enforcing kernel security invariants with data flow
play

Enforcing Kernel Security Invariants with Data Flow Integrity - PowerPoint PPT Presentation

Oct 14, 2022 •240 likes •493 views

Enforcing Kernel Security Invariants with Data Flow Integrity Chengyu Song , ByoungyoungLee, Kangjie Lu, William Harris, Taesoo Kim, Wenke Lee Institute for Information Security & Privacy Georgia Tech Kernel Memory Corruption Vulnerability

  1. Enforcing Kernel Security Invariants with Data Flow Integrity Chengyu Song , ByoungyoungLee, Kangjie Lu, William Harris, Taesoo Kim, Wenke Lee Institute for Information Security & Privacy Georgia Tech

  2. Kernel Memory Corruption Vulnerability • Kernel is important • The de-facto trusted computing base (TCB) • Foundation of upper level security mechanisms (e.g., app sandbox) • Kernel vulnerabilities are not rare • Written in C • Emphasize on performance 2 / 24

  3. Privilege escalation attacks • One of the most powerful attacks • Most popular attack against kernel • Hard to prevent • Chrome sandbox bypass • iOS jailbreak • Android rooting 3 / 24

  4. Challenge 1: many ways to exploit 1 static int acl_permission_check Code Injection Attack ( struct inode *inode, int mask) 2 Disable the check 3 { unsigned int mode = inode->i_mode; 4 5 if (likely(uid_eq(current_fsuid(), inode->i_uid))) Control-flow hijacking 6 mode >>= 6; 7 Bypass the check else if (in_group_p(inode->i_gid)) 8 mode >>= 3; 9 10 Data-oriented attacks if ((mask & ~mode & 11 (MAY_READ | MAY_WRITE | MAY_EXEC)) == 0) 12 Manipulate the check return 0; 13 return -EACCES; 14 15 } 4 / 24

  5. Challenge 2: performance • Protecting all data is not practical • Secure Virtual Architecture (SVA) [SOSP’07] • Enforces kernel-wide memory safety • Performance overhead: 5.34x ~ 13.10x (LMBench) 5 / 24

  6. Our approach • Only protects a subset of data that is large enough to enforce access control invariants [NTIS AD-758 206] • Complete mediation • Control-data à Code Pointer Integrity [OSDI’14] • Tamper proof • Non-control-data used in security checks à this work • Correctness 6 / 24

  7. Step 1: discover all related data • Observation: OS kernels have well defined error code for security checks (when they fail) • POSIX: EPERM, EACCESS, etc. • Windows: ERROR_ACCESS_DENIED, etc. • Solution: leverage this implicit semantic to automatically infer security checks • Benefits • Soundness : capable of detecting all security related data (as long as there is no semantic errors) • Automated : no manual annotation required 7 / 24

  8. A simple example Step 1: collect return values 1 static int acl_permission_check ( struct inode *inode, int mask) 2 3 { unsigned int mode = inode->i_mode; 4 5 if (likely(uid_eq(current_fsuid(), inode->i_uid))) 6 mode >>= 6; 7 else if (in_group_p(inode->i_gid)) 8 mode >>= 3; 9 10 if ((mask & ~mode & 11 (MAY_READ | MAY_WRITE | MAY_EXEC)) == 0) 12 return 0; 13 return -EACCES; 14 15 } 8 / 24

  9. A simple example Step 2: collect conditional branches 1 static int acl_permission_check ( struct inode *inode, int mask) 2 3 { unsigned int mode = inode->i_mode; 4 5 if (likely(uid_eq(current_fsuid(), inode->i_uid))) 6 mode >>= 6; 7 else if (in_group_p(inode->i_gid)) 8 mode >>= 3; 9 10 if ((mask & ~mode & 11 (MAY_READ | MAY_WRITE | MAY_EXEC)) == 0) 12 return 0; 13 return -EACCES; 14 15 } 9 / 24

  10. A simple example Step 2: collect conditional branches Collect Dominators if (condition1 || condition2) return 0; else return -EACCESS; 10 / 24

  11. A simple example Step 2: collect conditional branches Avoid Explosion if (uid_eq) mode >> 6; else mode >> 3; if (condition) return -EINVAL; 11 / 24

  12. A simple example Step 3: collect dependencies 1 static int acl_permission_check ( struct inode *inode, int mask) 2 3 { unsigned int mode = inode->i_mode; 4 5 if (likely(uid_eq(current_fsuid(), inode->i_uid))) 6 mode >>= 6; 7 else if (in_group_p(inode->i_gid)) 8 mode >>= 3; 9 10 if ((mask & ~mode & 11 (MAY_READ | MAY_WRITE | MAY_EXEC)) == 0) 12 return 0; 13 return -EACCES; 14 15 } 12 / 24

