on the effectiveness of kernel debloating via compile
play

On the Effectiveness of Kernel Debloating via Compile-time - PowerPoint PPT Presentation

Mar 27, 2023 •452 likes •720 views

On the Effectiveness of Kernel Debloating via Compile-time Configuration Mansour Alharthi, Hong Hu, Hyungon Moon, Taesoo Kim The problem of bloated software High complexity: more vulnerabilities Unused interfaces: an attacker can use

  1. On the Effectiveness of Kernel Debloating via Compile-time Configuration Mansour Alharthi, Hong Hu, Hyungon Moon, Taesoo Kim

  2. The problem of bloated software • High complexity: more vulnerabilities • Unused interfaces: an attacker can use • Unused code: more ROP gadget 1

  3. Linux kernel is bloated • Driving a variety of devices from servers to embedded • Server-friendly features • Embedded-only features • Keep adopting new features • Support for new hardware • Performance optimizations 2

  4. Problem of bloated kernel: avoidable bugs • Linux distributions conservatively enable many features • Just in case a user wants them • A system ends up suffering from a bug (vulnerability) in a feature that it never uses • which we should avoid 3

  5. Example: X32 ABI • Use x86_64 ISA: more registers than i386 (IA-32). • Keep pointer size 32-bit: smaller memory footprints. • Rarely used but enabled by default by popular distributions. • OpenSuse, Ubuntu, Solus. • Related to a security-critical bug: CVE-2014-0038. • Local privilege escalation. 4

  6. Example: CVE-2014-0038 • x32 ABI uses compat_sys_recvmmsg to implement recvmmsg. • Incorrect casting at line 7 enables arbitrary memory write. • Only the kernels that CONFIG_X86_X32 enabled is vulnerable. asmlinkage long compat_sys_recvmmsg(int fd, struct compat_mmsghdr __user *mmsg, unsigned int vlen , unsigned int flags , struct compat_timespec __ user * timeout ) { //... if (COMPAT_USE_64BIT_TIME) return __sys_recvmmsg(fd, ( struct mmsghdr __user *)mmsg, vlen, flags | MSG_CMSG_COMPAT, ( struct timespec *) timeout ); /* bug here !!*/ 5

  7. Background: Linux kernel config. system • Configuration options • E.g., CONFIG_NET, CONFIG_X86_X32 • Determine if each source file/line is compile or not • Configuration: a list of configuration options with the values … CONFIG_X86_X32=y CONFIG_COMPAT_32=y CONFIG_COMPAT=y CONFIG_COMPAT_FOR_U64_ALIGNMENT=y CONFIG_SYSVIPC_COMPAT=y CONFIG_X86_DEV_DMA_OPS=y CONFIG_NET=y CONFIG_COMPAT_NETLINK_MESSAGES=y … 6

  8. Research goal • The vulnerability-configuration option dependency CONFIG_X86_X32 CVE-2014-0038 • Potential effectiveness of configuration option-grained tuning # CVEs Default configuration Deloated configuration # Enabled options 7

  9. Summary of results • Dependency • ∃ options that many vulnerabilities depend on. • ∃ many options that at least one vulnerability depends on. • Tuning • Popular programs do not need many options. • Disabling inessential options make the kernel less likely to have vulnerabilites. 8

  10. Rest of this talk • Dependency • Collecting the kernel vulnerabilities. • Locating the patches. • From a patch to the dependency. • Tuning • Indirect study with existing configurations. • Direct study with hand-crafted configurations. • Conclusion 9

  11. Collecting the kernel vulnerabilities • CVE data from National Vulnerability Database (NVD). à 2046 • De facto standard, since 1999 • Vulnerabilities found 2005 or after. à 1773 • For easy access to patch: when the git was out • Only the upstream vulnerabilities. • For fair comparison between different distributions or forks • E.g., Ubuntu, Fedora or Android à 1530 vulnerabilities collected 10

  12. Locating the patches from NVD entries • The NVD entry for CVE-2014-0038 " cve " : { " data_type" : "CVE", " data_format" : "MITRE", " data_version " : "4.0", " CVE_data_meta " : { "ID" : "CVE-2014-0038", "ASSIGNER" : "cve@mitre.org " }, … " url " : " https :// github.com / torvalds / linux / commit / 2def2ef2ae5f3990aabdbe8a755911902707d268 " } à Located patches for 1242 entries 11

