong ◮ Idea/Design ◮ Education, talent, modeling, art vs. science ◮ Development ◮ Deployment/Configuration/Operation/Maintenance ◮ Procedures (manuals, standards, etc) ◮ Logging/monitoring/analysis 20 Years of PaX

  6. About Past Present Future Design Concepts How to Improve: Development ◮ Education ◮ Tools/Toolchain (analysis, runtime checks) ◮ Testing/Exploiting (fuzzing) ◮ Exploit-resistant runtime environment (PaX :) ◮ Instead of finding the exploitable bugs, make them non-exploitable 20 Years of PaX

  7. About Past Present Future Design Concepts Exploit Techniques ◮ Focus: exploits against memory corruption bugs ◮ Execute injected code (shellcode) ◮ Execute existing code out-of-(intended)-order (return-to-libc, ROP/JOP) ◮ Execute existing code in-(intended)-order (data-only attacks) 20 Years of PaX

  8. About Past Present Future About Introduction Design Concepts Past Userland Present Kernel Self-Protection Toolchain Support Future Userland Kernel 20 Years of PaX

  9. About Past Present Future Userland Overview ◮ Non-executable page support on i386 (PAGEEXEC/SEGMEXEC) ◮ Runtime code generation control (MPROTECT) ◮ Address Space Layout Randomization (ASLR, RANDEXEC) ◮ Compatibility (per-binary feature control, text relocations, trampoline emulation) 20 Years of PaX

  10. About Past Present Future Userland PAGEEXEC/SEGMEXEC/MPROTECT ◮ PAGEEXEC: paging based simulation of non-executable pages on i386 (in 2000, pre-NX days) ◮ SEGMEXEC: segmentation based simulation of non-executable pages on i386 (in 2002) ◮ MPROTECT: runtime code generation control (in 2000) ◮ NX-bit is in wide use nowadays (BSDs, iOS, Linux, Windows/DEP, etc) 20 Years of PaX

  11. About Past Present Future Userland ASLR ◮ Introduced in July 2001 as a stopgap measure (not how it turned out :) ◮ Idea: artificially inflated entropy in memory addresses (both code and data) ◮ Reduced exploit reliability ◮ In wide use nowadays (BSDs, iOS, Linux, Windows, etc) 20 Years of PaX

  12. About Past Present Future About Introduction Design Concepts Past Userland Present Kernel Self-Protection Toolchain Support Future Userland Kernel 20 Years of PaX

  13. About Past Present Future Kernel Self-Protection Overview ◮ Non-executable kernel pages (KERNEXEC) ◮ Read-only kernel data (KERNEXEC, CONSTIFY) ◮ Userland/kernel address space separation (UDEREF) ◮ Restricted userland-kernel copying (USERCOPY) ◮ Userland/kernel copying race reduction ◮ Instant free memory sanitization (SANITIZE) 20 Years of PaX

  14. About Past Present Future Kernel Self-Protection KERNEXEC ◮ Non-executable pages for the kernel’s address space ◮ Executable userland pages must not be executable from kernel mode ◮ i386: code segment excludes the entire userland address space ◮ amd64: compiler plugin or UDEREF ◮ Supervisory Mode Execution Protection ( CR4.SMEP ) since Ivy Bridge (in mainline linux already) ◮ Page table cleanup: read-write vs. read-execute regions (kmaps) ◮ Special cases: boot/BIOS, ACPI, EFI, PNP, v8086 mode memory, vsyscall (amd64) 20 Years of PaX

  15. About Past Present Future Kernel Self-Protection Constification ◮ Creates read-only data mappings ◮ Moves data into read-only mappings ( .rodata , .data..read_only ) ◮ Patches (descriptor tables, top level page tables, etc) ◮ Compiler plugin (ops structures) 20 Years of PaX

  16. About Past Present Future Kernel Self-Protection UDEREF ◮ Prevents unintended userland access by kernel code ◮ Disadvantage of the shared user/kernel address space ◮ i386: based on segmentation ◮ data segment excludes the entire userland address space ◮ amd64: based on paging ◮ remaps userland page tables as non-executable while in kernel mode ◮ needs per-cpu page global directory (PGD) 20 Years of PaX

