Improving Application Software Security in Linux
Sebastian Neubauer
Technische Universität München
Computer Science Department
July 19, 2017
◮ C/C++ applications contain bugs
◮ Existing security mechanisms
◮ Still many ways for exploitation
◮ Close them!
◮ Problem: Performance loss
◮ We need to be fast!
Contributions
◮ mmap randomization: Add random gaps between mmap allocations
◮ Canaries: Clear after use and random values
◮ Stack pinning: Check the address of the stack pointer
Stack pivoting
[Figure, shown in three steps: the Stack holds buf, frame pointer, return addr, ...; the Heap, at a known address, holds buf, replaced in the last step by a ROP chain; label: buffer overflow.]
Stack pinning
◮ Check if the stack pointer points to the stack region
◮ Almost every exploit arrives at a syscall
◮ Check the stack pointer in every system call
◮ Save stack bounds in the kernel task_struct (for each process/thread)
Stack pinning
◮ Forks, new threads
◮ Alternate signal stack
◮ Main stack can grow
Stack pinning Wine and Go
◮ Stack pivoting as a feature
⇒ Only opt-in possible
◮ Save the current memory area as stack area
prctl(PR_PIN_STACK, ...)
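A user-space model of the check described on the stack pinning slides, as an added example rather than code from the presentation or its kernel patch. The struct, the function names and the way stack growth and the alternate signal stack are handled are assumptions: a task opts in by saving the memory area that contains its current stack pointer, and each later check fails when the stack pointer lies outside it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* One mapped memory area [start, end), like a line of /proc/<pid>/maps. */
struct area { uintptr_t start, end; };

/* Hypothetical per-task pin state (the slides keep the bounds in task_struct). */
struct pin_state {
    bool active;        /* opt-in: stays false for Wine/Go-style programs */
    struct area stack;  /* area that contained sp when the task pinned */
    bool has_alt;       /* alternate signal stack registered? */
    struct area alt;
};

static bool inside(struct area a, uintptr_t p) { return p >= a.start && p < a.end; }

/* Opt-in step: save the area the stack pointer currently lives in.
 * Returns false (and stays inactive) if sp is in no known area. */
bool pin_stack(struct pin_state *t, const struct area *maps, size_t n, uintptr_t sp)
{
    for (size_t i = 0; i < n; i++) {
        if (inside(maps[i], sp)) {
            t->stack = maps[i];
            t->active = true;
            return true;
        }
    }
    return false;
}

/* The main stack can grow downwards: widen the saved lower bound (assumed handling). */
void pin_stack_grew(struct pin_state *t, uintptr_t new_start)
{
    if (t->active && new_start < t->stack.start)
        t->stack.start = new_start;
}

/* Model of the syscall-entry test: true means the call may proceed. */
bool pin_check(const struct pin_state *t, uintptr_t sp)
{
    if (!t->active)
        return true;  /* never opted in: no enforcement */
    /* A signal handler may legitimately run on the alternate stack. */
    return inside(t->stack, sp) || (t->has_alt && inside(t->alt, sp));
}
```

Forks and new threads map onto this model as one `pin_state` per task, each pinned to its own stack area.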
Stack pinning
Seconds, Less Is Better
patched-active: 18.47 (SE +/- 0.27)
patched-inactive: 18.72 (SE +/- 0.17)
unpatched: 18.65 (SE +/- 0.12)
Requests Per Second, More Is Better
patched-active: 27845.61 (SE +/- 22.57)
patched-inactive: 26944.31 (SE +/- 437.44)
unpatched: 25087.44 (SE +/- 344.93)
◮ Microbenchmark: (1 ± 2) % difference
◮ ApacheBench: (11 ± 2) % more requests per second
Deterministic mmap
[Figure, shown in steps: address space with allocated pages and free space; after a new allocation the labels are "new allocation" and "new free space".]
Random mmap
[Figure, shown in steps: address space with allocated pages and free space; label after a new allocation: "new allocation".]
Static canaries
[Figure: stack frames of foo and main, each showing buf and the same canary value 0x178a96b 9db46f00; label: global ssp.]
Random canaries
[Figure: Safe stack and Unsafe stack; labels: local ssp, ret, global ssp, buf, ssp.]
[Figure: stack frames of foo and main, each with its own local ssp and ret; buf with canary value 0x178a96b 9db46f00 in one frame and 0x163ce511 85630100 in the other; label: global ssp.]
◮ 3 fast additions, which make exploiting harder
◮ Goal: Make attacking harder with low
◮ Propose the patches to mainline
mmap
Seconds, Less Is Better
Default: 8.59 (SE +/- 0.02)
mmap-patch: 8.84 (SE +/- 0.02)
Seconds, Less Is Better
Default: 125.51 (SE +/- 1.14)
mmap-patch: 124.20 (SE +/- 2.37)
◮ Microbenchmark: (2.8 ± 0.5) % slower
◮ Linux compilation: (1 ± 3) % faster