derandomizing kernel address space layout for memory
play

Derandomizing Kernel Address Space Layout for Memory Introspection - PowerPoint PPT Presentation

Oct 21, 2023 •10 likes •680 views

Introduction State-of-the-Art Overview Design Evaluation Discussion Conclusion References Derandomizing Kernel Address Space Layout for Memory Introspection and Forensics Yufei Gu, and Zhiqiang Lin The University of Texas at Dallas March 9

  1. Introduction State-of-the-Art Overview Design Evaluation Discussion Conclusion References Derandomizing Kernel Address Space Layout for Memory Introspection and Forensics Yufei Gu, and Zhiqiang Lin The University of Texas at Dallas March 9 th , 2016

  2. Introduction State-of-the-Art Overview Design Evaluation Discussion Conclusion References What is ASLR [Tea00] 0xbfffd5d8 caller’s ebp 0xbfffd618 buf Shellcode 0xbfffd5d8

  3. Introduction State-of-the-Art Overview Design Evaluation Discussion Conclusion References What is ASLR [Tea00] 0xbfffd5d8 caller’s ebp 0xbfffd618 buf Shellcode ASLR ASLR 0xbfffd5d8

  4. Introduction State-of-the-Art Overview Design Evaluation Discussion Conclusion References What is ASLR [Tea00] 0xbfffd5d8 0xbfffd5d8 caller’s ebp caller’s ebp 0xbfffd618 0xbfffe428 buf buf Shellcode Shellcode ASLR ASLR 0xbfffd5d8 0xbfffe3f8

  5. Introduction State-of-the-Art Overview Design Evaluation Discussion Conclusion References What is ASLR [Tea00] 0xbfffd5d8 0xbfffd5d8 caller’s ebp caller’s ebp 0xbfffd618 0xbfffe428 buf buf Shellcode Shellcode ASLR ASLR 0xbfffd5d8 0xbfffe3f8 Oops… 0xbfffd5d8

  6. Introduction State-of-the-Art Overview Design Evaluation Discussion Conclusion References Why Kernel ASLR Kernel exploits Kernel buffer overflow Kernel ROP [Sha07, BRSS08] Kernel rootkits Tampering with the same virtual address

  7. Introduction State-of-the-Art Overview Design Evaluation Discussion Conclusion References Why Kernel ASLR Kernel exploits Kernel buffer overflow Kernel ROP [Sha07, BRSS08] Kernel rootkits Tampering with the same virtual address Modern OS kernels including Windows, Linux, and Mac OS all have adopted kernel ASLR

  8. Introduction State-of-the-Art Overview Design Evaluation Discussion Conclusion References Kernel ASLR 2007

  9. Introduction State-of-the-Art Overview Design Evaluation Discussion Conclusion References Kernel ASLR 2007 Windows Vista

  10. Introduction State-of-the-Art Overview Design Evaluation Discussion Conclusion References Kernel ASLR OS X Mountain Lion 10.8 2007 2012 Windows Vista

  11. Introduction State-of-the-Art Overview Design Evaluation Discussion Conclusion References Kernel ASLR OS X Mountain Lion 10.8 2014 2007 2012 Linux Kernel 3.14 Windows Vista

  12. Introduction State-of-the-Art Overview Design Evaluation Discussion Conclusion References Consequences of Kernel ASLR It significantly decreases the success rate of kernel memory exploits as well as some kernel rootkit attacks

  13. Introduction State-of-the-Art Overview Design Evaluation Discussion Conclusion References Consequences of Kernel ASLR It significantly decreases the success rate of kernel memory exploits as well as some kernel rootkit attacks It also hinders the applications of Kernel introspection [GR03] 1 Kernel memory forensics [Wal05] 2

  14. Introduction State-of-the-Art Overview Design Evaluation Discussion Conclusion References Introspection [GR03] and Memory Forensics [Wal05] Linux Win ‐ 7 Introspection Product ‐ VM Product ‐ VM Virtualization Layer Hardware Layer

  15. Introduction State-of-the-Art Overview Design Evaluation Discussion Conclusion References Introspection [GR03] and Memory Forensics [Wal05] Linux Win ‐ 7 Introspection Product ‐ VM Product ‐ VM Virtualization Layer Hardware Layer Introspection and forensic often need to know where kernel code and data is located

