Subverting Operating System Properties through Evolutionary DKOM - - PowerPoint PPT Presentation

▶

Nov 01, 2023 474 likes •708 views

Subverting Operating System Properties through Evolutionary DKOM Attacks Mariano Graziano, Lorenzo Flore, Andrea Lanzi, Davide Balzarotti Cisco Systems, Inc. Universita degli Studi di

SLIDE 1

Subverting Operating System Properties through Evolutionary DKOM Attacks

Mariano ¡Graziano, ¡Lorenzo ¡Flore, ¡Andrea ¡Lanzi, ¡Davide ¡Balzarotti ¡ Cisco ¡Systems, ¡Inc. ¡ Universita’ ¡degli ¡Studi ¡di ¡Milano ¡ Eurecom ¡ DIMVA ¡2016 ¡-‑ ¡San ¡Sebastian, ¡Spain ¡

SLIDE 2

TRADITIONAL DKOM ATTACKS

EPROCESS EPROCESS EPROCESS

SLIDE 3

TRADITIONAL DKOM ATTACKS

EPROCESS EPROCESS EPROCESS

SLIDE 4

TRADITIONAL DKOM DEFENSES

Kernel data integrity solutions:
invariants
external systems
memory analysis
data partitioning

SLIDE 5

EVOLUTIONARY DKOM ATTACKS

Time

data structure of interest

SLIDE 6

EVOLUTIONARY DKOM ATTACKS

Violation of a temporal property

SLIDE 7

EVOLUTIONARY DKOM ATTACKS

Violation of a temporal property the attack cannot b e d e t e c t e d looking at a single snapshot

SLIDE 8

STATE VS PROPERTY

Traditional DKOM affects the state and are

discrete

Evolutionary DKOM (E-DKOM) affects the

evolution in time of a given property and are continuous

SLIDE 9

THREAT MODEL

Attacker has access to ring0
Malicious code not detectable by current solutions
Attacker cannot modify kernel code and attack the

VMM

SLIDE 10

EXAMPLE: LINUX CFS SCHEDULER

SLIDE 11

SUBVERTING THE SCHEDULER

target

SLIDE 12

SUBVERTING THE SCHEDULER

target right most

SLIDE 13

SUBVERTING THE SCHEDULER

target right most

Set ¡targetvruntime ¡> ¡rightmostvruntime ¡

SLIDE 14

SUBVERTING THE SCHEDULER

target target

We affected the evolution of the data structure over time. We altered the scheduler property (fair execution).

SLIDE 15

ATTACK EVALUATION

Temporarily block an IDS or Antivirus
Temporarily block Inotify

SLIDE 16

DEFENSES?

Reference monitor that mimics the OS property:
OS specific
Difficult to generalize

SLIDE 17

DEFENSE FRAMEWORK

SLIDE 18

DEFENSE FRAMEWORK

SLIDE 19

DEFENSE FRAMEWORK

SLIDE 20

OVERHEAD

Normal ¡operations Stress ¡test

SLIDE 21

CONCLUSIONS

New DKOM attack based on data structures evolution
Experiment on the Linux CFS scheduler
Defense solution based on hypervisor
General mitigation/solution very hard

SLIDE 22

Subverting Operating System Properties through Evolutionary DKOM Attacks

Mariano ¡Graziano, ¡Lorenzo ¡Flore, ¡Andrea ¡Lanzi, ¡Davide ¡Balzarotti ¡ Cisco ¡Systems, ¡Inc. ¡ Universita’ ¡degli ¡Studi ¡di ¡Milano ¡ Eurecom ¡ DIMVA ¡2016 ¡-­‑ ¡San ¡Sebastian, ¡Spain ¡

TRADITIONAL DKOM ATTACKS

EPROCESS EPROCESS EPROCESS

TRADITIONAL DKOM ATTACKS

EPROCESS EPROCESS EPROCESS

TRADITIONAL DKOM DEFENSES

EVOLUTIONARY DKOM ATTACKS

Time

data structure of interest

EVOLUTIONARY DKOM ATTACKS

Violation of a temporal property

EVOLUTIONARY DKOM ATTACKS

Violation of a temporal property the attack cannot b e d e t e c t e d looking at a single snapshot

STATE VS PROPERTY

discrete

evolution in time of a given property and are continuous

THREAT MODEL

VMM

EXAMPLE: LINUX CFS SCHEDULER

SUBVERTING THE SCHEDULER

target

SUBVERTING THE SCHEDULER

target right most

SUBVERTING THE SCHEDULER

target right most

Set ¡targetvruntime ¡> ¡rightmostvruntime ¡

SUBVERTING THE SCHEDULER

target target

We affected the evolution of the data structure over time. We altered the scheduler property (fair execution).

ATTACK EVALUATION

DEFENSES?

DEFENSE FRAMEWORK

DEFENSE FRAMEWORK

DEFENSE FRAMEWORK

OVERHEAD

Normal ¡operations Stress ¡test

CONCLUSIONS

Mariano Graziano magrazia@cisco.com @emd3l

QUESTIONS?

Mariano ¡Graziano, ¡Lorenzo ¡Flore, ¡Andrea ¡Lanzi, ¡Davide ¡Balzarotti ¡ Cisco ¡Systems, ¡Inc. ¡ Universita’ ¡degli ¡Studi ¡di ¡Milano ¡ Eurecom ¡ DIMVA ¡2016 ¡-‑ ¡San ¡Sebastian, ¡Spain ¡