  13. A patch example +++ b/net/compat.c asmlinkage long compat_sys_recvmmsg(int fd, struct compat_mmsghdr __user *mmsg, - if (COMPAT_USE_64BIT_TIME) - return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen, - flags | MSG_CMSG_COMPAT, - (struct timespec *) timeout); if (timeout == NULL) return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen, flags | MSG_CMSG_COMPAT, NULL); - if (get_compat_timespec(&ktspec, timeout)) + if (compat_get_timespec(&ktspec, timeout)) return -EFAULT; datagrams = __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen, flags | MSG_CMSG_COMPAT, &ktspec); - if (datagrams > 0 && put_compat_timespec(&ktspec, timeout)) + if (datagrams > 0 && compat_put_timespec(&ktspec, timeout)) datagrams = -EFAULT; à Gives the change set 12

  14. From a patch to the dependencies (1) • Find the options that determines if the patched lines are compiled • Assumption: no change required à no bug 13

  15. From a patch to the dependencies (2) • Kernel Makefiles determine if each file is included or not net/Makefile Linux Kernel Source Tree Patch for CVE-2014-0038 obj-y := nonet.o := socket.o core / obj-$(CONFIG_NET) net/compat.c:783 net/compat.c:792 net/ := compat.o tmp-$(CONFIG_COMPAT) += $( tmp-y ) net/compat.c:797 obj-$(CONFIG_NET) CONFIG_COMPAT # LLC has to be linked before the files in net/802/ net/compat.c net/compat.c net/compat.c += llc / obj-$(CONFIG_LLC) += ethernet / 802/ sched / netlink / obj-$(CONFIG_NET) net/compat.c:797 net/compat.c:792 net/compat.c:783 CVE-2014-0038 14

  16. From a patch to the dependencies (3) • Kernel source code has preprocessor directives using config options. Linux Kernel Source Tree net/Makefile obj-y := nonet.o net/ include/ := socket.o core / Patch for CVE-2017-7277 obj-$(CONFIG_NET) CONFIG_NET core/ net/core/skbuff.c:3870 net/core/skbuff.c net/core/skbuff.c:3872 linux/ socket.c net/core/skbuff.c:3805 if (tsonly) { skbuff.c skbuff.c net/socket.c:709 #ifdef CONFIG_INET if ((sk->sk_tsflags & SOF_TIMESTAMPING_OPT_STATS) && Include/linux/errqueue.h:22 errqueue.h sk->sk_protocol == IPPROTO_TCP && sk -> sk_type == SOCK_STREAM) { CONFIG_INET skb = tcp_get_timestamping_opt_stats(sk); line 709 line 3805 opt_stats = true; } else lines 3870 & 3872 line 22 #endif CVE-2017-7277 skb = alloc_skb(0, GFP_ATOMIC); 15

  17. Observations from the graphs • Case 1 (e.g., CVE-2014-0038): • Disabling one or more option completely discards all patches line. • Case 2 (e.g. CVE-2017-7077): • There exists a patched line that is never discarded. Linux Kernel Source Tree Linux Kernel Source Tree net/ include/ CONFIG_NET net/ core/ CONFIG_COMPAT socket.c linux/ net/compat.c net/compat.c net/compat.c skbuff.c skbuff.c errqueue.h CONFIG_INET net/compat.c:797 net/compat.c:792 net/compat.c:783 line 709 line 3805 CVE-2014-0038 lines 3870 & 3872 line 22 CVE-2017-7277 16

  18. Inferring the number of active vulnerability • Optimistic: • Discarding any of the patched line deactivates the vulnerability. • “OR” operation when inferring the numbers • Conservative: • We must discard all patched lines to deactivate the vulnerability. • “AND” operation when inferring the numbers 17

  19. Some numbers from the dependency study • ∃ Potentially large configuration options which are related to many vulnerabilities. • CONFIG_NET: 100, CONFIG_KVM: 46, CONFIG_PCI: 39 • Many ( 701 ) configuration options are related to at least one. • Only 136 (11%) vulnerabilities have a “bypass”. • Which debloating cannot deactivate in the worst case. 18