  16. Introduction State-of-the-Art Overview Design Evaluation Discussion Conclusion References Knowning the specific kernel address is important For an instrospection tool: To interpret a system call event, it requires to know the 1 address of the system call tables (e.g., [FLH13]) To intercept the kernel object allocation and deallocation, 2 it requires to know the addresses of the functions that manages the kernel heaps (e.g., [ZL15]) To traverse certain dynamically allocated kernel objects, it 3 needs to know their rooted global addresses (e.g., [FLB15])

  17. Introduction State-of-the-Art Overview Design Evaluation Discussion Conclusion References Knowning the specific kernel address is important For an instrospection tool: To interpret a system call event, it requires to know the 1 address of the system call tables (e.g., [FLH13]) To intercept the kernel object allocation and deallocation, 2 it requires to know the addresses of the functions that manages the kernel heaps (e.g., [ZL15]) To traverse certain dynamically allocated kernel objects, it 3 needs to know their rooted global addresses (e.g., [FLB15]) For virtual machine introspection and forensics to be effective, we must derandomize kernel ASLR

  18. Introduction State-of-the-Art Overview Design Evaluation Discussion Conclusion References Derandomizing ASLR at User Space

  19. Introduction State-of-the-Art Overview Design Evaluation Discussion Conclusion References Derandomizing ASLR at User Space Brute-force linear search [SPP + 04], which only requires 1 2 16 probes to derandomize the address space of a vulnerable program for a 32-bit ASLR implementation.

  20. Introduction State-of-the-Art Overview Design Evaluation Discussion Conclusion References Derandomizing ASLR at User Space Brute-force linear search [SPP + 04], which only requires 1 2 16 probes to derandomize the address space of a vulnerable program for a 32-bit ASLR implementation. Information leakage [RMPB09] by exploiting information 2 about the base address of libc , also code fragments available at fixed locations to discover the address of libc functions.

  21. Introduction State-of-the-Art Overview Design Evaluation Discussion Conclusion References Derandomizing ASLR at User Space Brute-force linear search [SPP + 04], which only requires 1 2 16 probes to derandomize the address space of a vulnerable program for a 32-bit ASLR implementation. Information leakage [RMPB09] by exploiting information 2 about the base address of libc , also code fragments available at fixed locations to discover the address of libc functions. JIT-ROP [SMD + 13] attack, which leverages multiple 3 memory disclosures to bypass the ASLR

  22. Introduction State-of-the-Art Overview Design Evaluation Discussion Conclusion References Derandomizing ASLR at User Space Brute-force linear search [SPP + 04], which only requires 1 2 16 probes to derandomize the address space of a vulnerable program for a 32-bit ASLR implementation. Information leakage [RMPB09] by exploiting information 2 about the base address of libc , also code fragments available at fixed locations to discover the address of libc functions. JIT-ROP [SMD + 13] attack, which leverages multiple 3 memory disclosures to bypass the ASLR These offensive approaches only have the remote access of the target machine

  23. Introduction State-of-the-Art Overview Design Evaluation Discussion Conclusion References VMI and Forensics Have Local Access Linux Win ‐ 7 Introspection Product ‐ VM Product ‐ VM Virtualization Layer Hardware Layer

  24. Introduction State-of-the-Art Overview Design Evaluation Discussion Conclusion References VMI and Forensics Have Local Access Linux Win ‐ 7 VMI and forensics applications have the Introspection physical access of the target machine Product ‐ VM Product ‐ VM CPU registers Physical memory Virtualization Layer Too many options (e.g., too many signatures ) Hardware Layer for derandomization

