rethinking kernel isolation
play

Rethinking Kernel Isolation Vasileios P. Kemerlis Network Security - PowerPoint PPT Presentation

Dec 29, 2023 •392 likes •1.09k views

Rethinking Kernel Isolation Vasileios P. Kemerlis Network Security Lab Department of Computer Science Columbia University New York, NY, USA Georgia Institute of Technology, 09/12/2014 vpk@cs.columbia.edu (Columbia University) ret2dir GT

  1. Rethinking Kernel Isolation Vasileios P. Kemerlis Network Security Lab Department of Computer Science Columbia University New York, NY, USA Georgia Institute of Technology, 09/12/2014 vpk@cs.columbia.edu (Columbia University) ret2dir GT ’14 1 / 59

  2. Outline Introduction Kernel attacks & defenses Problem statement Attack ( ret2dir ) Background Bypassing SMEP / SMAP , PXN , PaX, kGuard Defense (XPFO) Design & implementation Performance Conclusion Recap vpk@cs.columbia.edu (Columbia University) ret2dir GT ’14 4 / 59

  3. Introduction Kernel attacks & defenses Attacking the “Core” Threats classification 1. Privilege escalation I Arbitrary code execution code-injection, ROP, ret2usr 7 Kernel stack smashing 7 User-after-free, double free, dangling pointers 7 Kernel heap overflows 7 Signedness errors, integer overflows 7 Wild writes, o ff -by- n 7 Race conditions, memory leaks 7 Poor arg. sanitization 7 Missing authorization checks 2. Persistent foothold I Kernel object hooking (KOH) control-flow hijacking 7 Kernel control data (function ptr., dispatch tbl., return addr.) 7 Kernel code ( .text ) I Direct kernel object manipulation (DKOM) cloaking 7 Kernel non-control data 3. ... vpk@cs.columbia.edu (Columbia University) ret2dir GT ’14 5 / 59

  4. Introduction Kernel attacks & defenses Attacking the “Core” Threats classification 1. Privilege escalation I Arbitrary code execution code-injection, ROP, ret2usr 7 Kernel stack smashing 7 User-after-free, double free, dangling pointers 7 Kernel heap overflows 7 Signedness errors, integer overflows 7 Wild writes, o ff -by- n 7 Race conditions, memory leaks 7 Poor arg. sanitization 7 Missing authorization checks 2. Persistent foothold I Kernel object hooking (KOH) control-flow hijacking 7 Kernel control data (function ptr., dispatch tbl., return addr.) 7 Kernel code ( .text ) I Direct kernel object manipulation (DKOM) cloaking 7 Kernel non-control data 3. ... vpk@cs.columbia.edu (Columbia University) ret2dir GT ’14 6 / 59

  5. Introduction Kernel attacks & defenses Attacking the “Core” Threats classification 1. Privilege escalation I Arbitrary code execution code-injection, ROP, ret2usr 7 Kernel stack smashing 7 User-after-free, double free, dangling pointers 7 Kernel heap overflows 7 Signedness errors, integer overflows 7 Wild writes, o ff -by- n 7 Race conditions, memory leaks 7 Poor arg. sanitization 7 Missing authorization checks 2. Persistent foothold I Kernel object hooking (KOH) control-flow hijacking 7 Kernel control data (function ptr., dispatch tbl., return addr.) 7 Kernel code ( .text ) I Direct kernel object manipulation (DKOM) cloaking 7 Kernel non-control data 3. ... vpk@cs.columbia.edu (Columbia University) ret2dir GT ’14 7 / 59

  6. Introduction Kernel attacks & defenses Return-to-user ( ret2usr ) Attacks What are they? Attacks against OS kernels with shared kernel/user address space • Overwrite kernel code (or data) pointers with user space addresses 7 return addr., dispatch tbl., function ptr., 7 data ptr. I Payload ! Shellcode, ROP payload, tampered-with data structure(s) I Placed in user space 7 Executed (referenced) in kernel context I De facto kernel exploitation technique I Facilitates privilege escalation arbitrary code execution 7 http://www.exploit-db.com/exploits/34134/ (21/07/14) 7 http://www.exploit-db.com/exploits/131/ (05/12/03) vpk@cs.columbia.edu (Columbia University) ret2dir GT ’14 8 / 59

