kGuard: Lightweight Kernel Protection
against Return-to-user Attacks
Vasileios P. Kemerlis, Georgios Portokalidis, Angelos D. Keromytis
Network Security Lab,
Department of Computer Science,
Columbia University, USA
21st USENIX Security Symposium (August, 2012)
A Seminar at Advanced Defense Lab 2
Outline
- Why Return-to-user (ret2usr)?
- Threat model
- Protection with kGuard
- Implementation
- Evaluation
- Discussion and Future Work
2012/8/10
Compile-time protection
ASLR, StackGuard, etc.
Why Return-to-user (ret2usr) ?
[Figure: the ret2usr setting; labels: Administrator Process, Attacker, User Process, System Kernel, Privileged Machine Code]
Another Reason
NULL pointer dereference errors had not received significant attention. We usually see them as vulnerabilities for DoS attacks, but they may be used to gain privileges.
- CVE-2011-1888 (Windows)
- CVE-2009-2908 (Linux)
- CVE-2009-3527 (FreeBSD)
- CVE-2009-2692 (Linux, Android)
An example (CVE-2009-2692)
[link]
If the socket descriptor belongs to a vulnerable protocol family, the sendpage pointer (line 742 of the linked source) is set to NULL.
Previous Approaches
Previous approaches to the problem are either impractical for deployment in certain environments or can be easily circumvented.
- Restricting mmap
  ○ Can be circumvented [link]
- PaX
  ○ Platform and architecture specific
  ○ Performance
In this paper
We present a lightweight solution to the problem.
kGuard is a compiler plugin that augments kernel code with control-flow assertions (CFAs), which ensure that privileged execution remains within its valid boundaries and does not cross to user space.
Threat Model
We ascertain that an adversary is able to completely overwrite, partially corrupt (e.g., zero out only certain bytes), or nullify control data that are stored inside the address space of the kernel.
Protection with kGuard
We propose a defensive mechanism that builds upon inline monitoring and code diversification.
kGuard is a cross-platform compiler plugin that enforces address space segregation,
CFAR (transfer by register)
CFAM (transfer by memory)
Can be skipped for optimization
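The two assertion kinds above, CFAR (target in a register) and CFAM (target loaded from memory), reduce to a range check against the kernel/user boundary. The following is an added simulation written for this transcript, not kGuard's own plugin code: it models both checks on integer addresses and runs them over constructed call sites, including an ops table whose sendpage pointer was left NULL as in the CVE-2009-2692 example. The boundary 0xC0000000 (the 32-bit Linux 3G/1G split) and every address in the scenarios are assumptions chosen for the example; the real plugin takes the boundary from the target platform.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed kernel/user boundary for this simulation: the 32-bit Linux 3G/1G
 * split places kernel space at 0xC0000000 and above. On x86-64 the boundary
 * differs (kernel space is the upper canonical half), so it is a parameter. */
#define EXAMPLE_KERNEL_BASE 0xC0000000u

enum cfa_verdict { CFA_OK = 0, CFA_BAD_TARGET = 1, CFA_BAD_SLOT = 2 };

static int in_kernel_space(uintptr_t addr, uintptr_t kernel_base)
{
    return addr >= kernel_base;
}

/* CFAR: the branch target already sits in a register, so the assertion only
 * has to confirm that the target itself lies in kernel space. */
enum cfa_verdict cfar_check(uintptr_t target, uintptr_t kernel_base)
{
    return in_kernel_space(target, kernel_base) ? CFA_OK : CFA_BAD_TARGET;
}

/* CFAM: the target is loaded from memory (e.g. a function pointer inside an
 * ops table). The slot holding the pointer is checked first: if the pointer
 * to the table itself was corrupted to point into user memory, every value
 * read from it is untrusted, so the load is refused before the target is
 * even considered. Then the loaded target is checked as in CFAR. */
enum cfa_verdict cfam_check(uintptr_t slot, uintptr_t target, uintptr_t kernel_base)
{
    if (!in_kernel_space(slot, kernel_base))
        return CFA_BAD_SLOT;
    if (!in_kernel_space(target, kernel_base))
        return CFA_BAD_TARGET;
    return CFA_OK;
}

/* One simulated indirect call site: where the pointer lives and what it holds.
 * All addresses below are constructed for the example. */
struct call_site {
    const char *label;
    uintptr_t slot;   /* address of the function-pointer field */
    uintptr_t target; /* value currently stored there */
};

static const struct call_site SCENARIOS[] = {
    { "intact ops table, sendpage points into kernel text",   0xC1234560u, 0xC0501000u },
    { "sendpage left NULL (CVE-2009-2692 pattern)",           0xC1234560u, 0x00000000u },
    { "ops pointer corrupted to point at a user-space struct", 0x08048000u, 0xC0501000u },
    { "kernel pointer overwritten with a user-space address",  0xC1234560u, 0xBFFF0000u },
};

/* Runs every scenario through the CFAM assertion and returns how many it refused. */
int count_cfam_violations(void)
{
    int violations = 0;
    size_t n = sizeof SCENARIOS / sizeof SCENARIOS[0];
    for (size_t i = 0; i < n; i++) {
        enum cfa_verdict v = cfam_check(SCENARIOS[i].slot, SCENARIOS[i].target,
                                        EXAMPLE_KERNEL_BASE);
        printf("%-55s -> %s\n", SCENARIOS[i].label,
               v == CFA_OK       ? "branch allowed" :
               v == CFA_BAD_SLOT ? "violation: pointer loaded from user memory" :
                                   "violation: target in user space");
        if (v != CFA_OK)
            violations++;
    }
    return violations;
}

int main(void)
{
    int refused = count_cfam_violations();
    printf("%d of %zu simulated branches refused\n",
           refused, sizeof SCENARIOS / sizeof SCENARIOS[0]);
    return 0;
}
```

The NULL sendpage case is the one the slides single out: the pointer itself is stored in kernel memory, so only the second half of the CFAM check (the target) catches it, which is also why the slot check alone cannot be skipped in favour of the target check when the pointer to the table can be corrupted.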
Bypass Trampolines
Like return-oriented programming
It is possible to find an embedded opcode sequence that translates directly to a control branch in user space.
Code Diversification Against Bypasses
Code inflation
- randomizing the starting address of the text segment
- inserting NOP sleds of random length at the beginning of each CFA
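Code inflation works because every sled inserted in front of a CFA shifts all the code after it, so the address of each site moves by the randomized text base plus the sum of all preceding sled lengths. The following is an added illustration of that layout arithmetic, not the plugin's code: it takes constructed CFA offsets, draws sled lengths in the 0 to 20 range quoted on the evaluation slide (treated here as bytes, an assumption), and reports how many sites changed address between two builds.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_SLED 20   /* sled length range 0..20, from the evaluation slide */
#define NSITES   4

/* Constructed: offsets of the CFA sites in the uninflated text, relative to
 * the start of the text segment. */
static const uintptr_t SITE_OFFSETS[NSITES] = { 0x0040, 0x0130, 0x0250, 0x0A00 };

/* Final address of each CFA after the text base is randomized and a sled of
 * sled[i] bytes is placed in front of CFA i. Each sled moves every later
 * site, so site i ends up at base + offset[i] + sled[0] + ... + sled[i]. */
void inflate_layout(uintptr_t text_base, const unsigned sled[NSITES],
                    uintptr_t out[NSITES])
{
    uintptr_t shift = 0;
    for (size_t i = 0; i < NSITES; i++) {
        shift += sled[i];
        out[i] = text_base + SITE_OFFSETS[i] + shift;
    }
}

/* Draws one sled length per CFA. The PRNG is seeded explicitly only so the
 * example is repeatable; a real build would use a proper random source. */
void draw_sleds(unsigned seed, unsigned sled[NSITES])
{
    srand(seed);
    for (size_t i = 0; i < NSITES; i++)
        sled[i] = (unsigned)(rand() % (MAX_SLED + 1));
}

/* Number of CFA sites whose address differs between two layouts. */
int count_moved(const uintptr_t a[NSITES], const uintptr_t b[NSITES])
{
    int moved = 0;
    for (size_t i = 0; i < NSITES; i++)
        if (a[i] != b[i])
            moved++;
    return moved;
}

int main(void)
{
    unsigned none[NSITES] = { 0, 0, 0, 0 }, sled[NSITES];
    uintptr_t plain[NSITES], inflated[NSITES];

    inflate_layout(0xC0100000u, none, plain);   /* uninflated reference build */
    draw_sleds(2012u, sled);
    inflate_layout(0xC0100000u, sled, inflated); /* same base, sleds inserted */

    for (size_t i = 0; i < NSITES; i++)
        printf("CFA %zu: 0x%08lx -> 0x%08lx (sled %u)\n", i,
               (unsigned long)plain[i], (unsigned long)inflated[i], sled[i]);
    printf("%d of %d sites moved\n", count_moved(plain, inflated), NSITES);
    return 0;
}
```

Because the shift accumulates, later sites gain more entropy than earlier ones even before the text base is randomized; the base randomization is what moves the first site.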
Code Diversification Against Bypasses (cont.)
CFA motion
Implementation
GCC 4.51
Evaluation
Our testbed consisted of a single host, equipped with two 2.66GHz quad-core Intel Xeon X5500 CPUs and 24GB of RAM, running Debian Linux v6 (“squeeze” with kernel v2.6.32).
NOP sled before CFA: 0 ~ 20
Preventing Real Attacks
Translation Overhead
Kernel image size increased
- x86: 3.5%
- x86-64: 5.6%
Performance Overhead
Macro benchmarks
- Building a vanilla Linux kernel
- MySQL v5.1.49
  ○ Its own benchmark suite (sql-bench)
- Apache v2.2.16
  ○ Its utility ab and static HTML files
Macro Benchmark Result
| Benchmark | kGuard x86 | kGuard x86-64 | PaX x86 | PaX x86-64 |
|---|---|---|---|---|
| Building kernel | 1.03% | 0.93% | 1.26% | 2.89% |
| sql-bench | 0.93% | 0.85% | 1.16% | 2.67% |
| ab | 0.001% – 0.01% | 0.001% – 0.01% | 0.01% – 0.09% | 0.01% – 0.67% |
Micro Benchmarks
Discussion and Future Work
Custom violation handlers
Persistent threats
CFA motion at runtime
Q & A