code integrity protection mechanisms
play

Code Integrity Protection Mechanisms Ralf Hund Thorsten - PowerPoint PPT Presentation

Sep 29, 2022 •263 likes •497 views

University of Mannheim, Germany Laboratory for Dependable Distributed Systems Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms Ralf Hund Thorsten Holz Felix C. Freiling University of Mannheim

  1. University of Mannheim, Germany Laboratory for Dependable Distributed Systems Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms Ralf Hund Thorsten Holz Felix C. Freiling University of Mannheim USENIX Security Symposium ’09 August 14, 2009 Page 1

  2. University of Mannheim, Germany Laboratory for Dependable Distributed Systems Motivation (1) • Operating systems separate system into user land and kernel land • Kernel and driver components run with elevated privileges • Compromising of such a component:  • How to protect these critical components? – Possible solution: use virtualization technologies to detect malicious activities in additional layer of privilege  Problem : how to detect malicious programs? • Alternative: try to prevent malicious programs from being executed • Focus on latter approach USENIX Security Symposium ’09 August 14, 2009 Page 2

  3. University of Mannheim, Germany Laboratory for Dependable Distributed Systems Motivation (2) • Traditional approach followed by NICKLE and SecVisor • Lifetime kernel code integrity – No overwriting of existing code – No injection of new code • Attacker model – May own everything in user land (admin/root privileges) – Vulnerabilities in kernel components are allowed • Common assumption: an attacker must always execute own code • Can attacker carry out arbitrary computations nevertheless? – Is it possible to create a real rootkit by code-reuse? – Show how to bypass code integrity protections USENIX Security Symposium ’09 August 14, 2009 Page 3

  4. University of Mannheim, Germany Laboratory for Dependable Distributed Systems Return-Oriented Programming • Introduced recently by Shacham et al. [CCS07, CCS08, EVT09] • Extension of infamous return- to-libc attack • Controlling the stack is sufficient to perform arbitrary control-flow modifications • Idea : find enough useful instruction sequences to allow for arbitrary computations USENIX Security Symposium ’09 August 14, 2009 Page 4

  5. University of Mannheim, Germany Laboratory for Dependable Distributed Systems Overview  Motivation  Automating Return-Oriented Programming  Evaluation  Rootkit Example  Conclusion USENIX Security Symposium ’09 August 14, 2009 Page 5

  6. University of Mannheim, Germany Laboratory for Dependable Distributed Systems Framework • Problems attackers face: – Varying environments : different codebase (driver & OS versions, etc.) – Complex task : how to implement return-oriented tasks in an abstract manner? • Facilitate development of complex return-oriented code • Three core components: 1. Constructor 2. Compiler 3. Loader • Currently supports 32bit Windows operating systems running IA-32 USENIX Security Symposium ’09 August 14, 2009 Page 6

  7. University of Mannheim, Germany Laboratory for Dependable Distributed Systems Framework Overview USENIX Security Symposium ’09 August 14, 2009 Page 7

  8. University of Mannheim, Germany Laboratory for Dependable Distributed Systems Useful Instruction Sequences • Definition : instruction sequence that ends with <instruction 1> a return … • How many instructions preceding a return <instruction n> should be considered? Ret  Must take side-effects into account  Simplifying assumption: only consider one preceding instruction • Which registers may be altered? Example :  Only eax , ecx , and edx mov eax, [ecx] • Not turned out to be problematic (see add eax, edx ret evaluation) USENIX Security Symposium ’09 August 14, 2009 Page 8

  9. University of Mannheim, Germany Laboratory for Dependable Distributed Systems Gadgets and eax, edx ret 'And' gadget: pop ecx pop ecx | R: ntoskrnl.exe:D88B ret | L: <RightSource>-124 pop eax mov edx, [ecx+0x7c] | R: ntoskrnl.exe:C7B4C ret pop eax | R: ntoskrnl.exe:B0AE mov edx, [ecx+0x7c] | L: <LeftSource> ret mov eax, [eax] | R: ntoskrnl.exe:B13E and eax, edx | R: win32k.sys:ADAE6 mov eax, [eax] pop ecx | R: ntoskrnl.exe:D88B ret | L: <Destination> mov [ecx], eax | R: ntoskrnl.exe:45E4 mov [ecx], eax ret USENIX Security Symposium ’09 August 14, 2009 Page 9

