control flow integrity cfi in the linux kernel
play

Control Flow Integrity (CFI) in the Linux kernel Kees (Case) Cook - PowerPoint PPT Presentation

Nov 15, 2022 •179 likes •624 views

Control Flow Integrity (CFI) in the Linux kernel Kees (Case) Cook @kees_cook keescook@chromium.org Linux Conf AU 2020 https://outflux.net/slides/2020/lca/cfi.pdf Acknowledgment of Country Jingeri! We meet today on the traditional lands

  1. Control Flow Integrity (CFI) in the Linux kernel Kees (“Case”) Cook @kees_cook keescook@chromium.org Linux Conf AU 2020 https://outflux.net/slides/2020/lca/cfi.pdf

  2. Acknowledgment of Country Jingeri! We meet today on the traditional lands of the Yugambeh people, and I pay my respects to their elders past and present, and leaders emerging. https://en.wikipedia.org/wiki/Yugambeh_people https://www.yugambeh.com/

  3. Agenda ● What is kernel Control Flow Integrity (CFI)? ● Clang CFI implementations ● Pixel phones and the Android Ecosystem ● Gotchas ● Upstreaming status ● Do it yourself!

  4. What is kernel Control Flow Integrity? ● Why should anyone care about this? – Most compromises of the kernel are about gaining execution control, where the initial flaw is some kind of attacker- controlled write to system memory. What can be written to, and how can that be turned into execution control? ● Flaws come in many flavors – write only up to a certain amount, only a single zero, only a set of fixed value bytes – worst-case is a “write anything anywhere at any time” flaw

  5. Attack method: write to kernel code! ● Change the kernel code itself, by writing malicious code directly on the kernel! (e.g. ancient rootkits) ● Target must be executable and writable...

  6. What is writable and executable? From userspace ... non-canonical userspace kernel 16M TB 128 TB 128 TB (not to scale!) 0 0 0 0 x x x x 0 0 f f 0 0 f f 0 0 f f 0 0 f f 0 7 8 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f https://www.kernel.org/doc/html/latest/x86/x86_64/mm.html

  7. What is writable and executable? From kernel (ancient, simplified) ... non-canonical userspace kernel modules 16M TB text 128 TB 128 TB (not to scale!) 0 0 0 0 x x x x 0 0 f f 0 0 f f 0 0 f f 0 0 f f 0 7 8 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f https://www.kernel.org/doc/html/latest/x86/x86_64/mm.html

  8. What is writable and executable? From kernel (NX, simplified) ... non-canonical userspace kernel modules 16M TB text 128 TB 128 TB (not to scale!) 0 0 0 0 x x x x 0 0 f f 0 0 f f 0 0 f f 0 0 f f 0 7 8 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f https://www.kernel.org/doc/html/latest/x86/x86_64/mm.html

  9. What is writable and executable? From kernel (NX, RO, simplified) ... non-canonical userspace kernel modules 16M TB text 128 TB 128 TB (not to scale!) 0 0 0 0 x x x x 0 0 f f 0 0 f f 0 0 f f 0 0 f f 0 7 8 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f https://www.kernel.org/doc/html/latest/x86/x86_64/mm.html

  10. What is writable and executable? From kernel (NX, RO, SMEP/PXN, simplified) ... non-canonical userspace kernel modules 16M TB text 128 TB 128 TB (not to scale!) 0 0 0 0 x x x x 0 0 f f 0 0 f f 0 0 f f 0 0 f f 0 7 8 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f https://www.kernel.org/doc/html/latest/x86/x86_64/mm.html

  11. Attack method: call into kernel code! ● Call unexpected kernel code, or with malicious arguments, or in a malicious order, by writing to stored function pointers or arguments. ● Target must be writable and contain function pointers. Attack works by hijacking indirect function calls...

  12. direct function calls lea 0x9000(%rip),%rdi # <info> callq 1138 < do_simple> int action_launch(int idx) { ... int do_simple (struct foo *info) int rc; { ... stuff; and; things; rc = do_simple (info); As we saw, text (code) ... ... memory should never be } return 0; writable (W^X) so calls } cannot be redirected by an arbitrary write flaw...