  20. Can we then tune? • Indirect study with existing configurations • Collected 66 default configurations • Direct study with manual debloating • Created 2 minimal, application-specific configurations 19

  21. More enabled options à more vulnerabilities Embedded Mobile (Android) Servers/desktops 20

  22. Manual debloating • Minimal web server: nginx • Started from Ubuntu for x86 • Correctness: if it serves a simple web page • Minimal sensor node: mosquitto • Started from Buildroot for aarch64 • Correctness: if a client can deliver a message to a server 21

  23. Targeted debloating is effective Target Distribution # Options # Bugs Dependency OR 929 à 234 (74.8%) (Optimistic) nginx Ubuntu AND 7598 à 1038 (86.3%) 1000 à 412 (58.8%) AND with Bypasses 1006 à 472 (53.1%) (Conservative) OR 281 à 159 (43.4%) (Optimistic) mosquitto Buildroot AND 1229 à 581 (52.7%) 472 à 265 (43.9%) AND with Bypasses 526 à 347 (34.0%) (Conservative) 22

  24. Conclusion • Most (89%) of vulnerabilities can be nullified by configuration. • Application-specific debloating is effective (34-74% reduction). • Next steps • Splitting large config options (e.g., CONFIG_NET) • Automating the configuration-grained debloating 23

  25. Thank you! Questions? 24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Razor: A Framework for Post-deployment Software Debloating Chenxiong Qian, Hong Hu, Mansour

Razor: A Framework for Post-deployment Software Debloating Chenxiong Qian, Hong Hu, Mansour

Razor: A Framework for Post-deployment Software Debloating Chenxiong Qian, Hong Hu, Mansour Alharthi, Pak Ho (Simon) Chung, Taesoo Kim, Wenke Lee Software Is Getting Bigger 17.5M Lines of Code 5M Linux Kernel Version 2 Software Is Bloated

900 views • 24 slides
Bintrimmer: Towards Static Binary Debloating Through Abstract Interpretation DIMVA, June 19 th

Bintrimmer: Towards Static Binary Debloating Through Abstract Interpretation DIMVA, June 19 th

Bintrimmer: Towards Static Binary Debloating Through Abstract Interpretation DIMVA, June 19 th 2019 Nilo Redini Computer Science @ UC Santa Barbara nredini@cs.ucsb.edu Motivation - Software complexity pushes developers toward component

958 views • 50 slides
TOS Arno Puder 1 Emulation TOS runs on regular PCs To try a new version of TOS:

TOS Arno Puder 1 Emulation TOS runs on regular PCs To try a new version of TOS:

TOS Arno Puder 1 Emulation TOS runs on regular PCs To try a new version of TOS: Compile a new kernel Write the kernel to a floppy Reboot the PC A couple of problems: Time consuming! We dont all have spare PCs

427 views • 32 slides
Slimium: Debloating the Chromium Browser with Feature Subsetting CHENXIONG QIAN, HYUNGJOON

Slimium: Debloating the Chromium Browser with Feature Subsetting CHENXIONG QIAN, HYUNGJOON

Slimium: Debloating the Chromium Browser with Feature Subsetting CHENXIONG QIAN, HYUNGJOON (KEVIN) KOO, CHANGSEOK OH, TAESOO KIM, WENKE LEE 1 Background Chromium dominates Web browser market share. Ever-increasing Features: 2300+

438 views • 16 slides
LLVMLinux: The Linux Kernel with Dragon Wings Presented by: Jan-Simon Mller (LLVMLinux

LLVMLinux: The Linux Kernel with Dragon Wings Presented by: Jan-Simon Mller (LLVMLinux

LLVMLinux: The Linux Kernel with Dragon Wings Presented by: Jan-Simon Mller (LLVMLinux Maintainer for x86) Presentation Date: 2014.02.02 LLVMLinux Project Why Would I Want to Use Clang/LLVM to Compile the Linux Kernel? LLVMLinux Project

767 views • 72 slides
A New Architecture for Building Software Daniel Dunbar Overview Compile time How