  10. University of Mannheim, Germany Laboratory for Dependable Distributed Systems Automated Gadget Construction • CPU is register-based  Start from working registers • Constructs lists of gadgets being bound to working registers pop eax Load constant into register mov eax, [ecx] Load memory variable mov [edx], eax Store memory variable add eax, ecx Perform addition add eax, [edx+1337h] • Gradually construct further lists by combining previous gadgets USENIX Security Symposium ’09 August 14, 2009 Page 10

  11. University of Mannheim, Germany Laboratory for Dependable Distributed Systems Compiler • Entirely self-crafted programming language – Syntax similar to C – All standard logical, arithmetic, and bitwise operations – Conditions/looping with arbitrary nesting and subroutines – Support for integers , char arrays, and structures (variable containers) – Support for calling external , non return-oriented code • Produces position-independent stack allocation of the program • Program is contained in linear address region USENIX Security Symposium ’09 August 14, 2009 Page 11

  12. University of Mannheim, Germany Laboratory for Dependable Distributed Systems Loader • Retrieves base addresses of the kernel and all loaded kernel modules ( EnumDeviceDrivers ) • ASLR useless • Resolves relative to absolute addresses • Implemented as library USENIX Security Symposium ’09 August 14, 2009 Page 12

  13. University of Mannheim, Germany Laboratory for Dependable Distributed Systems Overview  Motivation  Automating Return-Oriented Programming  Evaluation  Rootkit Example  Conclusion USENIX Security Symposium ’09 August 14, 2009 Page 13

  14. University of Mannheim, Germany Laboratory for Dependable Distributed Systems Useful Instructions / Gadget Construction • Tested Constructor on 10 different machines running different Windows versions (2003 Server, XP, and Vista) • Full codebase and kernel + Win32 subsystem only (res.) • Codebase always sufficient to construct all necessary gadgets Machine configuration # ret instr. # ret instr. (res) Native / XP SP2 118,154 22,398 Native / XP SP3 95,809 22,076 VMware / XP SP3 58,933 22,076 VMware / 2003 Server SP2 61,080 23,181 Native / Vista SP1 181,138 30,922 Bootcamp / Vista SP1 177,778 30,922 Code sizes Native VMware Restricted Vista SP1 26.33 MB 8.59 MB 4.58 MB USENIX Security Symposium ’09 August 14, 2009 Page 14

  15. University of Mannheim, Germany Laboratory for Dependable Distributed Systems Runtime Overhead • Implementation of two identical quicksort programs • Return-oriented vs. C (no optimizations) • Sort 500,000 random integers • Average slowdown by factor of ~135 USENIX Security Symposium ’09 August 14, 2009 Page 15

  16. University of Mannheim, Germany Laboratory for Dependable Distributed Systems Overview  Motivation  Automating Return-Oriented Programming  Evaluation  Rootkit Example  Conclusion USENIX Security Symposium ’09 August 14, 2009 Page 16

  17. University of Mannheim, Germany Laboratory for Dependable Distributed Systems Rootkit Implementation (1) • Experimental Setup – Windows XP / Server 2003 – Custom vulnerable kernel driver ( buffer overflow ) – Exploit vulnerability from userspace program • Intricacies – Interrupt: Windows borrows current kernel stack  Backup code region – Interrupt Request Levels (IRQLs): must not access pageable memory in kernel mode  Lock from userspace & allocate non-pageable kernel memory USENIX Security Symposium ’09 August 14, 2009 Page 17

  18. University of Mannheim, Germany Laboratory for Dependable Distributed Systems Rootkit Implementation (2) • Traverses process list and removes specific process • 6KB in size int ProcessName; int ListStartOffset = &CurrentProcess->process_list.Flink - CurrentProcess; int ListStart = &CurrentProcess->process_list.Flink; int ListCurrent = *ListStart; while (ListCurrent != ListStart) { struct EPROCESS *NextProcess = ListCurrent - ListStartOffset; if (RtlCompareMemory(NextProcess->ImageName, "Ghost.exe", 9) == 9) { break ; } ListCurrent = *ListCurrent; } struct EPROCESS *GhostProcess = ListCurrent - ListStartOffset; GhostProcess->process_list.Blink->Flink = GhostProcess->process_list.Flink; GhostProcess->process_list.Flink->Blink = GhostProcess->process_list.Blink; GhostProcess->process_list.Flink = ListCurrent; GhostProcess->process_list.Blink = ListCurrent; USENIX Security Symposium ’09 August 14, 2009 Page 18