  17. About Past Present Future Kernel Self-Protection USERCOPY ◮ Bounds checking for copying from kernel memory to userland (info leak) or vice versa (buffer overflow) ◮ spender’s idea: ksize can determine the object’s size from the object’s address ◮ Originally heap (slab) buffers only ◮ Limited stack buffer support (see Future section) ◮ Disables SLUB merging 20 Years of PaX

  18. About Past Present Future Kernel Self-Protection Userland/Kernel Copying Races ◮ Userland/kernel copying can (be made to) sleep ◮ During that sleep userland memory can change ◮ Time-Of-Check-To-Time-Of-Use race (TOCTTOU) ◮ Unbounded userland/kernel copying based exploits become controllable ◮ Basically prefaults the userland range ◮ Reduces but does not eliminate race window ◮ Detects controlled unbounded copies before the actual copy 20 Years of PaX

  19. About Past Present Future Kernel Self-Protection SANITIZE ◮ Reduces potential info leaks from kernel memory to userland ◮ Freed memory is cleared immediately ◮ Low-level page allocator, not slab layer ◮ Works on whole pages, not individual heap objects ◮ Kernel stacks on task death ◮ Anonymous userland mappings on munmap ◮ Anti-forensics vs. privacy 20 Years of PaX

  20. About Past Present Future Toolchain Support Overview ◮ gcc plugins (gcc 4.5-4.7) ◮ Kernel stack leak reduction (STACKLEAK) ◮ Function pointer structure constification (CONSTIFY) ◮ User/kernel address space separation for code only (KERNEXEC) ◮ Size parameter overflow detection&prevention (SIZE_OVERFLOW) 20 Years of PaX

  21. About Past Present Future Toolchain Support GCC plugins ◮ Loadable module system introduced in gcc 4.5 ◮ Loaded early right after command line parsing ◮ No well defined API, all public symbols available for plugin use ◮ Typical (intended :) use: new IPA/GIMPLE/RTL passes 20 Years of PaX

  22. About Past Present Future Toolchain Support STACKLEAK plugin ◮ First plugin :) ◮ Reduces kernel stack information leaks ◮ Before a kernel/userland transition the used kernel stack part is cleared ◮ Stack depth is recorded in functions having a big enough stack frame ◮ Sideeffect: finds all (potentially exploitable :) alloca calls ◮ Special paths for ptrace/auditing ◮ Problems: considerable overhead, races, leaks from a single syscall still possible 20 Years of PaX

  23. About Past Present Future Toolchain Support CONSTIFY plugin ◮ Automatic constification of ops structures (200+ in linux) ◮ Structures with function pointer members only ◮ Structures explicitly marked with a do_const attribute ◮ no_const attribute for special cases ◮ Local variables not allowed 20 Years of PaX

  24. About Past Present Future Toolchain Support KERNEXEC plugin ◮ Prevents executing userland code on amd64 ◮ i386 achieves this already via segmentation ◮ Sets most significant bit in all function pointers ◮ Userland addresses become non-canonical ones ◮ GIMPLE pass: C function pointers ◮ RTL pass: return values ◮ Special cases: assembly source, asm() ◮ Two methods: bts vs. or (reserves %r10 for bitmask) ◮ Compatibility vs. performance 20 Years of PaX

  25. About Past Present Future Toolchain Support SIZE_OVERFLOW plugin ◮ Detects integer overflows in expressions used as a size parameter: kmalloc(count * sizeof...) ◮ Written by Emese Révfy ◮ Proper implementation of spender’s old idea ◮ Initial set of functions/parameters marked by the size_overflow function attribute ◮ Walks use-def chains and duplicates statements using a double-wide integer type ◮ SImode/DImode vs. DImode/TImode ◮ Special cases: asm(), function return values, constants (intentional overflows), etc ◮ More in the blog Real Soon Now: http://forums.grsecurity.net/viewforum.php?f=7 20 Years of PaX