  13. Be complete • Collects data- and control-dependencies transitively • Collects sensitive pointers recursively 13 / 24

  14. Step 2: protect the integrity of data • Data-flow integrity [OSDI’06] • Runtime data-flow should not deviate from static data-flow graph (similar to control-flow integrity) • For example, string should not flow to return address or uid • How • Check the last writer at every memory read • Challenge • Performance! (104%) 14 / 24

  15. How to reduce performance overhead • Observation 1: reads are more frequent than writes • Check write instead of read • Observation 2: most writes are not relevant Write Integrity • Use isolation instead of inlined checks Test • Observation 3: most relevant write are safe [S&P’08] • Use static analysis to verify 15 / 24

  16. Two-layered protection • Layer one: data-flow isolation • Prevents unrelated writes from tampering sensitive data • Mechanisms: segment (x86-32), WP flag (x86-64), access domain (ARM32), virtual address space , virtualization, TrustZone, etc. • Layer two: WIT • Prevents related but unrestricted writes from tampering sensitive data 16 / 24

  17. Additional building blocks • Shadow objects • Lacks fine-grained isolation mechanisms • Sensitive data is mixed with non-sensitive data • Safe stack • Certain critical data is no visible at language level, e.g., return address, register spills • Access pattern of stack is different • Safety is easier to verify 17 / 24

  18. Prototype • ARM64 Android • For its practical importance and long updating cycle • Enough entropy for stack randomization • Data-flow isolation • Heap: virtual address space based, uses ASID to reduce overhead • Stack: randomization based • Shadow objects • Modified the SLUB allocator 18 / 24

  19. Implementation • Kernel • Nexus 9 lollipop-release + LLVMLinux patches • Our modifications: 1900 LoC • Static Analysis • Framework: KINT [OSDI’12] • Point-to analysis: J. Chen’s field-sens [GitHub] • Context sensitive from KOP [CCS’09] • Safe stack: CPI [OSDI’14] • Our analysis + modifications: 4400 LoC • Instrumentation: 500 LoC 19 / 24

  20. How many sensitive data structures • Control data: 3699 fields (783 structs), 1490 global objects • Non-control data: 1731 fields ( 855 structs), 279 global objects • False positives: 491 fields (221 structs) / 61 fields (25 structs) 180 163 Fields 160 Structs 140 119 115 120 93 100 80 60 50 60 42 40 40 37 37 36 31 30 40 20 0 net fs drivers kernel security include other 20 / 24

  21. How secure is our approach • Inference • Sound à no false negatives • Catch: no semantic errors • Data-flow (point-to) analysis • Sound but not complete à over permissive • Improve the accuracy with context and field sensitivity • Against existing attacks • All prevented 21 / 24

  22. Performance impact • Write operations • 26645 (4.30%) allowed, 2 checked • Context switch • 1700 cycles • Benchmarks • LMBench (syscalls): 1.42x ~ 3.13x (0% for null syscall) • Android benchmarks: 7% ~ 15% 22 / 24

  23. Conclusion • Data-oriented attacks are very practical, especially in kernel • Leveraging implicit semantics to avoid annotation • Combining program analysis with system design is a great way to build principled and practical security solution 23 / 24

  24. Thank you! Q & A 24 / 24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Securing software by enforcing data-flow integrity Manuel Costa Joint work with: Miguel Castro,

Securing software by enforcing data-flow integrity Manuel Costa Joint work with: Miguel Castro,

Securing software by enforcing data-flow integrity Manuel Costa Joint work with: Miguel Castro, Tim Harris Microsoft Research Cambridge University of Cambridge Software is vulnerable use of unsafe languages is prevalent most

288 views • 25 slides
ENFORCING SECURE DATA SHARING IN WEB APP FRAMEWORKS Susheel S, Naren N and THROUGH INFORMATION

ENFORCING SECURE DATA SHARING IN WEB APP FRAMEWORKS Susheel S, Naren N and THROUGH INFORMATION

ENFORCING SECURE DATA SHARING IN WEB APP FRAMEWORKS Susheel S, Naren N and THROUGH INFORMATION FLOW Prof. R.K Shyamasundar CONTROL Todays Talk Background and Motivation. Possible attack in a system without IFC. Our solution using

381 views • 16 slides
Enforcing Un Unique Code Target Property for Control-Flow Integrity Ho Hong Hu Hu, Chenxiong

