kernel address space layout randomization
play

Kernel Address Space Layout Randomization - PowerPoint PPT Presentation

Aug 14, 2022 •271 likes •431 views

Kernel Address Space Layout Randomization http://outflux.net/slides/2013/lss/kaslr.pdf gholzer Linux Security Summit, New Orleans 2013 Kees Cook <keescook@google.com> (pronounced Case) Overview Classic Attack Structure

  1. Kernel Address Space Layout Randomization http://outflux.net/slides/2013/lss/kaslr.pdf gholzer Linux Security Summit, New Orleans 2013 Kees Cook <keescook@google.com> (pronounced “Case”)

  2. Overview ● Classic Attack Structure ● Address Space Layout Randomization ● Benefits ● Down-sides ● Useful Scenarios ● Implementation Details ● Demonstration ● Info Leaks Kernel ASLR 2/15 Linux Security Summit 2013 May 21, 2013

  3. Classic Attack Structure ● Find arbitrary write bug – Endless stream of CVEs ● Insert malicious code into address space – Local userspace address? SMEP? Remote packet reception? ● Redirect execution flow – Return from function, close a socket, send a packet, whatever ● Run malicious code – commit_creds(prepare_creds()) ● Clean up – Reset locks, fix overwritten structures, etc Kernel ASLR 3/15 Linux Security Summit 2013 May 21, 2013

  4. Address Space Layout Randomization ● Disrupts finding where to write and execute ● Well established in userspace – Stack – Mmap (large heap, shared objects, “PIC”) – Brk (heap) – Text (“PIE”) ● Kernel ASLR has to start somewhere – Now: Text – Next: modules, kmalloc, vmalloc Kernel ASLR 4/15 Linux Security Summit 2013 May 21, 2013

  5. Benefits ● IDT masked and read-only ● Statistical defense against attack – Target addresses are no longer fixed ● What happens when an attacker “misses”? – Userspace: daemon restarts... ● Are you checking for repeated segfaults? – Kernel: entire system goes down ● Are you checking for machine uptime? Kernel ASLR 5/15 Linux Security Summit 2013 May 21, 2013

  6. Down-sides ● Hibernation ● Entropy – Source of randomness – Size of address space (2GiB in 2MiB chunks: max 1024) ● Secrecy – /proc/kallsyms (kptr_restrict) – dmesg (dmesg_restrict) – Log files (chmod) – Kernel objects exposed as API handles (e.g. INET_DIAG) Kernel ASLR 6/15 Linux Security Summit 2013 May 21, 2013

  7. Useful Scenarios ● Local isolation – seccomp-bpf – namespaces ● Remote services – Many fewer leaks Kernel ASLR 7/15 Linux Security Summit 2013 May 21, 2013

  8. Implementation Details ● git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git – Branch “kaslr-c-v6” – Rolled out in Chrome OS ● Boot steps: – Figure out lowest safe address location – Walk E820 regions, counting kernel-sized slots – Choose slot randomly using best available method ● RDRAND, RDTSC, or timer IO ports – Decompress, handle relocation, and start kernel ● Relocation support for 64-bit ● Expanded virtual memory layout of kernel image to 1GiB ● Panic message includes offset to aid debugging Kernel ASLR Linux Security Summit 2013

  9. Initial Boot Memory Layout After boot loader... Before decompression... 0x0 BIOS and things 0x0 BIOS and things 0x100000 Decompression code 0x100000 Decompression code ... Compressed kernel ... Stack, Heap ... Command line ... Command line ... Initrd ... Initrd ... ...empty... ... ...empty... 0x1000000 Target ... ... Compressed kernel + image size ...empty... Kernel ASLR Linux Security Summit 2013

  10. E820 Memory Regions BIOS-e820: [mem 0x0000000000000000-0x0000000000000fff] type 16 BIOS-e820: [mem 0x0000000000001000-0x000000000009ffff] usable BIOS-e820: [mem 0x00000000000a0000-0x00000000000fffff] reserved BIOS-e820: [mem 0x0000000000100000-0x0000000000efffff] usable BIOS-e820: [mem 0x0000000000f00000-0x0000000000ffffff] reserved BIOS-e820: [mem 0x0000000001000000-0x000000001fffffff] usable BIOS-e820: [mem 0x0000000020000000-0x00000000201fffff] reserved BIOS-e820: [mem 0x0000000020200000-0x000000003fffffff] usable BIOS-e820: [mem 0x0000000040000000-0x00000000401fffff] reserved BIOS-e820: [mem 0x0000000040200000-0x00000000acebffff] usable BIOS-e820: [mem 0x00000000acec0000-0x00000000acffffff] type 16 BIOS-e820: [mem 0x00000000ad000000-0x00000000af9fffff] reserved BIOS-e820: [mem 0x00000000f0000000-0x00000000f3ffffff] reserved BIOS-e820: [mem 0x0000000100000000-0x000000014f5fffff] usable Kernel ASLR Linux Security Summit 2013