  13. indirect function calls typedef int (*func_ptr)(struct foo *); func_ptr saved_actions[] = { do_simple , lea 0x2ea6(%rip),%rax # <saved_actions> do_fancy, mov (%rax,%rdi,8),%rax ... lea 0x9000(%rip),%rdi # <info> }; callq *%rax int action_launch(int idx) { func_ptr action; int do_simple (struct foo *info) int rc; ... { action = saved_actions[idx]; stuff; and; ... things; rc = action(info); ... ... } return 0; }

  14. indirect calls: “ forward-edge ” typedef int (*func_ptr)(struct foo *); func_ptr saved_actions[] = { do_simple , lea 0x2ea6(%rip),%rax # <saved_actions> do_fancy, mov (%rax,%rdi,8),%rax ... lea 0x9000(%rip),%rdi # <info> }; callq *%rax int action_launch(int idx) { func_ptr action; int do_simple (struct foo *info) int rc; e ... g { d e d r a w r o action = saved_actions[idx]; f stuff; and; ... things; rc = action(info); ... ... } return 0; }

  15. indirect calls: “ forward-edge ” typedef int (*func_ptr)(struct foo *); func_ptr saved_actions[] = { do_simple , lea 0x2ea6(%rip),%rax # <saved_actions> do_fancy, heap mov (%rax,%rdi,8),%rax ... lea 0x9000(%rip),%rdi # <info> }; callq *%rax int action_launch(int idx) { func_ptr action; stack int do_simple (struct foo *info) int rc; e ... g { d e d r a w r o action = saved_actions[idx]; f stuff; and; ... As we’ll see, the heap things; rc = action(info); and stack are writable, so ... ... function calls can be } return 0; redirected by an arbitrary } write flaw

  16. function returns: “ backward-edge ” typedef int (*func_ptr)(struct foo *); func_ptr saved_actions[] = { do_simple , retq do_fancy, ... }; ... return address int action_launch(int idx) action { rc func_ptr action; stack ... int do_simple (struct foo *info) int rc; e g ... { d e d r a w r o f action = saved_actions[idx]; stuff; and; ... things; rc = action(info); ... ... backward edge } return 0; }

  17. What contains writable func ptrs? From userspace ... non-canonical userspace kernel 16M TB 128 TB 128 TB (not to scale!) 0 0 0 0 x x x x 0 0 f f 0 0 f f 0 0 f f 0 0 f f 0 7 8 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f https://www.kernel.org/doc/html/latest/x86/x86_64/mm.html

  18. What contains writable func ptrs? From kernel (simplified) ... non-canonical userspace kernel 16M TB heap stacks 128 TB 128 TB (not to scale!) 0 0 0 0 x x x x 0 0 f f 0 0 f f 0 0 f f 0 0 f f 0 7 8 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f https://www.kernel.org/doc/html/latest/x86/x86_64/mm.html

  19. What contains writable func ptrs? From kernel (SMAP/PAN, simplified) ... non-canonical userspace kernel 16M TB heap stacks 128 TB 128 TB (not to scale!) 0 0 0 0 x x x x 0 0 f f 0 0 f f 0 0 f f 0 0 f f 0 7 8 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f 0 f https://www.kernel.org/doc/html/latest/x86/x86_64/mm.html

  20. What can attacker call? Any executable byte! executable writable memory memory evil write forward edge mov (%rax,%rdi,8),%rax heap callq *%rax text & backward edge stacks retq

  21. Control Flow Integrity typedef int (*func_ptr)(struct foo *); func_ptr saved_actions[] = { Goal of CFI: ensure that each indirect call can do_simple , only call into an “expected” subset of all kernel do_fancy, ... functions, and that the return stack pointers are }; unchanged since we made the call. int action_launch(int idx) { func_ptr action; int do_simple (struct foo *info) int rc; e g ... { d e d r a w r o f action = saved_actions[idx]; stuff; and; ... things; rc = action(info); ... ... backward edge } return 0; }

  22. CFI: forward-edge protection ● validate indirect function pointers at call time – some way to indicate “classes” of functions: current research suggests using function prototype (return type, argument types) as “uniqueness” key. For example: ● if the same prototype, call site can choose any matching function: – int do_fast_path(unsigned long, struct file *file) – int do_slow_path(unsigned long, struct file *file) ● if different prototypes, calls cannot be mixed: – void foo(unsigned long) – int bar(unsigned long) – hardware help here has poor granularity (e.g. BTI)

  23. What can attacker call? With forward-edge CFI, call sites encode a single function prototype they are allowed to call. Everything else is rejected. executable writable memory memory int do_simple(struct foo *info); int do_fancy(struct foo *info); do_simple int action_launch(int idx) evil { do_fancy write int (*action)(struct foo *); ... heap rc = action(info); text ... & } stacks