  7. Introduction Kernel attacks & defenses ret2usr Attacks (cont’d) Why do they work? Weak address space (kernel/user) separation • Shared kernel/process model ! Performance X cost(mode switch) ⌧ cost(context switch) I The kernel is protected from userland ! Hardware-assisted isolation 7 The opposite is not true 7 Kernel ambient authority (unrestricted access to all memory and system objects) I The attacker completely controls user space memory • Contents & perms. vpk@cs.columbia.edu (Columbia University) ret2dir GT ’14 9 / 59

  8. Introduction Kernel attacks & defenses kGuard [USENIX Sec ’12] Versatile & lightweight protection against ret2usr I Cross-platform solution that enforces (partial) address space separation between user and kernel space • x86, x86-64, ARM, ... • Linux, Android, { Free, Net, Open } BSD, ... I Builds upon inline monitoring and code diversification I Implemented as a set of modifications to the pipeline of GCC • Non-intrusive & low overhead • Back-end plugin ! ⇠ 1KLOC in C Front − ends Middle − end *.c, *.i C GIMPLE Back − end *.cc, *.c++ C++ *.cxx, *.cpp RTL High *.m, *.mi Objective − C GIMPLE SSA *.java Java GENERIC GIMPLE kGuard ... ... Low (NOP & CFA) GIMPLE Fortran *.F, *.FOR *.s vpk@cs.columbia.edu (Columbia University) ret2dir GT ’14 10 / 59

  9. Introduction Kernel attacks & defenses kGuard Design Control-flow assertions (key technology #1) I Compact, inline guards injected at Instrumented code Original code compile time branch CFA • Two flavors ! CFA R & CFA M kernel branch I Placed before every exploitable control .text transfer branch kernel .text • call , jmp , ret in x86/x86-64 • ldm , blx , ..., in ARM CFA branch I Verify that the target address of an indirect branch is always inside kernel space I If the assertion is true, execution continues normally; otherwise, control is transfered to a runtime violation handler vpk@cs.columbia.edu (Columbia University) ret2dir GT ’14 11 / 59

  10. Introduction Kernel attacks & defenses kGuard Design (cont’d) CFA R example cmp $0xc0000000,%ebx if (reg < 0xc0000000) jae lbl reg = &<violation_handler>; mov $0xc05af8f1,%ebx call *reg lbl: call *%ebx Indirect call in drivers/cpufreq/cpufreq.c (x86 Linux) vpk@cs.columbia.edu (Columbia University) ret2dir GT ’14 12 / 59

  11. Introduction Kernel attacks & defenses kGuard Design (cont’d) CFA M examples (1/2) push %edi if (&mem < 0xc0000000) lea 0x50(%ebx),%edi call <violation_handler>; cmp $0xc0000000,%edi if (mem < 0xc0000000) jae lbl1 mem = &<violation_handler>; pop %edi call *mem ; call 0xc05af8f1 lbl1: pop %edi cmpl $0xc0000000,0x50(%ebx) jae lbl2 movl $0xc05af8f1,0x50(%ebx) lbl2: call *0x50(%ebx) Indirect call in net/socket.c (x86 Linux) vpk@cs.columbia.edu (Columbia University) ret2dir GT ’14 13 / 59

  12. Introduction Kernel attacks & defenses kGuard Design (cont’d) CFA M examples (2/2) & optimizations cmpl $0xc0000000,0xc123beef if (&mem < 0xc0000000) jae lb call <violation_handler>; movl $0xc05af8f1,0xc123beef if (mem < 0xc0000000) lb: call *0xc123beef mem = &<violation_handler>; call *mem ; Optimized CFA M guard (x86 Linux) vpk@cs.columbia.edu (Columbia University) ret2dir GT ’14 14 / 59

  13. Introduction Kernel attacks & defenses ret2usr Defenses State of the art overview X KERNEXEC / UDEREF ! PaX I 3 rd -party Linux patch(es) ! x86-64/x86/AArch32 only I HW/SW-assisted address space separation • x86 ! Seg. unit (reload %cs , %ss , %ds , %es ) • x86-64 ! Code instr. & temporary user space re-mapping • ARM (AArch32) ! ARM domains X kGuard ! Kemerlis et al. [USENIX Sec ’12] I Cross-platform solution that enforces (partial) address space separation • x86, x86-64, ARM, ... • Linux, { Free, Net, Open } BSD, ... I Builds upon inline monitoring (code intr.) & code diversification (code inflation & CFA motion) X SMEP / SMAP , PXN ! Intel, ARM I HW-assisted address space separation • Access violation if priv. code (ring 0) executes/accesses instructions/data from user pages ( U/S = 1) I Vendor and model specific (Intel x86/x86-64, ARM) vpk@cs.columbia.edu (Columbia University) ret2dir GT ’14 15 / 59