  11. Stock Virtual Memory Layout 0x0 - 0xffff800000000000 Userspace ... Fun things 0xffff888000000000 - 0xffffc90000000000 kmalloc 0xffffc90000000000 - 0xffffea0000000000 vmalloc ... Other fun things 0xffffffff80000000 - 0xffffffffa0000000 512 MiB Text (-2 GiB) 0xffffffffa0000000 - 0xffffffffff000000 1532 MiB modules 0xffffffffff000000 - 0xffffffffffffffff 4 MiB Fixed-location stuff Kernel ASLR Linux Security Summit 2013

  12. kASLR Virtual Memory Layout 0x0 - 0xffff800000000000 Userspace ... Fun things 0xffff888000000000 - 0xffffc90000000000 kmalloc 0xffffc90000000000 - 0xffffea0000000000 vmalloc ... Other fun things 0xffffffff80000000 - 0xffffffffc0000000 1024 MiB Text (-2 GiB) 0xffffffffc0000000 - 0xffffffffff000000 1020 MiB modules 0xffffffffff000000 - 0xffffffffffffffff 4 MiB Fixed-location stuff Kernel ASLR Linux Security Summit 2013

  13. Demonstration ● x86_64 .config contents – # CONFIG_HIBERNATION is not set – CONFIG_RELOCATABLE=y – CONFIG_RANDOMIZE_BASE=y – CONFIG_RANDOMIZE_BASE_MAX_OFFSET=0x40000000 – CONFIG_PHYSICAL_ALIGN=0x200000 ● Compare contents of – /proc/kallsyms – /sys/kernel/debug/kernel_page_tables (CONFIG_X86_PTDUMP) Kernel ASLR Linux Security Summit 2013

  14. Info Leaks ● Kernel addresses more valuable to attackers – Always use %pK ● Contents of dmesg needs to be protected ● Cannot use addresses as handles any more Kernel ASLR Linux Security Summit 2013

  15. Questions? http://outflux.net/slides/2013/lss/kaslr.pdf keescook@{chromium.org,google.com} kees@outflux.net Kernel ASLR Linux Security Summit 2013

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Br Breaking Kern rnel Ad Address ss Space La Layout Randomization (KASLR LR) wi with th

Br Breaking Kern rnel Ad Address ss Space La Layout Randomization (KASLR LR) wi with th

Br Breaking Kern rnel Ad Address ss Space La Layout Randomization (KASLR LR) wi with th Intel TSX Yeongjin Jang , Sangho Lee, and Taesoo Kim Georgia Institute of Technology Kernel Address Space Layout Randomization (KASLR) A

1.2k views • 102 slides
Address Space Randomization A n E f f e c t i v e I m p l e m e n t a t i o n Michael Cloppert

Address Space Randomization A n E f f e c t i v e I m p l e m e n t a t i o n Michael Cloppert

Address Space Randomization A n E f f e c t i v e I m p l e m e n t a t i o n Michael Cloppert May, 2006 Address Space Randomization Theory Randomize location of memory objects Libraries Heap User, kernel-space stack Foils attacks like

560 views • 15 slides
Derandomizing Kernel Address Space Layout for Memory Introspection and Forensics Yufei Gu, and

Derandomizing Kernel Address Space Layout for Memory Introspection and Forensics Yufei Gu, and

Introduction State-of-the-Art Overview Design Evaluation Discussion Conclusion References Derandomizing Kernel Address Space Layout for Memory Introspection and Forensics Yufei Gu, and Zhiqiang Lin The University of Texas at Dallas March 9

680 views • 67 slides
Buffer overflows (a security interlude) Address space layout the stack discipline + C's lack of

Buffer overflows (a security interlude) Address space layout the stack discipline + C's lack of

Buffer overflows (a security interlude) Address space layout the stack discipline + C's lack of bounds-checking HUGE PROBLEM x86-64 Linux Memory Layout ... ... 0x00007fffffffffff Stack not drawn to scale Caller Frame Extra Arguments

325 views • 16 slides
LR 2 : LR : Le Leakage-Re Resilient La Layout t Ra Randomization fo for Mo Mobile

LR 2 : LR : Le Leakage-Re Resilient La Layout t Ra Randomization fo for Mo Mobile