A New Architecture for Building Software Daniel Dunbar Overview Compile time How

A New Architecture for Building Software Daniel Dunbar Overview Compile time How software is built llbuild A new architecture Compile Time Clang & Compile Times Designed to be a fast compiler Tuned lex & parse

917 views • 44 slides
LLVM Compile Time. Challenges. Improvements. Outlook. Michael Zolotukhin, Apple Agenda

LLVM Compile Time. Challenges. Improvements. Outlook. Michael Zolotukhin, Apple Agenda

LLVM Compile Time. Challenges. Improvements. Outlook. Michael Zolotukhin, Apple Agenda Benchmarking and tracking Historical findings Future work Tools and tricks Compile Time Trend O0-g Os O3 1.5x Compile Time

702 views • 52 slides
Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel

Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel

Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel Fernndez V, David P. Woodruff, Taisuke Yasuda Kernel Method Many machine learning tasks can be expressed as a function of the inner product

389 views • 22 slides
1 Kernel methods & optimization One example of a kernel that is frequently used in practice

1 Kernel methods & optimization One example of a kernel that is frequently used in practice

Machine Learning Class Notes 9-25-12 Prof. David Sontag 1 Kernel methods & optimization One example of a kernel that is frequently used in practice and which allows for highly non-linear discriminant functions is the Gaussian kernel,

240 views • 5 slides
Photo Credit: WSDOT Catch Basin Effectiveness Study Jene Colton, King County Stormwater Work

Photo Credit: WSDOT Catch Basin Effectiveness Study Jene Colton, King County Stormwater Work

Photo Credit: WSDOT Catch Basin Effectiveness Study Jene Colton, King County Stormwater Work Group meeting November 14, 2018 How can we use WW catch basin I&M records to inform inspection frequency needs? Steps Compile Info Analysis

1.25k views • 35 slides
Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel

Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel

Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel Fernndez V, David P. Woodruff, Taisuke Yasuda Overview Preliminaries Kernel ridge regression Kernel -means clustering

476 views • 25 slides
Debugging the Linux Kernel with GDB Kieran Bingham Debugging the Linux Kernel with GDB Many

Debugging the Linux Kernel with GDB Kieran Bingham Debugging the Linux Kernel with GDB Many

Debugging the Linux Kernel with GDB Kieran Bingham Debugging the Linux Kernel with GDB Many of us need to debug the Linux kernel Proprietary tools like Trace32 and DS-5 are $$$ Open source debuggers like GDB lack kernel

884 views • 40 slides
Linux Kernel Synchronization System Calls Synchronization in Kernel the kernel RCU File

Linux Kernel Synchronization System Calls Synchronization in Kernel the kernel RCU File

3/1/20 COMP 790: OS Implementation COMP 790: OS Implementation Logical Diagram Binary Memory Threads Formats Allocators User Todays Lecture Linux Kernel Synchronization System Calls Synchronization in Kernel the kernel RCU File

647 views • 8 slides
D-Bus in the Kernel LinuxCon 2014, Tokyo, Japan May 2014 D-Bus in the Kernel Who? Greg

D-Bus in the Kernel LinuxCon 2014, Tokyo, Japan May 2014 D-Bus in the Kernel Who? Greg

D-Bus in the Kernel LinuxCon 2014, Tokyo, Japan May 2014 D-Bus in the Kernel Who? Greg Kroah-Hartman, David Herrmann, Daniel Mack, Lennart Poettering, Kay Sievers with help from Tejun Heo D-Bus in the Kernel Most newer OS designs started

1.35k views • 111 slides
Determining the Determining the Effectiveness & ROI Effectiveness & ROI of Your GRC

Determining the Determining the Effectiveness & ROI Effectiveness & ROI of Your GRC

6/18/2012 Effectiveness & ROI of GRC June 22, 2012 1 Determining the Determining the Effectiveness & ROI Effectiveness & ROI of Your GRC Program of Your GRC Program Bob Conlin, Chief Products Officer SCCE Regional Conference June

503 views • 9 slides
The Four Steps 1 Solve the problem. 2 Write the app. 3 Compile the app. 4 Run the app. CSE 1020

The Four Steps 1 Solve the problem. 2 Write the app. 3 Compile the app. 4 Run the app. CSE 1020