Recommend

Feel me Flow: A Review of Control-Flow Integrity Methods for User and Kernel Space Irene

Feel me Flow: A Review of Control-Flow Integrity Methods for User and Kernel Space Irene

Feel me Flow: A Review of Control-Flow Integrity Methods for User and Kernel Space Irene Dez-Franco, Igor Santos DeustoTech, University of Deusto irene.diez@deusto.es isantos@deusto.es Rationale Rationale Code injection attacks Code

865 views • 61 slides
Control Flow Integrity Lujo Bauer 18-732 Spring 2015 Control Hijacking Arms Race Control

Control Flow Integrity Lujo Bauer 18-732 Spring 2015 Control Hijacking Arms Race Control

Control Flow Integrity Lujo Bauer 18-732 Spring 2015 Control Hijacking Arms Race Control Control Flow Flow Integrity Integrity Attacks Attacks 2 http://propercourse.blogspot.com/2010/05/i-believe-in-duct-tape.html CFI: Goal Provably

744 views • 41 slides
Control Flow Integrity for COTS Binaries Mingwei Zhang and R. Sekar Stony Brook University --

Control Flow Integrity for COTS Binaries Mingwei Zhang and R. Sekar Stony Brook University --

Control Flow Integrity for COTS Binaries Mingwei Zhang and R. Sekar Stony Brook University -- Summarized by Navid Emamdoost University of Minnesota Outline Background Control Flow attacks Control Flow Integrity Control Flow

795 views • 33 slides
MODERN MEMORY DEFENSES GRAD SEC SEP 14 2017 TODAYS PAPERS CONTROL FLOW INTEGRITY

MODERN MEMORY DEFENSES GRAD SEC SEP 14 2017 TODAYS PAPERS CONTROL FLOW INTEGRITY

MODERN MEMORY DEFENSES GRAD SEC SEP 14 2017 TODAYS PAPERS CONTROL FLOW INTEGRITY Fundamentally, code injection attacks altered the target programs control flow Recall: Confidentiality, Integrity, Availability Most integrity

937 views • 30 slides
Debugging the Linux Kernel with GDB Kieran Bingham Debugging the Linux Kernel with GDB Many

Debugging the Linux Kernel with GDB Kieran Bingham Debugging the Linux Kernel with GDB Many

Debugging the Linux Kernel with GDB Kieran Bingham Debugging the Linux Kernel with GDB Many of us need to debug the Linux kernel Proprietary tools like Trace32 and DS-5 are $$$ Open source debuggers like GDB lack kernel

884 views • 40 slides
Enforcing Kernel Security Invariants with Data Flow Integrity Chengyu Song , ByoungyoungLee,

Enforcing Kernel Security Invariants with Data Flow Integrity Chengyu Song , ByoungyoungLee,

Enforcing Kernel Security Invariants with Data Flow Integrity Chengyu Song , ByoungyoungLee, Kangjie Lu, William Harris, Taesoo Kim, Wenke Lee Institute for Information Security &amp; Privacy Georgia Tech Kernel Memory Corruption Vulnerability

493 views • 24 slides
Enforcing Un Unique Code Target Property for Control-Flow Integrity Ho Hong Hu Hu, Chenxiong

Enforcing Un Unique Code Target Property for Control-Flow Integrity Ho Hong Hu Hu, Chenxiong

Enforcing Un Unique Code Target Property for Control-Flow Integrity Ho Hong Hu Hu, Chenxiong Qian, Carter Yagmann, Simon Pak Ho Chung, William R. Harris , Taesoo Kim, Wenke Lee * 1 Control-flow attack Control-flow: the order of

692 views • 31 slides
Intro to Linux Kernel Programming Don Porter Lab 4 You will write a Linux kernel module

Intro to Linux Kernel Programming Don Porter Lab 4 You will write a Linux kernel module

Intro to Linux Kernel Programming Don Porter Lab 4 You will write a Linux kernel module Linux is written in C, but does not include all standard libraries And some other idiosyncrasies This lecture will give you a crash

1.35k views • 22 slides
1 Theres a kernel security researcher named Dan Rosenberg whose done a lot of linux kernel

1 Theres a kernel security researcher named Dan Rosenberg whose done a lot of linux kernel

1 Theres a kernel security researcher named Dan Rosenberg whose done a lot of linux kernel vulnerability research Thats unavoidable, but the linux kernel developers dont do very much to make the situation any better. -- Basically, the

625 views • 36 slides
Control-Flow Integrity Principles, Implementations, and Applications