  25. Introduction State-of-the-Art Overview Design Evaluation Discussion Conclusion References Derandomization Kernel ASLR by Volatility [Wal05] Kernel Version Signature (Byte Sequence) Size (Bytes) VistaSP0x86 00 00 00 00 00 00 00 00 4b 44 42 47 28 03 14 VistaSP1x86 00 00 00 00 00 00 00 00 4b 44 42 47 30 03 14 VistaSP2x86 00 00 00 00 00 00 00 00 4b 44 42 47 30 03 14 VistaSP0x64 00 f8 ff ff 4b 44 42 47 28 03 10 VistaSP1x64 00 f8 ff ff 4b 44 42 47 30 03 10 VistaSP2x64 00 f8 ff ff 4b 44 42 47 30 03 10 Win7SP1x64 00 f8 ff ff 4b 44 42 47 40 03 10 Win7SP1x86 00 00 00 00 00 00 00 00 4b 44 42 47 40 03 14 Win7SP0x86 00 00 00 00 00 00 00 00 4b 44 42 47 40 03 14 Win7SP0x64 00 f8 ff ff 4b 44 42 47 40 03 10 Win2008SP1x86 00 00 00 00 00 00 00 00 4b 44 42 47 30 03 14 Win2008SP2x86 00 00 00 00 00 00 00 00 4b 44 42 47 30 03 14 Win2008SP1x64 00 f8 ff ff 4b 44 42 47 30 03 10 Win2008SP2x64 00 f8 ff ff 4b 44 42 47 30 03 10 Win2008R2SP0x64 00 f8 ff ff 4b 44 42 47 40 03 10 Win2008R2SP1x64 00 f8 ff ff 4b 44 42 47 40 03 10 Win8SP0x86 00 00 00 00 00 00 00 00 4b 44 42 47 60 03 14 Win8SP1x86 00 00 00 00 00 00 00 00 4b 44 42 47 60 03 14 Win8SP0x64 03 f8 ff ff 4b 44 42 47 60 03 10 Win8SP1x64 03 f8 ff ff 4b 44 42 47 60 03 10 Win2012x64 03 f8 ff ff 4b 44 42 47 60 03 10 Win2012R2x64 03 f8 ff ff 4b 44 42 47 60 03 10 Table: KDBG Signatures used by Volatility to Derandomize the Kernel.

  26. Introduction State-of-the-Art Overview Design Evaluation Discussion Conclusion References Problem Statement, Scope, Threat Model Problem Statement Investigate the optimal solutions for derandomizing the kernel address space for introspection and forensics Robust 1 Efficient 2

  27. Introduction State-of-the-Art Overview Design Evaluation Discussion Conclusion References Problem Statement, Scope, Threat Model Problem Statement Investigate the optimal solutions for derandomizing the kernel address space for introspection and forensics Robust 1 Efficient 2 Scope We focus on Linux kernel

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Br Breaking Kern rnel Ad Address ss Space La Layout Randomization (KASLR LR) wi with th

Br Breaking Kern rnel Ad Address ss Space La Layout Randomization (KASLR LR) wi with th

Br Breaking Kern rnel Ad Address ss Space La Layout Randomization (KASLR LR) wi with th Intel TSX Yeongjin Jang , Sangho Lee, and Taesoo Kim Georgia Institute of Technology Kernel Address Space Layout Randomization (KASLR) A

1.2k views • 102 slides
Kernel Address Space Layout Randomization http://outflux.net/slides/2013/lss/kaslr.pdf gholzer

Kernel Address Space Layout Randomization http://outflux.net/slides/2013/lss/kaslr.pdf gholzer

Kernel Address Space Layout Randomization http://outflux.net/slides/2013/lss/kaslr.pdf gholzer Linux Security Summit, New Orleans 2013 Kees Cook <keescook@google.com> (pronounced Case) Overview Classic Attack Structure

431 views • 15 slides
Address Space Randomization A n E f f e c t i v e I m p l e m e n t a t i o n Michael Cloppert

Address Space Randomization A n E f f e c t i v e I m p l e m e n t a t i o n Michael Cloppert

Address Space Randomization A n E f f e c t i v e I m p l e m e n t a t i o n Michael Cloppert May, 2006 Address Space Randomization Theory Randomize location of memory objects Libraries Heap User, kernel-space stack Foils attacks like

560 views • 15 slides
virtual memory 2 1 xv6 memory layout 0x80000000 (KERNBASE) page tables store this mapping (one

virtual memory 2 1 xv6 memory layout 0x80000000 (KERNBASE) page tables store this mapping (one

virtual memory 2 1 xv6 memory layout 0x80000000 (KERNBASE) page tables store this mapping (one kernel, one user) for user memory two virtual address same in every process = PA VA 0x8000000 + kernel-only memory 2 Virtual 4 Gig Device

1.7k views • 122 slides
UMBC M A L F T U M B C I O M Y O T R 1 (April 10, 2000 12:36 pm) I E S R C