  26. About Past Present Future About Introduction Design Concepts Past Userland Present Kernel Self-Protection Toolchain Support Future Userland Kernel 20 Years of PaX

  27. About Past Present Future Userland Overview ◮ Control Flow Enforcement ◮ Size overflow detection & prevention ◮ Kernel-assisted use-after-free detection 20 Years of PaX

  28. About Past Present Future Userland Control Flow Enforcement ◮ Compiler plugin ◮ (No) binary-only code support ◮ Assembly source instrumentation ◮ Runtime code generation support (Just-In-Time compiler engines) 20 Years of PaX

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

D r o u g h 33.6 -45.5 33.6 -45.5 11 years 5.4 years 11 years 5.4 years years t

D r o u g h 33.6 -45.5 33.6 -45.5 11 years 5.4 years 11 years 5.4 years years t

D r o u g h 33.6 -45.5 33.6 -45.5 11 years 5.4 years 11 years 5.4 years years t years Figure 2. Precipitation anomalies during 11 years of the dust bowl (1930-1940) Station Set-up Montana Mesonet January 2018 4 36 ranchers

533 views • 36 slides
CLASS OF 2021 Four years of English Three years of social studies Three years of

CLASS OF 2021 Four years of English Three years of social studies Three years of

CLASS OF 2021 Four years of English Three years of social studies Three years of science Three years of mathematics Two years of a world language Four years of physical education Five credits of visual/performing arts

1.04k views • 72 slides
CLASS OF 2023 Four years of English Three years of social studies Three years of

CLASS OF 2023 Four years of English Three years of social studies Three years of

CLASS OF 2023 Four years of English Three years of social studies Three years of science Three years of mathematics Two years of a world language Four years of physical education Five credits of visual/performing arts

915 views • 67 slides
CLASS OF 2020 Four years of English Three years of social studies Three years of

CLASS OF 2020 Four years of English Three years of social studies Three years of

CLASS OF 2020 Four years of English Three years of social studies Three years of science Three years of mathematics Two years of a world language Four years of physical education Five credits of visual/performing arts

1.25k views • 88 slides
Who Cares About the Impact on Performance Memory Hierarchy? Suppose a processor executes at

Who Cares About the Impact on Performance Memory Hierarchy? Suppose a processor executes at

8/20/08 Technology Trends Computer System Architecture Capacity Speed (latency) Logic: 2x in 3 years 2x in 3 years DRAM: 4x in 3 years 2x in 10 years Memory Part I Disk: 4x in 3 years 2x in 10 years DRAM Chalermek

290 views • 5 slides
Nature Education Kickoff 2018 Years of Service Recognition Heidi Brown 10 years Lois Peterson 10

Nature Education Kickoff 2018 Years of Service Recognition Heidi Brown 10 years Lois Peterson 10

Nature Education Kickoff 2018 Years of Service Recognition Heidi Brown 10 years Lois Peterson 10 years Tom Taber 10 years Gary Keeth 15 years Betty Murray 15 years Bob Walker 15 years Jackie James 25 years Carol Matthews 25 years Program

396 views • 22 slides
Who Am I 10 years factory planing 4 years live sience 3 years research assistent 12

Who Am I 10 years factory planing 4 years live sience 3 years research assistent 12

Now You Got a Search Engine MICES 14. June 2017 Peter Rieger Who Am I 10 years factory planing 4 years live sience 3 years research assistent 12 years search Dropped 3 courses of study Freelancer for 12 years CEO for 8 years

487 views • 20 slides
2 Years of Real World FP at REA @KenScambler Scala Developer at Me 14 years 5 years 5 years

2 Years of Real World FP at REA @KenScambler Scala Developer at Me 14 years 5 years 5 years

2 Years of Real World FP at REA @KenScambler Scala Developer at Me 14 years 5 years 5 years when possible when bored when forced - 3 teams @ - 17 codebases - 43K LOC Jul 13 Jan 14 Jul 14 Jan 15 Why Functional Programming?