The Four Steps 1 Solve the problem. 2 Write the app. 3 Compile the app. 4 Run the app. CSE 1020 moodle.yorku.ca Phases 1 Analysis (define the problem) 2 Design (solve the problem) 3 Implementation (write and compile the app) 4 Testing (run the

444 views • 22 slides
KLone An SDK for Embedded Web Applications Steven Dorigotti KoanLogic (http://koanlogic.com)

KLone An SDK for Embedded Web Applications Steven Dorigotti KoanLogic (http://koanlogic.com)

KLone An SDK for Embedded Web Applications Steven Dorigotti KoanLogic (http://koanlogic.com) August 11, 2006 Outline KLone Development Applications Wrap-Up KLone What is it? Use Cases Features Libraries Workings Development

1.16k views • 92 slides
CPSC 531: System Modeling and Simulation Carey Williamson Department of Computer Science

CPSC 531: System Modeling and Simulation Carey Williamson Department of Computer Science

CPSC 531: System Modeling and Simulation Carey Williamson Department of Computer Science University of Calgary Fall 2017 Agenda Welcome! Course Overview Learning Outcomes Administrative Details Expectations Q&A

559 views • 21 slides
A theory of closure operators Alva L. Couch Marc A. Chiarini Tufts University Convergent

A theory of closure operators Alva L. Couch Marc A. Chiarini Tufts University Convergent

A theory of closure operators Alva L. Couch Marc A. Chiarini Tufts University Convergent operators A convergent operator assures a specific network state and is idempotent if that state exists already. Example 1: set a parameter to a

707 views • 21 slides
Bro 2.0 and Beyond Network Attack Detection and Defense Early Warning Systems Schloss Dagstuhl,

Bro 2.0 and Beyond Network Attack Detection and Defense Early Warning Systems Schloss Dagstuhl,

The Bro Network Security Monitor Bro 2.0 and Beyond Network Attack Detection and Defense Early Warning Systems Schloss Dagstuhl, 2012 Dagstuhl 2012 2 Outline Bro Introduction Much different from the typical IDS you may know Hot off

742 views • 63 slides
Amortised Optimisation as a Means to Achieve Genetic Improvement Hyeongjun Cho, Sungwon Cho,

Amortised Optimisation as a Means to Achieve Genetic Improvement Hyeongjun Cho, Sungwon Cho,

Amortised Optimisation as a Means to Achieve Genetic Improvement Hyeongjun Cho, Sungwon Cho, Seongmin Lee, Jeongju Sohn, and Shin Yoo Date 2017.01.30, The 50th CREST Open Workshop Offline Improvement Expensive Fig. 1. GP improvement of MiniSAT.

391 views • 28 slides
Accessing and Manipulating Ontologies using Web Services Olivier Dameron, Natalya F. Noy, Holger

Accessing and Manipulating Ontologies using Web Services Olivier Dameron, Natalya F. Noy, Holger

Accessing and Manipulating Ontologies using Web Services Olivier Dameron, Natalya F. Noy, Holger Knublauch, Mark A. Musen SMI - Stanford University Semantic Web Services Workshop - ISWC 2004 Context Semantic Web Ontology scope Web Services

540 views • 20 slides
Lecture 12: Web Service Lisa (Ling) Liu Web service? An XML web service is a unit of code

Lecture 12: Web Service Lisa (Ling) Liu Web service? An XML web service is a unit of code

Chair of Softw are Engineering C# Programming in Depth Prof. Dr. Bertrand Meyer March 2007 May 2007 Lecture 12: Web Service Lisa (Ling) Liu Web service? An XML web service is a unit of code hosted by a web server that can be accessed

528 views • 27 slides
Web Services with ASP .NET Asst. Prof. Dr. Kanda Saikaew (krunapon@kku.ac.th) Department of

Web Services with ASP .NET Asst. Prof. Dr. Kanda Saikaew (krunapon@kku.ac.th) Department of

Web Services with ASP .NET Asst. Prof. Dr. Kanda Saikaew (krunapon@kku.ac.th) Department of Computer Engineering Khon Kaen University 1 Agenda Introduction to Programming Web Services in Managed Code Programming the Web with Web

1.02k views • 34 slides

More recommend