Enforcing Un Unique Code Target Property for Control-Flow Integrity Ho Hong Hu Hu, Chenxiong

Enforcing Un Unique Code Target Property for Control-Flow Integrity Ho Hong Hu Hu, Chenxiong Qian, Carter Yagmann, Simon Pak Ho Chung, William R. Harris , Taesoo Kim, Wenke Lee * 1 Control-flow attack Control-flow: the order of

692 views • 31 slides
Data Invariants, Abstraction and Refinement Liam OConnor University of Edinburgh LFCS (and

Data Invariants, Abstraction and Refinement Liam OConnor University of Edinburgh LFCS (and

Data Invariants and ADTs Validation Data Refinement Administrivia Software System Design and Implementation Data Invariants, Abstraction and Refinement Liam OConnor University of Edinburgh LFCS (and UNSW) Term 2 2020 1 Data Invariants

1.07k views • 68 slides
1 Theres a kernel security researcher named Dan Rosenberg whose done a lot of linux kernel

1 Theres a kernel security researcher named Dan Rosenberg whose done a lot of linux kernel

1 Theres a kernel security researcher named Dan Rosenberg whose done a lot of linux kernel vulnerability research Thats unavoidable, but the linux kernel developers dont do very much to make the situation any better. -- Basically, the

625 views • 36 slides
Regions and Permissions for Data Invariants Romain Bardou and Claude March e Septembre 2009

Regions and Permissions for Data Invariants Romain Bardou and Claude March e Septembre 2009

Regions and Permissions for Data Invariants Romain Bardou and Claude March e Septembre 2009 Regions and Permissions for Data Invariants 1 / 1 Motivation preservation of data invariants in pointer programs ownership system of Spec#

301 views • 29 slides
park ber Enforcing Verifiable Object Abstractions for Automated Compositional Security

park ber Enforcing Verifiable Object Abstractions for Automated Compositional Security

park ber Enforcing Verifiable Object Abstractions for Automated Compositional Security Analysis of a Hypervisor Amit Vasudevan (CyLab-CMU), Sagar Chaki (SEI-CMU), Petros Maniatis (Google Inc.), Limin Jia, Anupam Datta (ECE/CSD-CMU)

517 views • 24 slides
ConScript Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser

ConScript Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser

ConScript Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser Leo Meyerovich Benjamin Livshits UC Berkeley Microsoft Research Web Programmability Platform openid.net yelp.com adsense.com Google maps 2

727 views • 41 slides
1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

Control-Flow Analysis and Loop Detection Context Last time Data-flow Speeding up data-flow analysis Flow of data values from defs to uses Could alternatively be represented as a data dependence Today Control-flow analysis

516 views • 5 slides
Improving security using data flow assertions Alex Yip, Xi Wang, Nickolai Zeldovich , Frans

Improving security using data flow assertions Alex Yip, Xi Wang, Nickolai Zeldovich , Frans

Improving security using data flow assertions Alex Yip, Xi Wang, Nickolai Zeldovich , Frans Kaashoek MIT CSAIL Many security vulnerabilities caused by programming errors Attack vector Percentage SQL injection 20.4% Cross-site scripting

912 views • 57 slides
Computer Security environment, without compromising functionality or security? Three parts

Computer Security environment, without compromising functionality or security? Three parts

9/7/2013 Some topics Im working on Computing on encrypted data Information flow: Dynamic IFC in Haskell, web Sandboxing Untrusted JavaScript Third party web tracking and other web security stories Practical web security

572 views • 21 slides
Learning From Data Lecture 25 The Kernel Trick Learning with only inner products The Kernel M.

Learning From Data Lecture 25 The Kernel Trick Learning with only inner products The Kernel M.

Learning From Data Lecture 25 The Kernel Trick Learning with only inner products The Kernel M. Magdon-Ismail CSCI 4100/6100 recap: Large Margin is Better Controling Overfitting Non-Separable Data 0.08 random hyperplane 2 w t w + C N E

576 views • 18 slides
Verifying security invariants in ExpressOS Haohui Mai, Edgar Pek, Hui Xue, Samuel T. King, P .

Verifying security invariants in ExpressOS Haohui Mai, Edgar Pek, Hui Xue, Samuel T. King, P .