  19. University of Mannheim, Germany Laboratory for Dependable Distributed Systems USENIX Security Symposium ’09 August 14, 2009 Page 19

  20. University of Mannheim, Germany Laboratory for Dependable Distributed Systems Conclusion / Future Work • Return-oriented attacks against the kernel are possible • Automated gadget construction • Problem is malicious computation , not malicious code • Code integrity itself is not enough • Only non-persistent rootkit – Extension already implemented • Countermeasures against the attack • Other operating systems to substantiate the claim of portability USENIX Security Symposium ’09 August 14, 2009 Page 20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Data integrity protection Data integrity protection with cryptsetup tools with cryptsetup tools

Data integrity protection Data integrity protection with cryptsetup tools with cryptsetup tools

Centre for Research on Cryptography and Security research.redhat.com crocs.fi.muni.cz Data integrity protection Data integrity protection with cryptsetup tools with cryptsetup tools What is the Linux dm-integrity module and What is the

883 views • 25 slides
Survey on Security Threats and Protection Mechanisms in Embedded Automotive Networks Ivan

Survey on Security Threats and Protection Mechanisms in Embedded Automotive Networks Ivan

The Automotive Network Threats Protection mechanisms Conclusion Survey on Security Threats and Protection Mechanisms in Embedded Automotive Networks Ivan Studnia Vincent Nicomette Eric Alata Yves Deswarte Mohamed Ka aniche Renault

752 views • 40 slides
Verena: End-to-End Integrity Protection for Web Applications IEEE Security &amp; Privacy 2016

Verena: End-to-End Integrity Protection for Web Applications IEEE Security &amp; Privacy 2016

Verena: End-to-End Integrity Protection for Web Applications IEEE Security &amp; Privacy 2016 Nikos Karapanos, Alexandros Filios, Raluca Ada Popa, Srdjan Capkun Information Integrity is Critical for Decision Making EKG, EKG, heart rate,

534 views • 15 slides
Audit Mechanisms for Privacy Protection in Healthcare Environments Anupam Datta Joint work with

Audit Mechanisms for Privacy Protection in Healthcare Environments Anupam Datta Joint work with

Audit Mechanisms for Privacy Protection in Healthcare Environments Anupam Datta Joint work with Jeremiah Blocki, Nicolas Christin and Arunesh Sinha Carnegie Mellon University Position } Audit mechanisms are essential for privacy protection

337 views • 7 slides
2016 Gail Williams Research Integrity at UQ Research Integrity at UQ Australian Code for the

2016 Gail Williams Research Integrity at UQ Research Integrity at UQ Australian Code for the

SoM Induction 2016 Gail Williams Research Integrity at UQ Research Integrity at UQ Australian Code for the Responsible Conduct of Research (NHMRC et al., 2007) http://www.nhmrc.gov.au/_files_nhmrc/file/ publications/synopses/r39.pdf

312 views • 16 slides
KILOBAR KILOBAR KILOBAR INTEGRITY KILOBAR KILOBAR KILOBAR KILOBAR INTEGRITY KILOBAR

KILOBAR KILOBAR KILOBAR INTEGRITY KILOBAR KILOBAR KILOBAR KILOBAR INTEGRITY KILOBAR

KILOBAR KILOBAR KILOBAR INTEGRITY KILOBAR KILOBAR KILOBAR KILOBAR INTEGRITY KILOBAR INTEGRITY INTEGRITY INTEGRITY INTEGRITY INTEGRITY INTEGRITY Blockchain &amp; Security Ruth Crowell, Chief Executive Asia Pacific Precious Metals

460 views • 10 slides
KNOW THE CODE OF STUDENT ACADEMIC INTEGRITY Presented By: Amy Kelso, Office of Legal Affairs