LR 2 : LR : Le Leakage-Re Resilient La Layout t Ra Randomization fo for Mo Mobile Devices Kjell Braden , Stephen Crane, Lucas Davi , Michael Franz , Per Larsen , Christopher Liebchen , Ahmad- Reza Sadeghi

578 views • 38 slides
Single Address Space o RW RO EX NO o Kernel vfat.o Single Address Space o RW RO EX o

Single Address Space o RW RO EX NO o Kernel vfat.o Single Address Space o RW RO EX o

Single Address Space o RW RO EX NO o Kernel vfat.o Single Address Space o RW RO EX o NO Kernel vfat.o Single Address Space RW RO mprotect o EX NO Kernel (PD-ID=0) vfat.o (PD-ID=1) o o o o o o o o o o o o o

360 views • 34 slides
Address Space Isolation in the Linux Kernel Mike Rapoport, James Bottomley

Address Space Isolation in the Linux Kernel Mike Rapoport, James Bottomley

Address Space Isolation in the Linux Kernel Mike Rapoport, James Bottomley &lt;{rppt,jejb}@linux.ibm.com&gt; This project has received funding from the European Unions Horizon 2020 research and innovation programme under grant agreement No

448 views • 30 slides
and Threads CS 4411 Spring 2020 Outline for Today Intro to EGOS and GitHub Address Space

and Threads CS 4411 Spring 2020 Outline for Today Intro to EGOS and GitHub Address Space

Project 1, Processes, and Threads CS 4411 Spring 2020 Outline for Today Intro to EGOS and GitHub Address Space Layout Processes vs. Threads Context Switching Kernel vs. User-Level Threads Project 1 Overview EGOS Grass

725 views • 23 slides
Experience with MAC Address Randomization in Windows 10 Christian Huitema Huitema@microsoft.com

Experience with MAC Address Randomization in Windows 10 Christian Huitema Huitema@microsoft.com

Experience with MAC Address Randomization in Windows 10 Christian Huitema Huitema@microsoft.com IETF 93, Prague, July 2015 MAC Randomization in WIndows 10 - 7/20/2015 1 IETF 93 MAC Address Randomization controlled from Windows 10 Wi-Fi UI

311 views • 6 slides
Info formation Leaks Kyriakos Kyriakou kkyria16@cs.ucy.ac.cy University of Cyprus EPL 682:

Info formation Leaks Kyriakos Kyriakou kkyria16@cs.ucy.ac.cy University of Cyprus EPL 682:

Info formation Leaks Kyriakos Kyriakou kkyria16@cs.ucy.ac.cy University of Cyprus EPL 682: Advanced Security Topics 1 Ju Just st-in in-tim time Code Reuse On the effectiveness of Fine-Grained Address Space Layout Randomization Kevin Z.

1.82k views • 180 slides
P Starting at address 0, going to address MAX prog 0 But where do addresses come from? MOV

P Starting at address 0, going to address MAX prog 0 But where do addresses come from? MOV

Memory Management Basics 1 Basic Memory Management Concepts Address spaces MAX sys Physical address space The address space supported by the hardware Starting at address 0, going to address MAX sys MAX prog Logical/virtual address space

448 views • 22 slides
CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming

CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming

CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming Zhao Location: Frnczk 408, North campus Time: Monday, 5:20 PM - 8:10 PM Last Class 1. Defenses a. Address Space Layout Randomization (ASLR)

872 views • 19 slides
1 The problem Address the problem of stopping determined attackers from exploiting our

1 The problem Address the problem of stopping determined attackers from exploiting our

1 The problem Address the problem of stopping determined attackers from exploiting our software Interest in Control Flow Integrity(CFI) Data execution prevention (DEP), stack smashing protection (SSP), address space layout

673 views • 34 slides
virtual memory 2 1 xv6 memory layout 0x80000000 (KERNBASE) page tables store this mapping (one

virtual memory 2 1 xv6 memory layout 0x80000000 (KERNBASE) page tables store this mapping (one

virtual memory 2 1 xv6 memory layout 0x80000000 (KERNBASE) page tables store this mapping (one kernel, one user) for user memory two virtual address same in every process = PA VA 0x8000000 + kernel-only memory 2 Virtual 4 Gig Device

1.7k views • 122 slides
Processs Address Space Linux Address Space 0x7fffffff Stack Data (Heap) Data (Heap)

Processs Address Space Linux Address Space 0x7fffffff Stack Data (Heap) Data (Heap)

10/21/2014 Processes, Address Spaces, and PROCESS Memory Management A running program and its associated data Jonathan Misurda jmisurda@cs.pitt.edu Processs Address Space Linux Address Space 0x7fffffff Stack Data (Heap) Data (Heap)

579 views • 3 slides
Buffer overflows (a security interlude) IA32 Linux Memory Layout ...