1.95k views • 160 slides
ALL ABOUT ME JULIE EDWARDS 25 years in Marketing/PR 8 years in NPO Management 4 years

ALL ABOUT ME JULIE EDWARDS 25 years in Marketing/PR 8 years in NPO Management 4 years

ALL ABOUT ME JULIE EDWARDS 25 years in Marketing/PR 8 years in NPO Management 4 years as Executive Director Mom to rescues Roxie & Charlie Vegetarian home chef Lover of naps, folk art and happy hours Show

132 views • 11 slides
Floral Design Committee Kickoff 2018 Years of Service Recognition Irene Kane - 10 years Joan

Floral Design Committee Kickoff 2018 Years of Service Recognition Irene Kane - 10 years Joan

Floral Design Committee Kickoff 2018 Years of Service Recognition Irene Kane - 10 years Joan Upton -10 years Michelle Bosschart -16 years Debbie Kundrat - 20 years Georgine Premo - 20 years Marian Vanden Bosch - 20 years Meeting Agenda 1)

112 views • 10 slides
Migrate Python from 2.X to 3.X WHO AM I? C++ & PYTHON DEVELOPER 6,5 years in 20,5 years in

Migrate Python from 2.X to 3.X WHO AM I? C++ & PYTHON DEVELOPER 6,5 years in 20,5 years in

Migrate Python from 2.X to 3.X WHO AM I? C++ & PYTHON DEVELOPER 6,5 years in 20,5 years in CAD&Numeric C++ simulations PHILIPPE BOULANGER 3 years in 19,5 years in embedded Python programming 11,5 years in finance

879 views • 51 slides
www.agilegurgaon.com Who am I? 1. 20+ years of experience , 18+ in IT and 2 years in

www.agilegurgaon.com Who am I? 1. 20+ years of experience , 18+ in IT and 2 years in

www.agilegurgaon.com Who am I? 1. 20+ years of experience , 18+ in IT and 2 years in manufacturing 2. 6 years of experience in Agile Transformation 3. Clients worked - HP Product Division, Symantec, SKF, Healthways and Philips 4. Currently

643 views • 21 slides
Art Committee Kickoff 2018 Years of Service Recognition Debra Symons - 10 years Pathamar Park -

Art Committee Kickoff 2018 Years of Service Recognition Debra Symons - 10 years Pathamar Park -

Art Committee Kickoff 2018 Years of Service Recognition Debra Symons - 10 years Pathamar Park - 11 years Elizabeth Holman - 15 years Marian Vanden Bosch - 20 years Lillian Balliet - 39 years Meeting Agenda 1) Jane Fernald & Judy Webster,

303 views • 12 slides
Hounslow Highways Hounslow Highways 25 years and beyond First 5 Years 25 years and beyond

Hounslow Highways Hounslow Highways 25 years and beyond First 5 Years 25 years and beyond

Hounslow Highways Hounslow Highways 25 years and beyond First 5 Years 25 years and beyond www.hounslowhighways.org Hounslow PFI Update July 2017 INTRODUCTION What is included in the PFI? Core Investment Period Progress

456 views • 22 slides
BUILDING ON LIBBITCOIN L I S B O N 2 0 1 8 Libbitcoin Developer (5 years) E R I C VO S K U

BUILDING ON LIBBITCOIN L I S B O N 2 0 1 8 Libbitcoin Developer (5 years) E R I C VO S K U

BUILDING ON LIBBITCOIN L I S B O N 2 0 1 8 Libbitcoin Developer (5 years) E R I C VO S K U I L Entrepreneur (20 years) eric@voskuil.org Investor/Advisor (12 years) https://github.com/evoskuil Microsoft Architect (3 years)

479 views • 17 slides
Years Down Years To Go A WALK A W A L K A R O U N D Q U E E N AROUND E L I Z