Verifying security invariants in ExpressOS Haohui Mai, Edgar Pek, Hui Xue, Samuel T. King, P . Madhusudan University of Illinois at Urbana-Champaign Mobiles devices are powerful Security of mobile devices is important High value

912 views • 89 slides
Linux Kernel Security Update LinuxCon Europe Berlin, 2016 James Morris

Linux Kernel Security Update LinuxCon Europe Berlin, 2016 James Morris

Linux Kernel Security Update LinuxCon Europe Berlin, 2016 James Morris james.l.morris@oracle.com Introduction Who am I? Kernel security subsystem maintainer Started kernel development w/ FreeS/WAN in 1999 which led to Netfilter,

798 views • 48 slides
Improving Kernel Security Kernel Summit 2015, Seoul Kees (Case) Cook keescook@chromium.org

Improving Kernel Security Kernel Summit 2015, Seoul Kees (Case) Cook keescook@chromium.org

Improving Kernel Security Kernel Summit 2015, Seoul Kees (Case) Cook keescook@chromium.org James Morris james.l.morris@oracle.com https://outflux.net/slides/2015/ks/security.pdf What I mean by Security More than access control

735 views • 27 slides
Information Flow Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security

Information Flow Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security

Information Flow Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security Information Flow 3 Many security requirements can be formulated as what information flow is allowed/disallowed E.g., confidential data should not

478 views • 27 slides
Industrial Management & Data Systems Customer relationship management: key components for IT

Industrial Management & Data Systems Customer relationship management: key components for IT

Industrial Management & Data Systems Customer relationship management: key components for IT success Ranjit Bose, Article information: To cite this document: Ranjit Bose, (2002) "Customer relationship management: key components for IT

302 views • 15 slides
MPAGS AS1 An introduction to scientific computing with

MPAGS AS1 An introduction to scientific computing with

MPAGS AS1 An introduction to scientific computing with http://stevenbamford.com/python_mpags_2018/ Steven Bamford Course prerequisites To make the most of this course, you should have: Some programming experience (in any language)

1.05k views • 48 slides
Scientific Programming in mpags-python.github.io Steven Bamford An introduction to scientific

Scientific Programming in mpags-python.github.io Steven Bamford An introduction to scientific

PHYS4038/MLiS and AS1/MPAGS Scientific Programming in mpags-python.github.io Steven Bamford An introduction to scientific programming with Session 2 : Introduction to Python, continued Python 2.x versus 3.x The 3.x branch was released in

540 views • 31 slides
Luoghi di Prevenzione: the holistic approach in training on strategies for bringing about change

Luoghi di Prevenzione: the holistic approach in training on strategies for bringing about change

Luoghi di Prevenzione: the holistic approach in training on strategies for bringing about change in high- risk lifestyles Paola Angelini Public Health Service of the Emilia-Romagna Region Sandra Bosi Luoghi di prevenzione Reggio Emilia

497 views • 14 slides
Back To The Future Going Back In Time To Abuse Androids JIT 1 $ whoami Benjamin

Back To The Future Going Back In Time To Abuse Androids JIT 1 $ whoami Benjamin

Back To The Future Going Back In Time To Abuse Androids JIT 1 $ whoami Benjamin Watson Director of Security Research @VerSprite Security Android @rotlogix 2 Agenda Inspiration and Overview Android 4.4.4 JIT

751 views • 72 slides
Getting started with Android Part 1 1/12/18 Presented by: Cassiano Monteiro Contents Android

Getting started with Android Part 1 1/12/18 Presented by: Cassiano Monteiro Contents Android

Getting started with Android Part 1 1/12/18 Presented by: Cassiano Monteiro Contents Android Studio Hello World API levels Project structure and files Dealing with UI components App lifecycle PAGE 2 Installing Android Studio

228 views • 18 slides
A Probabilistic Pointer Analysis A Probabilistic Pointer Analysis for Speculative Optimization

A Probabilistic Pointer Analysis A Probabilistic Pointer Analysis for Speculative Optimization

A Probabilistic Pointer Analysis A Probabilistic Pointer Analysis for Speculative Optimization for Speculative Optimization Jeff DaSilva Jeff DaSilva Greg Steffan Greg Steffan Electrical and Computer Engineering Electrical and Computer

890 views • 38 slides
Blackphone Jon Callas CTO and co-founder, Silent Circle The Device Blackphone 2 Android

Blackphone Jon Callas CTO and co-founder, Silent Circle The Device Blackphone 2 Android

Blackphone Jon Callas CTO and co-founder, Silent Circle The Device Blackphone 2 Android Lollipop (5.1.1) Qualcomm hardware Medium-to-high end hardware specs 64-bit, 8-core, 3GB RAM Spaces virtualization, based on SE

407 views • 25 slides

More recommend