  14. Introduction Kernel attacks & defenses ret2usr Defenses (cont’d) Summary vpk@cs.columbia.edu (Columbia University) ret2dir GT ’14 16 / 59

  15. Introduction Problem statement Rethinking Kernel Isolation [USENIX Sec ’14] What is this talk about? Focus on ret2usr defenses ! SMEP / SMAP , PXN , PaX, kGuard vpk@cs.columbia.edu (Columbia University) ret2dir GT ’14 17 / 59

  16. Introduction Problem statement Rethinking Kernel Isolation [USENIX Sec ’14] What is this talk about? Focus on ret2usr defenses ! SMEP / SMAP , PXN , PaX, kGuard I Can we subvert them? • Force the kernel to execute/access user-controlled code/data I Conflicting design choices or optimizations? • “Features” that weaken the (strong) separation of address spaces vpk@cs.columbia.edu (Columbia University) ret2dir GT ’14 17 / 59

  17. Introduction Problem statement Rethinking Kernel Isolation [USENIX Sec ’14] What is this talk about? Focus on ret2usr defenses ! SMEP / SMAP , PXN , PaX, kGuard I Can we subvert them? • Force the kernel to execute/access user-controlled code/data I Conflicting design choices or optimizations? • “Features” that weaken the (strong) separation of address spaces Return-to-direct-mapped memory ( ret2dir ) I Attack against hardened (Linux) kernels X Bypasses all existing ret2usr schemes X 8 ret2usr exploit 9 ret2dir exploit vpk@cs.columbia.edu (Columbia University) ret2dir GT ’14 17 / 59

  18. Attack ( ret2dir ) Background Kernel Space Layout Linux x86/x86-64 vpk@cs.columbia.edu (Columbia University) ret2dir GT ’14 18 / 59

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Ret2dir: Rethinking Kernel Isolation Kermerlis et al. Columbia University Presented by Lucas Copi

Ret2dir: Rethinking Kernel Isolation Kermerlis et al. Columbia University Presented by Lucas Copi

Ret2dir: Rethinking Kernel Isolation Kermerlis et al. Columbia University Presented by Lucas Copi Introduction ! In the past attackers have focused efforts on server and client applications ! Due to lesser complexities and simpler

501 views • 26 slides
Harmonizing Performance and Isolation in Microkernels with Efficient Intra-kernel Isolation and

Harmonizing Performance and Isolation in Microkernels with Efficient Intra-kernel Isolation and

Harmonizing Performance and Isolation in Microkernels with Efficient Intra-kernel Isolation and Communication Jinyu Gu , Xinyue Wu, Wentai Li, Nian Liu, Zeyu Mi, Yubin Xia, Haibo Chen Monolithic Kernel and Microkernel 2 Monolithic Kernel and

336 views • 23 slides
Virtual Machine Introspection Isolation Interpretation Interposition Isolation

Virtual Machine Introspection Isolation Interpretation Interposition Isolation

Virtual Machine Introspection Isolation Interpretation Interposition Isolation From in-guest kernel/userspace Provided by Xen Buggy emulation blurres the line From trusted computing base (TCB) Possible via Xen

286 views • 26 slides
Rethinking the Linux kernel Thomas Graf Cilium Project, Co-Founder &amp; CTO, Isovalent

Rethinking the Linux kernel Thomas Graf Cilium Project, Co-Founder &amp; CTO, Isovalent

Rethinking the Linux kernel Thomas Graf Cilium Project, Co-Founder &amp; CTO, Isovalent Remember GeoCities? 2 Cameron Askin: Camerons World What enabled this evolution? Programmable Platform Markup Only (HTML) 3 Programmability

467 views • 24 slides
Address Space Isolation in the Linux Kernel Mike Rapoport, James Bottomley

Address Space Isolation in the Linux Kernel Mike Rapoport, James Bottomley

Address Space Isolation in the Linux Kernel Mike Rapoport, James Bottomley &lt;{rppt,jejb}@linux.ibm.com&gt; This project has received funding from the European Unions Horizon 2020 research and innovation programme under grant agreement No