KNOW THE CODE OF STUDENT ACADEMIC INTEGRITY Presented By: Amy Kelso, Office of Legal Affairs

KNOW THE CODE OF STUDENT ACADEMIC INTEGRITY Presented By: Amy Kelso, Office of Legal Affairs Bruce Long, Chair of the Academic Integrity Board Laura Bizzell, Student Conduct &amp; Academic Integrity Kaela Lindquist, Student Conduct &amp;

552 views • 22 slides
Rights Protection Mechanisms (RPMs) A Discussion of the Clearinghouse, Uniform Rapid

Rights Protection Mechanisms (RPMs) A Discussion of the Clearinghouse, Uniform Rapid

Rights Protection Mechanisms (RPMs) A Discussion of the Clearinghouse, Uniform Rapid Suspension and Post Delegation Dispute Resolution Procedure October2009 DevelopmentofRightsProtec4onMechanisms

450 views • 19 slides
Mechanisms in Procedures Mechanisms in Procedures CS 105 Tour of the Black Holes of

Mechanisms in Procedures Mechanisms in Procedures CS 105 Tour of the Black Holes of

Mechanisms in Procedures Mechanisms in Procedures CS 105 Tour of the Black Holes of Computing P() { Passing control To beginning of procedure code y

399 views • 13 slides
Financial Mechanisms in Support of Biodiversity Conservation and Protection in the Caribbean: An

Financial Mechanisms in Support of Biodiversity Conservation and Protection in the Caribbean: An

Financial Mechanisms in Support of Biodiversity Conservation and Protection in the Caribbean: An Overview Presented by Dr. Mark D. Griffith at the The Caribbean Workshop on Sustainable Finance and Resource Mobilization for Biodiversity,

539 views • 19 slides
Security Overview Different aspects of security User authentication Protection mechanisms

Security Overview Different aspects of security User authentication Protection mechanisms

CS399 New Beginnings Jonathan Walpole Security Overview Different aspects of security User authentication Protection mechanisms Attacks: - trojan horses, spoofing, logic bombs, trap doors, buffer overflow attacks, viruses, worms, mobile

825 views • 59 slides
Making Linux Protection Mechanisms Egalitarian with UserFS Taesoo Kim and Nickolai Zeldovich

Making Linux Protection Mechanisms Egalitarian with UserFS Taesoo Kim and Nickolai Zeldovich

Making Linux Protection Mechanisms Egalitarian with UserFS Taesoo Kim and Nickolai Zeldovich MIT CSAIL Overview: How to build secure applications? Simple in principle : - reduce privileges of application components - enforce policy at

600 views • 58 slides
Mac OS X : System Integrity Protection Nicolas RUFF - nruff(at)google(dot)com Proprietary

Mac OS X : System Integrity Protection Nicolas RUFF - nruff(at)google(dot)com Proprietary

Mac OS X : System Integrity Protection Nicolas RUFF - nruff(at)google(dot)com Proprietary Proprietary Introduction Proprietary Proprietary What is SIP? SIP: &quot;System Integrity Protection&quot;, a.k.a. &quot;rootless&quot;. SIP restricts

370 views • 15 slides
Protection Issues I/O protection Protection and System Calls Prevent users from

Protection Issues I/O protection Protection and System Calls Prevent users from

Protection Issues I/O protection Protection and System Calls Prevent users from performing illegal I/Os Memory protection Otto J. Anshus Prevent users from modifying kernel code and data (including slides from Kai Li,

350 views • 6 slides
The Squared Circle: Fitting Trademark Law Principles into ICANNs Rights Protection Mechanisms

The Squared Circle: Fitting Trademark Law Principles into ICANNs Rights Protection Mechanisms

The Squared Circle: Fitting Trademark Law Principles into ICANNs Rights Protection Mechanisms G REG S HATAN M OSES &amp; S INGER LLP A PRIL 24, 2019 2 It has become apparent to all that a considerable amount of tension has unwittingly been

243 views • 22 slides
Student Code of Conduct- Academic Integrity Slides for Faculty Members &amp; Instructors to cover

Student Code of Conduct- Academic Integrity Slides for Faculty Members &amp; Instructors to cover