UMBC M A L F T U M B C I O M Y O T R 1 (April 10, 2000 12:36 pm) I E S R C

Systems Programming 8086/88 Memory Interface II CMPE 310 Memory Address Decoding The processor can usually address a memory space that is much larger than the memory space covered by an individual memory chip. In order to splice a memory device

713 views • 21 slides
Buffer overflows (a security interlude) Address space layout the stack discipline + C's lack of

Buffer overflows (a security interlude) Address space layout the stack discipline + C's lack of

Buffer overflows (a security interlude) Address space layout the stack discipline + C's lack of bounds-checking HUGE PROBLEM x86-64 Linux Memory Layout ... ... 0x00007fffffffffff Stack not drawn to scale Caller Frame Extra Arguments

325 views • 16 slides
P Starting at address 0, going to address MAX prog 0 But where do addresses come from? MOV

P Starting at address 0, going to address MAX prog 0 But where do addresses come from? MOV

Memory Management Basics 1 Basic Memory Management Concepts Address spaces MAX sys Physical address space The address space supported by the hardware Starting at address 0, going to address MAX sys MAX prog Logical/virtual address space

448 views • 22 slides
Dynamic Memory Management 333 Dynamic Memory Management Process Memory Layout Process Memory

Dynamic Memory Management 333 Dynamic Memory Management Process Memory Layout Process Memory

Dynamic Memory Management Dynamic Memory Management 333 Dynamic Memory Management Process Memory Layout Process Memory Layout (1) Each Linux process runs within its own virtual address space tables and the MMU (if available) security due to

1.25k views • 68 slides
Virtual Memory Separate the concept of: address space (name) from physical memory address

Virtual Memory Separate the concept of: address space (name) from physical memory address

Virtual Memory Separate the concept of: address space (name) from physical memory address (location) Most common example today: wireless (cell) phones Phone number is your id or name Location varies as you move Maintain a Map between name

208 views • 20 slides
Memory Systems Design & Programming CMPE 310 Memory Address Decoding The processor can

Memory Systems Design & Programming CMPE 310 Memory Address Decoding The processor can

Memory Systems Design & Programming CMPE 310 Memory Address Decoding The processor can usually address a memory space that is much larger than the memory space covered by an individual memory chip. In order to splice a memory device into

363 views • 21 slides
Buffer overflows (a security interlude) IA32 Linux Memory Layout ...

Buffer overflows (a security interlude) IA32 Linux Memory Layout ...

11/20/15 Buffer overflows (a security interlude) IA32 Linux Memory Layout ... FF ... How address space layout, the stack discipline, and C's lack of Stack

726 views • 4 slides
1 Processes and the Kernel The Kernel Processes and the Kernel The Kernel Today, all

1 Processes and the Kernel The Kernel Processes and the Kernel The Kernel Today, all

Memory Protection Memory Protection Paging Virtual memory provides protection by: Each process (user or OS) has different virtual memory space. Machines and Virtualization Machines and Virtualization The OS maintain the page tables

83 views • 5 slides
Operating Systems Virtual Memory Lecture 11 Michael OBoyle 1 Paged virtual memory Allows a

Operating Systems Virtual Memory Lecture 11 Michael OBoyle 1 Paged virtual memory Allows a

Operating Systems Virtual Memory Lecture 11 Michael OBoyle 1 Paged virtual memory Allows a larger logical address space than physical memory All pages of address space do not need to be in memory the full (used) address space on disk

919 views • 29 slides
Process Layout and Function Calls CS 161 Spring 2017 1 / 8 Process Layout in Memory

Process Layout and Function Calls CS 161 Spring 2017 1 / 8 Process Layout in Memory

Process Layout and Function Calls CS 161 Spring 2017 1 / 8 Process Layout in Memory 0xc0000000 Stack Stack high address grows towards decreasing addresses. dynamic is initialized at run-time . growth Heap grow

440 views • 30 slides
Virtual Memory Logical address space can therefore be much larger than physical address

Virtual Memory Logical address space can therefore be much larger than physical address

CSC 4103 - Operating Systems Background Spring 2007 Virtual memory separation of user logical memory from physical memory. Only part of the program needs to be in memory for Lecture - XIII execution. Virtual Memory Logical

309 views • 7 slides
Memory Management Address binding Linking, loading Logical vs. physical address