448 views • 30 slides
Serializable Snapshot Isolation Making ISOLATION LEVEL SERIALIZABLE Provide Serializable

Serializable Snapshot Isolation Making ISOLATION LEVEL SERIALIZABLE Provide Serializable

Serializable Snapshot Isolation Making ISOLATION LEVEL SERIALIZABLE Provide Serializable Isolation Dan Ports Kevin Grittner MIT Wisconsin Court System Saturday, May 21, 2011 1 Overview Serializable isolation makes it easier to reason

922 views • 60 slides
ADAPTED SPAULDING PYRAMID Making Isolation: How does it work? Patient Isolation- Creating

ADAPTED SPAULDING PYRAMID Making Isolation: How does it work? Patient Isolation- Creating

ADAPTED SPAULDING PYRAMID Making Isolation: How does it work? Patient Isolation- Creating auxiliary isolation rooms (CDC) SCRUBBERS - 1 ea to serve patient room, and 1 for Airlock Typically deployed on supplied wheel platform

144 views • 3 slides
Rethinking of the Rethinking of the debian/watch debian/watch With thought experiments about

Rethinking of the Rethinking of the debian/watch debian/watch With thought experiments about

Rethinking of the Rethinking of the debian/watch debian/watch With thought experiments about uscan Kentaro Hayashi DebConf18 in T aiwan 2018-08-03 ClearCode Inc. Digest of this talk Current d/watch fi le is sometimes complicated Update

800 views • 77 slides
2 Fault Isolation &amp; Restoration Manual Fault Isolation &amp; Restoration The

2 Fault Isolation &amp; Restoration Manual Fault Isolation &amp; Restoration The

1 Self Healing Network (Centralized Restoration Gateway) IEEE PES 2015 General Meeting 2 Fault Isolation &amp; Restoration Manual Fault Isolation &amp; Restoration The operator makes switching decisions Automatic Fault Location

724 views • 22 slides
Rethinking W aste Rethinking Waste W aste w hat is it? Websters 1913 Dictionary

Rethinking W aste Rethinking Waste W aste w hat is it? Websters 1913 Dictionary

Rethinking W aste Rethinking Waste W aste w hat is it? Websters 1913 Dictionary definition: lying unused; unproductive; w orthless; valueless; refuse; rejected Oxford 2017 English Dictionary definition: elim inated or

582 views • 28 slides
GCC Highlighted Products GSure Gel Extraction kit GSure Soil DNA Isolation kit GSure Sputum DNA

GCC Highlighted Products GSure Gel Extraction kit GSure Soil DNA Isolation kit GSure Sputum DNA

GSure Bacterial genomic DNA isolation kit GCC Highlighted Products GSure Gel Extraction kit GSure Soil DNA Isolation kit GSure Sputum DNA Isolation Kit GSure Stool DNA Isolation Kit GSure Urine DNA Isolation Kit GSure Yeast RNA

455 views • 23 slides
Paper Reading Paper HetConv: Heterogeneous Kernel-Based Convolutions for Deep

Paper Reading Paper HetConv: Heterogeneous Kernel-Based Convolutions for Deep

Paper Reading Paper HetConv: Heterogeneous Kernel-Based Convolutions for Deep CNNs, CVPR, 2019 Drop an Octave: Reducing Spatial Redundancy in Convolutional Neural Networks with Octave Convolution EfficientNet: Rethinking

424 views • 21 slides
Introduction to pixel track isolation The purpose of track isolation algorithm is an additional

Introduction to pixel track isolation The purpose of track isolation algorithm is an additional

Introduction to pixel track isolation The purpose of track isolation algorithm is an additional improvement of level-1 pixel trigger performance. Procedure of pixel track isolation Reconstructed pixel tracks using kinematic parameters

669 views • 27 slides
Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel

Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel

Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel Fernndez V, David P. Woodruff, Taisuke Yasuda Kernel Method Many machine learning tasks can be expressed as a function of the inner product

389 views • 22 slides
#KEEPTHECONVERSATIONGOING Sick pay and self isolation Day one right SSP for up to 14 days

#KEEPTHECONVERSATIONGOING Sick pay and self isolation Day one right SSP for up to 14 days