Student Code of Conduct- Academic Integrity Slides for Faculty Members &amp; Instructors to cover with their students Where to find the Code 1. Student Life Page 2. Policies &amp; Procedures Library Course Syllabus Statement A breach of

88 views • 7 slides
Math 5490 9/29/2014 Glacial Cycles Math 5490 September 29, 2014 The Big Picture Topics in

Math 5490 9/29/2014 Glacial Cycles Math 5490 September 29, 2014 The Big Picture Topics in

Math 5490 9/29/2014 Glacial Cycles Math 5490 September 29, 2014 The Big Picture Topics in Applied Mathematics: Introduction to the Mathematics of Climate Mondays and Wednesdays 2:30 3:45

370 views • 9 slides
The Nature of Probability The Nature of Probability y

The Nature of Probability The Nature of Probability y

Elementary Statistics Elementary Statistics A Step by Step Approach Dr. Saeed Alghamdi Sixth Edition Room 542 by by Allan G. Allan G. Bluman Bluman Statistics Department http://www.mhhe.com/math/stat/blumanbrief

525 views • 8 slides
RF Developments Erk Jensen for BE-RF The global context From European Strategy update: From P5

RF Developments Erk Jensen for BE-RF The global context From European Strategy update: From P5

RF Developments Erk Jensen for BE-RF The global context From European Strategy update: From P5 report: d) T o stay at the forefront of particle physics, Europe needs to be in a position to propose an ambitious post-LHC accelerator project

735 views • 36 slides
Commission Br Commission Briefing on iefing on Equa Equal l Employmen Employment t Opportu

Commission Br Commission Briefing on iefing on Equa Equal l Employmen Employment t Opportu

Commission Br Commission Briefing on iefing on Equa Equal l Employmen Employment t Opportu Opportunity, nity, Diversity Diversity and and Small Business Small Business December 18, 2014 Advancing the Field James C. Corbett Acting

621 views • 41 slides
eKimono: Detecting Rootkits inside Virtual Machines DeepSec 2009, 19th-20th/11/2009 Nguyen Anh

eKimono: Detecting Rootkits inside Virtual Machines DeepSec 2009, 19th-20th/11/2009 Nguyen Anh

eKimono: Detecting Rootkits inside Virtual Machines DeepSec 2009, 19th-20th/11/2009 Nguyen Anh Quynh, Kuniyasu Suzaki, Ruo Ando The National institute of Advanced Industrial Science &amp; Technology (AIST), Japan 1 Who am I? NGUYEN Anh

639 views • 59 slides
Machine Virtualization: Efficient Hypervisors, Stealthy Malware Muli Ben-Yehuda Technion &amp;

Machine Virtualization: Efficient Hypervisors, Stealthy Malware Muli Ben-Yehuda Technion &amp;

Machine Virtualization: Efficient Hypervisors, Stealthy Malware Muli Ben-Yehuda Technion &amp; Hypervisor Technologies and Consulting Ltd Muli Ben-Yehuda (Technion &amp; Hypervisor) Efficient Hypervisors, Stealthy Malware Cyberday, 2013 1 /

553 views • 21 slides
When E.T. comes into Windows Mobile 6 a.k.a. PoC(k)ET Cedric Halbronn Sogeti / ESEC R&amp;D

When E.T. comes into Windows Mobile 6 a.k.a. PoC(k)ET Cedric Halbronn Sogeti / ESEC R&amp;D

When E.T. comes into Windows Mobile 6 a.k.a. PoC(k)ET Cedric Halbronn Sogeti / ESEC R&amp;D cedric(at)security-labs.org Hack.lu 2009 Context / Objectives Technical aspects of WM6 Implementation Demo Conclusion Context / Objectives 1

859 views • 59 slides
Guest-Transparent Instruction Authentication Dannie M. Stanley for Self-Patching Kernels Purdue

Guest-Transparent Instruction Authentication Dannie M. Stanley for Self-Patching Kernels Purdue

Guest-Transparent Instruction Authentication Dannie M. Stanley for Self-Patching Kernels Purdue University / CERIAS 09/20/12 Dannie Stanley Rick Porter Shane Snyder Zhui Deng Systems &amp; Security Research CERDEC Applied Communication

434 views • 39 slides

More recommend