

  1. PROTECTING THE CORE: KERNEL EXPLOITATION MITIGATIONS
     Patroklos Argyroudis, Dimitris Glynos
     {argp, dimitris} at census-labs.com
     Census, Inc.
     Black Hat EU 2011
     PROTECTING THE CORE: KERNEL EXPLOITATION MITIGATIONS :: BLACK HAT EU 2011 :: CENSUS, INC.

  2. OVERVIEW
     ◮ Importance of kernel security
     ◮ Kernel memory corruption vulnerabilities
     ◮ Userland memory corruption mitigations
     ◮ Kernel exploitation mitigations
     ◮ Bypassing kernel protections
     ◮ Conclusion

  3. IMPORTANCE OF KERNEL SECURITY
     ◮ Operating system kernels are an attractive target for attackers
       ◮ Large code bases
       ◮ Countless entry points (syscalls, IOCTLs, FS code, network, etc.)
       ◮ Complicated interactions between subsystems
     ◮ Experience has shown that kernels on production systems are seldom upgraded
     ◮ Sandbox-based security measures can easily be subverted via kernel vulnerabilities
     ◮ Is the requirement of local access relevant anymore?
       ◮ Web apps, devices (iPhone, Android), remote bugs

  4. KERNEL MEMORY CORRUPTION VULNERABILITIES
     ◮ NULL pointer dereferences
       ◮ Used for initialization, to signify default, returned on error, etc.
       ◮ Problem for systems that split the virtual address space into two, kernel and process space
     ◮ Kernel stack overflows
       ◮ Per-process or per-LWP stacks
       ◮ Kernel internal functions' stacks
     ◮ Memory allocator overflows
       ◮ Corrupt adjacent objects
       ◮ Corrupt metadata

  5. BUGS THAT LEAD TO MEMORY CORRUPTIONS
     ◮ Insufficient validation of user input
       ◮ Traditional insufficient bounds checking
       ◮ Arbitrary memory corruptions (array indexes, reference counters)
       ◮ Signedness

           func(size_t user_size)
           {
               int size = user_size;          /* size_t narrowed to a signed int */
               if (size < MAX_SIZE) {         /* a huge user_size is negative here and passes */
                   /* do some operation with size considered safe */
               }
           }

       ◮ Integer overflows

           vmalloc(sizeof(struct kvm_cpuid_entry2) * cpuid->nent);  /* product can wrap */

     ◮ Race conditions
       ◮ Validation time vs use time
       ◮ Changeable locked resources
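The signedness and integer-overflow patterns from this slide, each beside a corrected check, as an added C example that is not from the presentation; MAX_SIZE, struct entry (a 16-byte stand-in for struct kvm_cpuid_entry2) and the function names are assumptions, and the 32-bit arithmetic mirrors the 32-bit 2.6.37 kernel the slides use.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define MAX_SIZE 4096   /* assumed upper bound the check is meant to enforce */

/* Assumed 16-byte stand-in for the slide's struct kvm_cpuid_entry2. */
struct entry { uint32_t field[4]; };

/* Signedness pattern from the slide: the size_t is narrowed to int before
 * the bound check, so a huge value becomes negative and passes "< MAX_SIZE".
 * Returns true when the check accepts user_size. */
bool accepts_signed(size_t user_size)
{
    int size = (int)user_size;
    return size < MAX_SIZE;
}

/* Corrected check: compare in the unsigned domain, with no narrowing. */
bool accepts_unsigned(size_t user_size)
{
    return user_size < MAX_SIZE;
}

/* Integer overflow pattern from the slide: sizeof(entry) * nent computed in
 * 32 bits (as on the 32-bit kernel the slides target) wraps silently, so a
 * huge nent yields a tiny allocation that the later copy loop overruns. */
uint32_t entry_bytes_unchecked(uint32_t nent)
{
    return (uint32_t)sizeof(struct entry) * nent;
}

/* Corrected: refuse any nent whose product would not fit in 32 bits (returns 0). */
uint32_t entry_bytes_checked(uint32_t nent)
{
    if (nent > UINT32_MAX / sizeof(struct entry))
        return 0;
    return (uint32_t)sizeof(struct entry) * nent;
}
```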

  6. USERLAND MEMORY CORRUPTION MITIGATIONS
     ◮ Stack canaries
       ◮ Protect metadata stored on the stack
     ◮ Heap canaries
       ◮ Guard value
       ◮ Used to encode elements of important structures
     ◮ Heap safe unlinking
       ◮ Metadata sanitization
     ◮ ASLR
       ◮ Location of stack randomized
       ◮ Random base address for dynamic libraries
       ◮ Random base address for executables (e.g. PIE)
       ◮ Location of heap randomized (e.g. brk ASLR)

  7. USERLAND MEMORY CORRUPTION MITIGATIONS
     ◮ Mark pages as non-executable (DEP/NX/XD/software-enforced)
     ◮ Mandatory Access Control (MAC): SELinux, grsecurity (RBAC), AppArmor (path-based)
     ◮ Process debugging protection
       ◮ Forbid users to debug (their own) processes that are not launched by a debugger
       ◮ Contain application compromises
     ◮ Compile-time fortification
       ◮ -D_FORTIFY_SOURCE=2
       ◮ Variable reordering
     ◮ grsecurity/PaX is the seminal work and provides much more

  8. KERNEL EXPLOITATION MITIGATIONS

  9. LINUX
     Focus on Linux 2.6.37
     ◮ Stack overflow protection
     ◮ SLUB Red Zone
     ◮ Memory protection
     ◮ NULL page mappings
     ◮ Poison pointer values
     ◮ Linux Kernel Modules
     ◮ grsecurity patch

  10. LINUX :: STACK OVERFLOW PROTECTION
      SSP-type protection
      ◮ CC_STACKPROTECTOR option
      ◮ gcc -fstack-protector
      ◮ affects the compilation of both kernel and modules
      ◮ local variable re-ordering
      ◮ canary protection only for functions with local character arrays ≥ 8 bytes
      ◮ in a kernel image with 16604 functions only 378 were protected (about 2%)
      ◮ if the canary is overwritten the kernel panics

  11. LINUX :: CANARIES
      ◮ A per-CPU canary is generated at boot-time

        boot_init_stack_canary @ arch/x86/include/asm/stackprotector.h

            u64 canary;
            u64 tsc;
            ...
            get_random_bytes(&canary, sizeof(canary));
            tsc = native_read_tsc();
            canary += tsc + (tsc << 32UL);
            ...
            current->stack_canary = canary;
            ...
            percpu_write(stack_canary.canary, canary);

      ◮ Each Lightweight Process (LWP) receives its own kernel stack canary

        dup_task_struct @ kernel/fork.c

            tsk->stack_canary = get_random_int();

        get_random_int @ drivers/char/random.c

            hash[0] += current->pid + jiffies + get_cycles();
            ret = half_md4_transform(hash, keyptr->secret);

  12. LINUX :: CANARIES
      ◮ GCC expects to find the canary at %gs:0x14

        proc_fdinfo_read @ fs/proc/base.c

              9:  mov  %gs:0x14, %edx
             16:  mov  %edx, -0x10(%ebp)
                  ...
             81:  mov  -0x10(%ebp), %edx
             84:  xor  %gs:0x14, %edx
             91:  jne  <proc_fdinfo_read+106>
                  ...
            106:  call <__stack_chk_fail>

      ◮ The canary is placed right after the local variables, thus "protecting" the saved base pointer, the saved instruction pointer and the function parameters

  13. LINUX :: STACK OVERFLOW EXAMPLE

      Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in c10e1ebf
      Pid: 9028, comm: canary-test Tainted: G D 2.6.37 #1
      Call Trace:
       [<c1347887>] ? printk+0x18/0x21
       [<c1347761>] panic+0x57/0x165
       [<c1026339>] __stack_chk_fail+0x19/0x30
       [<c10e1ebf>] ? proc_fdinfo_read+0x6f/0x70
       [<c10e1ebf>] proc_fdinfo_read+0x6f/0x70
       [<c10a377d>] ? rw_verify_area+0x5d/0x100
       [<c10a42d9>] vfs_read+0x99/0x140
       [<c10e1e50>] ? proc_fdinfo_read+0x0/0x70
       [<c10a443d>] sys_read+0x3d/0x70
       [<c1002b97>] sysenter_do_call+0x12/0x26

  14. LINUX :: SLUB RED ZONE
      ◮ The SLUB is a kernel slab allocator
        ◮ It allocates contiguous "slabs" of memory for object storage
        ◮ Each slab may contain one or more objects
        ◮ Objects are grouped in "caches"
        ◮ Each cache organizes objects of the same type
        ◮ New objects quickly reclaim the space of recently "deleted" objects
      ◮ A "Red Zone" is a word-sized canary of '0xcc' bytes placed right after every object in a slab
        ◮ It helps in identifying memory corruption bugs in kernel code (i.e. it's not a security mechanism)
        ◮ If a Red Zone is overwritten, debug info is printed, the Red Zone is restored and the kernel continues execution
        ◮ Requires the slub_debug=FZ boot-time option and the SLUB_DEBUG config option

  15. LINUX :: SLAB OVERFLOW EXAMPLE

      =======================================================================
      BUG kmalloc-1024: Redzone overwritten
      -----------------------------------------------------------------------

      INFO: 0xc7ac9018-0xc7ac9018. First byte 0x33 instead of 0xcc
      INFO: Slab 0xc7fe5900 objects=15 used=10 fp=0xc7aca850 flags=0x400040c0
      INFO: Object 0xc7ac8c18 @offset=3096 fp=0x33333333

      Bytes b4 0xc7ac8c08: 00 00 00 00 00 00 00 00 cc cc cc cc 00 00 00 00
        Object 0xc7ac8c18: 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33
        ...
       Redzone 0xc7ac9018: 33 cc cc cc
       Padding 0xc7ac901c: 00 00 00 00
      Pid: 8382, comm: cat Not tainted 2.6.37 #2
      Call Trace:
       [<c10a0e77>] print_trailer+0xe7/0x130
       [<c10a152d>] check_bytes_and_report+0xed/0x150
       [<c10a16e0>] check_object+0x150/0x210
       [<c10a1f22>] free_debug_processing+0xd2/0x1b0
       [<c10a35ae>] kfree+0xfe/0x170
       [<c87f31c0>] ? sectest_exploit+0x1a0/0x1ec [sectest_overwrite_slub]
       ...
       [<c1002b97>] sysenter_do_call+0x12/0x26
      FIX kmalloc-1024: Restoring 0xc7ac9018-0xc7ac9018
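A user-space model of the SLUB Red Zone check and restore described on slide 14 and shown in the output above, as an added C example rather than kernel code; the struct layout, the 4-byte red zone and the redzone_demo() scenario are assumptions, while 0xcc, the 1024-byte object and the 0x33 overrun byte come from the slides.

```c
#include <stdint.h>
#include <string.h>

#define SLUB_RED_ACTIVE 0xcc  /* red-zone fill byte of a live object, as on the slide */
#define REDZONE_BYTES   4     /* one word on the 32-bit kernel the slides use (assumed) */
#define OBJ_BYTES       1024  /* mirrors the kmalloc-1024 cache in the slide output */

/* Assumed slab layout: the object immediately followed by its red zone. */
struct slab_object {
    uint8_t data[OBJ_BYTES];
    uint8_t redzone[REDZONE_BYTES];
};

struct redzone_report {
    int offset;    /* first red-zone byte that is not 0xcc, or -1 if intact */
    int value;     /* the byte found there (the slide shows 0x33) */
    int restored;  /* bytes repainted to 0xcc, as in "FIX ... Restoring" */
};

/* Model of check_bytes_and_report(): find the first byte that is not 0xcc. */
static int redzone_first_bad(const struct slab_object *o, int *value)
{
    for (int i = 0; i < REDZONE_BYTES; i++)
        if (o->redzone[i] != SLUB_RED_ACTIVE) { *value = o->redzone[i]; return i; }
    return -1;
}

/* Model of the restore step: repaint and carry on; nothing is killed, which is
 * why the slide calls the Red Zone a debugging aid rather than a defence. */
static int redzone_restore(struct slab_object *o)
{
    int fixed = 0;
    for (int i = 0; i < REDZONE_BYTES; i++)
        if (o->redzone[i] != SLUB_RED_ACTIVE) { o->redzone[i] = SLUB_RED_ACTIVE; fixed++; }
    return fixed;
}

/* Constructed scenario: a fresh object, a memset that runs `overrun` bytes of
 * 0x33 past its end (capped at the red zone), then the free-time check. */
struct redzone_report redzone_demo(size_t overrun)
{
    static struct slab_object o;
    struct redzone_report r = { -1, -1, 0 };
    uint8_t *raw = (uint8_t *)&o;           /* whole struct: the overrun stays inside it */
    if (overrun > REDZONE_BYTES) overrun = REDZONE_BYTES;
    memset(&o, 0, sizeof o);
    memset(o.redzone, SLUB_RED_ACTIVE, sizeof o.redzone);
    memset(raw, 0x33, OBJ_BYTES + overrun); /* the bug: writes past the object */
    r.offset = redzone_first_bad(&o, &r.value);
    r.restored = redzone_restore(&o);
    return r;
}
```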

  16. LINUX :: MEMORY PROTECTION
      ◮ Right after boot the kernel write-protects the pages belonging to:
        ◮ the kernel code
        ◮ the read-only data (built-in firmware, kernel symbol table, etc.)
      ◮ The non-executable bit is enabled for the pages of read-only data
        ◮ and only on hardware that supports it

  17. LINUX :: NULL PAGE MAPPINGS
      ◮ Linux mmap(2) avoids NULL page mappings by mapping pages at addresses ≥ mmap_min_addr
      ◮ mmap_min_addr defaults to 4096
      ◮ Two ways to configure mmap_min_addr
        ◮ via a Linux Security Module (LSM)
        ◮ via Discretionary Access Control (DAC)
          ◮ sysctl vm.mmap_min_addr
          ◮ /proc/sys/vm/mmap_min_addr
          ◮ DEFAULT_MMAP_MIN_ADDR kernel config option
      ◮ mmap_min_addr = max(LSM value, DAC value)