#KEEPTHECONVERSATIONGOING Sick pay and self isolation Day one right SSP for up to 14 days will be reimbursed Self isolation notes from online 111 Self isolation and pay Working from Home Everyone should be working

398 views • 12 slides
Using technology to reduce social isolation: research on dementia and social isolation Professor

Using technology to reduce social isolation: research on dementia and social isolation Professor

Using technology to reduce social isolation: research on dementia and social isolation Professor Josie Tetley Dr Emma-Reetta Koivunen Ageing and Long Term Conditions Group Faculty of Health, Psychology &amp; Social Care Manchester

338 views • 19 slides
Dynamic Memory Dependence Predication Zhaoxiang Jin and Soner nder ISCA-2018, Los Angeles

Dynamic Memory Dependence Predication Zhaoxiang Jin and Soner nder ISCA-2018, Los Angeles

Dynamic Memory Dependence Predication Zhaoxiang Jin and Soner nder ISCA-2018, Los Angeles 6/19/2018 Background 1. Store instructions do not update the cache until they are retired (too late). 2. Store queue is implemented to keep the

607 views • 25 slides
Location Privacy CompSci 590.03 Instructor: Ashwin Machanavajjhala Some slides are from a

Location Privacy CompSci 590.03 Instructor: Ashwin Machanavajjhala Some slides are from a

news.consumerreports.org Location Privacy CompSci 590.03 Instructor: Ashwin Machanavajjhala Some slides are from a tutorial by Mohamed Mokbel (ICDM 2008) Lecture 19: 590.03 Fall 12 1 Outline Location based services Location Privacy

920 views • 46 slides
CS573 Data Privacy and Security Location Privacy Location Privacy Yonghui (Yohu) Xiao htt //

CS573 Data Privacy and Security Location Privacy Location Privacy Yonghui (Yohu) Xiao htt //

CS573 Data Privacy and Security Location Privacy Location Privacy Yonghui (Yohu) Xiao htt // http://yxiao.info i i f Outline Outline What is Location Privacy Basic Techniques Private Information Retrieval Probabilistic

415 views • 24 slides
Trusted Platform Module Alan Dunn , Owen Hofmann, Brent Waters, Emmett Witchel University of

Trusted Platform Module Alan Dunn , Owen Hofmann, Brent Waters, Emmett Witchel University of

Cloaking Malware with the Trusted Platform Module Alan Dunn , Owen Hofmann, Brent Waters, Emmett Witchel University of Texas at Austin USENIX Security August 12, 2011 Trusted Computing Goal: Secure environment for computation Trust

331 views • 19 slides
Presentation Outline Introduction Related Work System Architecture Privacy

Presentation Outline Introduction Related Work System Architecture Privacy

Privacy Protected Query Processing Privacy Protected Query Processing Privacy Protected Query Processing on Spatial Networks on Spatial Networks on Spatial Networks Wei-Shinn Ku Roger Zimmermann Wen-Chih Peng Sushama Shroff Third

557 views • 12 slides
11/24/2009 Privacy in Location Based Services Where's the Blind Evaluation of Nearest Blind

11/24/2009 Privacy in Location Based Services Where's the Blind Evaluation of Nearest Blind

11/24/2009 Privacy in Location Based Services Where's the Blind Evaluation of Nearest Blind Evaluation of Nearest nearest ? Neighbor Queries Using Space Neighbor Queries Using Space Transformation to Preserve Location Privacy

531 views • 7 slides
Dawn Song dawnsong@cs.berkeley.edu 1 TightLip False Negative Analysis (I) Doppleganger

Dawn Song dawnsong@cs.berkeley.edu 1 TightLip False Negative Analysis (I) Doppleganger

Analysis and Defense against Stealth Malware Dawn Song dawnsong@cs.berkeley.edu 1 TightLip False Negative Analysis (I) Doppleganger processes Doppelganger &amp; original run in parallel As long as outputs are same, output does not

650 views • 6 slides
Private Information Retrieval over ICN Christian Tschudin University of Basel ,

Private Information Retrieval over ICN Christian Tschudin University of Basel ,

Private Information Retrieval over ICN Christian Tschudin University of Basel , Switzerland and Symphony.com , Palo Alto, USA /edu/ucla/cs/nom16/PIRoverICN/ndx sha256 MPHF PIR Overview How to lookup secrets over public NDN?

585 views • 12 slides

More recommend