Years Down Years To Go A WALK A W A L K A R O U N D Q U E E N AROUND E L I Z

Years Down Years To Go A WALK A W A L K A R O U N D Q U E E N AROUND E L I Z A B E T H O L Y M P I C P A R K QUEEN ELIZABETH OLYMPIC PARK LEYTON Clapton Park Forest Gate Homerton Maryland HA HACK HA

424 views • 15 slides
Kprobes internals Thomas Bitzberger bitz@lse.epita.fr What are kprobes Kprobes enables you

Kprobes internals Thomas Bitzberger bitz@lse.epita.fr What are kprobes Kprobes enables you

Kprobes internals Thomas Bitzberger bitz@lse.epita.fr What are kprobes Kprobes enables you to dynamically break into any kernel routine and collect debugging and performance information non-disruptively. You can trap at almost any kernel

642 views • 36 slides
Binary Code Retrofitting and Hardening Using SGX Shuai Wang, Wenhao Wang, Qinkun Bao, Pei Wang,

Binary Code Retrofitting and Hardening Using SGX Shuai Wang, Wenhao Wang, Qinkun Bao, Pei Wang,

Binary Code Retrofitting and Hardening Using SGX Shuai Wang, Wenhao Wang, Qinkun Bao, Pei Wang, XiaoFeng Wang, and Dinghao Wu The Pennsylvania State University, Indiana University Bloomington, Institute of Information Engineering Motivation

822 views • 25 slides
and Compiler-Automated Instrumentation Adisak Pochanayon Principal Software Engineer

and Compiler-Automated Instrumentation Adisak Pochanayon Principal Software Engineer

Runtime CPU Spike Detection using Manual and Compiler-Automated Instrumentation Adisak Pochanayon Principal Software Engineer Netherrealm Studios adisak@wbgames.com Topics to Cover This talk is about runtime instrumentation-based

892 views • 67 slides
Classification with Partial Labels Weibin Meng , Ying Liu, Shenglin Zhang, Dan Pei Hui Dong, Lei

Classification with Partial Labels Weibin Meng , Ying Liu, Shenglin Zhang, Dan Pei Hui Dong, Lei

Device-Agnostic Log Anomaly Classification with Partial Labels Weibin Meng , Ying Liu, Shenglin Zhang, Dan Pei Hui Dong, Lei Song, Xulong Luo 2018/6/23 weibin 1 Motivation Architecture of Datacenter Networks Inter-DC Network Core Core

192 views • 15 slides
When 3 Memory Models Arent Enough October 23, 2019 Porting VMS to x86 using LLVM Began

When 3 Memory Models Arent Enough October 23, 2019 Porting VMS to x86 using LLVM Began

When 3 Memory Models Arent Enough October 23, 2019 Porting VMS to x86 using LLVM Began two years ago Host LLVM on OpenVMS Itanium Using older 3.4.2 due to Itanium C++ Convert our backends IR to LLVM IR Reuse existing

112 views • 8 slides
Static instrumentation based on executable file formats About Romain Thomas - Security

Static instrumentation based on executable file formats About Romain Thomas - Security

Romain Thomas - rthomas@quarkslab.com Static instrumentation based on executable file formats About Romain Thomas - Security engineer at Quarkslab Working on various topics: Android, (de)obfuscation, software protection and reverse

1.04k views • 77 slides
Lecture 04: Understanding System Calls System calls are functions that user programs use to

Lecture 04: Understanding System Calls System calls are functions that user programs use to

Lecture 04: Understanding System Calls System calls are functions that user programs use to interact with the OS and request some core service be executed on their behalf. Examples of system calls we've already seen this quarter: open ,

108 views • 8 slides
7. What Is Joint Action Shared Agency? butterfillS@ceu.hu butterfillS@ceu.hu Outline 1. The

7. What Is Joint Action Shared Agency? butterfillS@ceu.hu butterfillS@ceu.hu Outline 1. The

7. What Is Joint Action Shared Agency? butterfillS@ceu.hu butterfillS@ceu.hu Outline 1. The leading philosophical approach to shared agency 2. Limits of this approach 3. (Building blocks for) an alternative approach 4. Motor representation

1.15k views • 73 slides

More recommend