Memory Management Address binding Linking, loading Logical vs. physical address

CPSC 410 / 611 : Operating Systems Memory Management Address binding Linking, loading Logical vs. physical address space Memory partitioning Paging Segmentation Reading: Silberschatz, Chapter 8 Memory

469 views • 12 slides
A Layered Approach to Insider Threat Detection and Proactive Forensics Phillip G. Bradford, Ning

A Layered Approach to Insider Threat Detection and Proactive Forensics Phillip G. Bradford, Ning

A Layered Approach to Insider Threat Detection and Proactive Forensics Phillip G. Bradford, Ning Hu University of Alabama Tuscaloosa, AL 35487 ACSAC Dec. 5-9, 2005 Insider threats Definition Menaces to computer security as a result of

131 views • 11 slides
Counseling By: Sarah Blackburn, M.A., LMHCA & Ismael Concepcion Poo, MA., LMHCA Introductions

Counseling By: Sarah Blackburn, M.A., LMHCA & Ismael Concepcion Poo, MA., LMHCA Introductions

Forensic Mental Health Counseling By: Sarah Blackburn, M.A., LMHCA & Ismael Concepcion Poo, MA., LMHCA Introductions Sarah Blackburn, M.A., Ismael Concepcion Poo, M.A., LMHCA LMHCA Title: CMHC2 Title: CMHUS Correctional Mental Health

406 views • 36 slides
Beyond files forensic OWADE cloud based forensic Elie Bursztein Stanford University Ivan

Beyond files forensic OWADE cloud based forensic Elie Bursztein Stanford University Ivan

Beyond files forensic OWADE cloud based forensic Elie Bursztein Stanford University Ivan Fontarensky Cassidian Matthieu Martin Stanford University Jean Michel Picod Cassidian Wednesday, August 3, 2011 The world is moving to the cloud E.

1.84k views • 171 slides
Brendan Saltaformaggio, ZhongshuGu, Xiangyu Zhang, and Dongyan Xu Presented By Sharani Sankaran

Brendan Saltaformaggio, ZhongshuGu, Xiangyu Zhang, and Dongyan Xu Presented By Sharani Sankaran

Brendan Saltaformaggio, ZhongshuGu, Xiangyu Zhang, and Dongyan Xu Presented By Sharani Sankaran ! Digital investigation based on analysis of non-volatile storage . ! Loss of live evidence stored in system RAM ! Information stored in RAM:

502 views • 23 slides
START FROM THE BEGINNING Incorporating Narrative AND TELL ME EVERYTHING YOU Practice in

START FROM THE BEGINNING Incorporating Narrative AND TELL ME EVERYTHING YOU Practice in

3/28/18 START FROM THE BEGINNING Incorporating Narrative AND TELL ME EVERYTHING YOU Practice in Child Forensic REMEMBER Interviews WHERE ARE WE HEADED TODAY? Understanding Narrative Practice: What, Why, & How Practice

437 views • 12 slides
Feminist Forensics: How Germaine Greer drove digital preservation at University of Melbourne

Feminist Forensics: How Germaine Greer drove digital preservation at University of Melbourne

Feminist Forensics: How Germaine Greer drove digital preservation at University of Melbourne Archives Lachlan Glanville Digital Archivist, University of Melbourne Archives @transmissionary Greers media 591 items of removable media 7

114 views • 9 slides
Detecting Facial Manipulation Deepfakes Evan Kravitz, Huazhe Xu April 21, 2020 1 2

Detecting Facial Manipulation Deepfakes Evan Kravitz, Huazhe Xu April 21, 2020 1 2

Detecting Facial Manipulation Deepfakes Evan Kravitz, Huazhe Xu April 21, 2020 1 2 https://www.instagram.com/p/ByaVigGFP2U/ 3 https://www.instagram.com/p/ByaVigGFP2U/ What is a deepfake? Synthetic image/video of a person that looks

1.23k views • 34 slides
ICSS2015: International Cyber Security Strategy Congress: Cyber Security and Forensic Readiness* *

ICSS2015: International Cyber Security Strategy Congress: Cyber Security and Forensic Readiness* *

ICSS2015: International Cyber Security Strategy Congress: Cyber Security and Forensic Readiness* * Preliminary programme, subject to revision/update status 16 December 2014 4 February 2015 Day 1: Cyber Security Readiness Registration KU

306 views • 4 slides

More recommend