Improving Application Software Security in Linux, Sebastian Neubauer


  1. Improving Application Software Security in Linux
     Sebastian Neubauer, Technische Universität München, Computer Science Department
     July 19, 2017

  3. Improve Security
     ◮ C/C++ applications contain bugs
     ◮ Existing security mechanisms
     ◮ Still many ways for exploitation on Linux
     ◮ Close them!
     ◮ Problem: Performance loss
     ◮ We need to be fast!

  4. Contributions
     ◮ mmap randomization: Add random gaps between mmap allocations
     ◮ Canaries: Clear after use and random values
     ◮ Stack pinning: Check the address of the stack pointer

  5. Exploit: Stack pivoting

  6. Exploit: Stack pivoting
     [Figure: stack frame with return addr, ..., buf (buffer overflow); Stack pointer; Heap with other buf at a known address]

  8. Exploit: Stack pivoting
     [Figure: stack frame with return addr, ..., buf (buffer overflow); Stack pointer; Heap with ROP chain at a known address]

  10. Stack pinning: Idea
      ◮ Check if the stack pointer points to the stack region
      ◮ Almost every exploit arrives at a syscall
      ◮ Check the stack pointer in every system call
      ◮ Save stack bounds in the kernel task_struct (for each process/thread)

  11. Stack pinning: Pitfalls
      ◮ Forks, new threads
      ◮ Alternate signal stack
      ◮ Main stack can grow

  13. Stack pinning: Pitfalls
      Wine and Go
      ◮ Stack pivoting as a Feature
      ⇒ Only opt-in possible
      ◮ Save the current memory area as stack area
        prctl(PR_PIN_STACK, ...)

  14. Performance

  15. Performance: Stack pinning (Seconds, Less Is Better)
      patched-active: 18.47 (SE +/- 0.27)
      patched-inactive: 18.72 (SE +/- 0.17)
      unpatched: 18.65 (SE +/- 0.12)
      ◮ Microbenchmark: (1 ± 2) % difference

  16. Performance: Stack pinning (Requests Per Second, More Is Better)
      patched-active: 27845.61 (SE +/- 22.57)
      patched-inactive: 26944.31 (SE +/- 437.44)
      unpatched: 25087.44 (SE +/- 344.93)
      ◮ Microbenchmark: (1 ± 2) % difference
      ◮ ApacheBench: (11 ± 2) % more requests per second

  17. Demo

  18. Problem: mmap is deterministic

  19. Problem: Deterministic mmap
      [Figure: allocated pages, ..., allocated pages, free space]

  20. Problem: Deterministic mmap
      [Figure: allocated pages, ..., allocated pages, new (new allocation), free space]

  22. Idea: Random mmap
      [Figure: allocated pages, ..., allocated pages, free space]

  23. Idea: Random mmap
      [Figure: allocated pages, ..., allocated pages, free space, new (new allocation)]

  24. Problem: Canaries are static

  25. Problem: Static canaries
      [Figure: global ssp; the frames of foo and main each hold buf and the same canary value, 0x178a96b 9db46f00]

  26. Idea: Random canaries
      [Figure: global ssp; Safe stack with ret and local ssp; Unsafe stack with ssp and buf]

  27. Idea: Random canaries
      [Figure: global ssp; the frames of foo and main each hold ret, a local ssp and buf; canary in foo is 0x178a96b 9db46f00, canary in main is 0x163ce511 85630100]

  29. Summary
      ◮ 3 fast additions, which make exploiting harder
      ◮ Goal: Make attacking harder with low overhead
      ◮ Propose the patches to mainline

  30. Performance: mmap (Seconds, Less Is Better)
      Default: 8.59 (SE +/- 0.02)
      mmap-patch: 8.84 (SE +/- 0.02)
      ◮ Microbenchmark: (2.8 ± 0.5) % slower

  31. Performance: mmap (Seconds, Less Is Better)
      Default: 125.51 (SE +/- 1.14)
      mmap-patch: 124.20 (SE +/- 2.37)
      ◮ Microbenchmark: (2.8 ± 0.5) % slower
      ◮ Linux compilation: (1 ± 3) % faster
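
The stack pinning check from the slides above (stack pointer tested against saved bounds on every system call, with the opt-in, alternate signal stack, stack growth and fork/thread pitfalls), written as a user-space C model. This is an added example, not code from the presentation or the kernel patch; `task_model`, `pin_stack`, `clone_task`, `syscall_sp_ok`, the `grow_floor` field and all addresses are assumptions made for illustration, as is the way each pitfall is resolved.

```c
/* User-space model of the stack pinning decision; not kernel code. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

struct range { uintptr_t lo, hi; };   /* lo <= address <= hi */

/* Hypothetical stand-in for the bounds the slides keep in task_struct. */
struct task_model {
    bool pinned;            /* set only by opt-in, as with prctl(PR_PIN_STACK, ...) */
    struct range stack;     /* area pinned as the stack */
    uintptr_t grow_floor;   /* assumption: lowest address a growing main stack
                               may reach; 0 = this stack cannot grow */
    bool has_alt;           /* an alternate signal stack is registered */
    struct range alt;
};

static bool inside(struct range r, uintptr_t p) { return p >= r.lo && p <= r.hi; }

/* Opt-in: remember the current stack area as the only legitimate one. */
void pin_stack(struct task_model *t, struct range stack, uintptr_t grow_floor) {
    t->pinned = true;
    t->stack = stack;
    t->grow_floor = grow_floor;
}

/* Assumption: fork keeps the pin (same addresses in the copy); a new thread
 * runs on a different stack, so it starts unpinned and must opt in itself. */
struct task_model clone_task(const struct task_model *parent, bool new_thread) {
    struct task_model child = *parent;
    if (new_thread) { child.pinned = false; child.has_alt = false; }
    return child;
}

/* The check made on every system call: true = allow, false = reject. */
bool syscall_sp_ok(const struct task_model *t, uintptr_t sp) {
    if (!t->pinned) return true;                       /* Wine, Go: never opted in */
    if (inside(t->stack, sp)) return true;             /* normal case */
    if (t->grow_floor && sp >= t->grow_floor && sp < t->stack.lo)
        return true;                                   /* main stack has grown downwards */
    if (t->has_alt && inside(t->alt, sp)) return true; /* handler on the signal stack */
    return false;                                      /* pivoted, e.g. into a heap buffer */
}

int main(void) {
    struct task_model t = {0};   /* constructed addresses, for illustration only */
    pin_stack(&t, (struct range){0x7ffc0000u, 0x7ffe0000u}, 0x7f7e0000u);
    printf("sp on stack: %d\n", syscall_sp_ok(&t, 0x7ffd1000u));
    printf("sp in heap:  %d\n", syscall_sp_ok(&t, 0x00602000u));
    return 0;
}
```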