Buffer overflows (a security interlude) IA32 Linux Memory Layout ...

11/20/15 Buffer overflows (a security interlude) IA32 Linux Memory Layout ... FF ... How address space layout, the stack discipline, and C's lack of Stack

726 views • 4 slides
HICAMP Bitmap A Space-Efficient Updatable Bitmap Index for In-Memory Databases Bo Wang,

HICAMP Bitmap A Space-Efficient Updatable Bitmap Index for In-Memory Databases Bo Wang,

HICAMP Bitmap A Space-Efficient Updatable Bitmap Index for In-Memory Databases Bo Wang, Heiner Litz, David R. Cheriton Stanford University DAMON14 Database Indexing Databases use precomputed indexes to speed up processing avoid

518 views • 18 slides
UNIX Commands CIS 218 Advanced UNIX Commands (UNIX) File/Directory information ls

UNIX Commands CIS 218 Advanced UNIX Commands (UNIX) File/Directory information ls

UNIX Commands CIS 218 Advanced UNIX Commands (UNIX) File/Directory information ls LiSt. Shows contents of current directory. cd Change Directory mv

264 views • 7 slides
VAST A Unified Platform for Interactive Network Forensics Matthias Vallentin 1 , 2 Vern Paxson 1 ,

VAST A Unified Platform for Interactive Network Forensics Matthias Vallentin 1 , 2 Vern Paxson 1 ,

VAST A Unified Platform for Interactive Network Forensics Matthias Vallentin 1 , 2 Vern Paxson 1 , 2 Robin Sommer 2 , 3 1 UC Berkeley 2 International Computer Science Institute (ICSI) 3 Lawrence Berkeley National Laboratory (LBNL) March 17, 2016

1.01k views • 76 slides
Unpacking tips and tricks Protector Techniques Conclusion Samuel Chevet w4kfu@lse.epita.fr

Unpacking tips and tricks Protector Techniques Conclusion Samuel Chevet w4kfu@lse.epita.fr

Unpacking tips and tricks Samuel Chevet Presentation Process Unpacking tips and tricks Protector Techniques Conclusion Samuel Chevet w4kfu@lse.epita.fr http://www.lse.epita.fr 12 February 2013 Why this talk ? Unpacking tips and tricks

439 views • 26 slides
BGP Scanner Isolario BGP-MRT Data Reader: C library &amp; tool Lorenzo Cogotti lorenzo.cogotti

BGP Scanner Isolario BGP-MRT Data Reader: C library &amp; tool Lorenzo Cogotti lorenzo.cogotti

BGP Scanner Isolario BGP-MRT Data Reader: C library &amp; tool Lorenzo Cogotti lorenzo.cogotti &lt; at &gt; alphacogs.com Luca Sani luca.sani &lt; at &gt; isolario.it Isolario Project What is a BGP route collector? Route collectors (RCs) are

1.01k views • 20 slides
MathWiki 2007 / Logiweb Klaus Grue, grue@diku.dk Senior Software Engineer, Rovsing A/S Rovsing

MathWiki 2007 / Logiweb Klaus Grue, grue@diku.dk Senior Software Engineer, Rovsing A/S Rovsing

MathWiki 2007 / Logiweb Klaus Grue, grue@diku.dk Senior Software Engineer, Rovsing A/S Rovsing does Independent Software Verification and Validation (ISVV) for space agencies and space companies (http://www.rovsing.dk) Logiweb was developed at

939 views • 48 slides
CS4617 Computer Architecture Lecture 7: Instruction Set Architectures Dr J Vaughan October 1,

CS4617 Computer Architecture Lecture 7: Instruction Set Architectures Dr J Vaughan October 1,

CS4617 Computer Architecture Lecture 7: Instruction Set Architectures Dr J Vaughan October 1, 2014 1/27 ISA Classification Stack architecture: operands on top of stack Accumulator architecture: 1 operand in ACC, implicitly

643 views • 27 slides
arXiv:1209.2137v6 [cs.IR] 15 May 2014 SUMMARY In many important applicationssuch as search

arXiv:1209.2137v6 [cs.IR] 15 May 2014 SUMMARY In many important applicationssuch as search

Decoding billions of integers per second through vectorization D. Lemire 1 , L. Boytsov 2 1 LICEF Research Center, TELUQ, Montreal, QC, Canada 2 Carnegie Mellon University, Pittsburgh, Pennsylvania, USA arXiv:1209.2137v6 [cs.IR] 15 May 2014

488 views • 30 slides

More recommend