Control-Flow Integrity Principles, Implementations, and Applications

Control-Flow Integrity Principles, Implementations, and Applications 2634 2528 2690 CFI: Goal Provably correct mechanisms

540 views • 26 slides
Hacking on Xen in the Linux Kernel Lisa Nguyen, Linux Kernel Intern FOSS Outreach Program for

Hacking on Xen in the Linux Kernel Lisa Nguyen, Linux Kernel Intern FOSS Outreach Program for

Hacking on Xen in the Linux Kernel Lisa Nguyen, Linux Kernel Intern FOSS Outreach Program for Women LinuxCon North America 2013 Agenda Introduction What Got Me Interested in OPW Project Overview Xen Block Ring Protocol

922 views • 13 slides
Introduction to Linux Kernel Modules Luca Abeni luca.abeni@santannapisa.it Linux Kernel Modules

Introduction to Linux Kernel Modules Luca Abeni luca.abeni@santannapisa.it Linux Kernel Modules

Introduction to Linux Kernel Modules Luca Abeni luca.abeni@santannapisa.it Linux Kernel Modules Kernel module: code that can be dynamically loaded/unloaded into the kernel at runtime Change the kernel code without needing to reboot

545 views • 13 slides
GNU/Linux Why use it? What is Linux? Linux is a UNIX-like, GPL-licensed open-source kernel. The

GNU/Linux Why use it? What is Linux? Linux is a UNIX-like, GPL-licensed open-source kernel. The

GNU/Linux Why use it? What is Linux? Linux is a UNIX-like, GPL-licensed open-source kernel. The GNU userland consists of libc, the init system (SystemD) X11 GUI toolkits etc. Ask the audience Who has used

442 views • 22 slides
. Kernel The Variability Model of the Linux Extra Conclusions Linux Study Introduction .

. Kernel The Variability Model of the Linux Extra Conclusions Linux Study Introduction .

. Krzysztof Czarnecki, Andrzej Wsowski The Variability Model of the Linux Kernel . . January 26, 2010 IT University of Copenhagen University of Leipzig University of Waterloo Steven She, Rafael Lotufo, Thorsten Berger, . Kernel The

928 views • 39 slides
Taming Transactions: Towards Hardware-Assisted Control Flow Integrity using Transactional Memory

Taming Transactions: Towards Hardware-Assisted Control Flow Integrity using Transactional Memory

The 19th International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2016) Taming Transactions: Towards Hardware-Assisted Control Flow Integrity using Transactional Memory Marius Muench, Fabio Pagani, Yan Shoshitaishvili,

559 views • 25 slides
LSS 2017: linux-integrity subsystem update Mimi Zohar 1 IBM Research Linux Integrity Subsystem

LSS 2017: linux-integrity subsystem update Mimi Zohar 1 IBM Research Linux Integrity Subsystem

LSS 2017: linux-integrity subsystem update Mimi Zohar 1 IBM Research Linux Integrity Subsystem Status Update Review of IMA goals New IMA features and other changes TPM related work Possible IMA specific fixes for TPM

567 views • 17 slides
PRACTICAL CONTROL FLOW INTEGRITY &amp; RANDOMIZATION FOR BINARY EXECUTABLES Christos Tselas,

PRACTICAL CONTROL FLOW INTEGRITY &amp; RANDOMIZATION FOR BINARY EXECUTABLES Christos Tselas,

PRACTICAL CONTROL FLOW INTEGRITY &amp; RANDOMIZATION FOR BINARY EXECUTABLES Christos Tselas, AM:875 Elisjana Ymeralli, AM:801 Ioanna Ramoutsaki, AM: 812 Vasilis Glabedakis, AM: 2921 cs-457 Department: Computer Science, University of Crete

584 views • 42 slides
Control Flow Integrity Recap Buffer overflow Mitigation techniques WOX/DEP

Control Flow Integrity Recap Buffer overflow Mitigation techniques WOX/DEP

Control Flow Integrity Recap Buffer overflow Mitigation techniques WOX/DEP Return-to-libc RoP (Return-oriented Programming) StackGuard (insert canaries on stack) PointGuard (encrypt the pointers) ASLR CFI

809 views • 42 slides
Linux Kernel Security &amp; Hardening Thomas Lamprecht January 17, 2019 Introduction The Linux

Linux Kernel Security &amp; Hardening Thomas Lamprecht January 17, 2019 Introduction The Linux

Linux Kernel Security &amp; Hardening Thomas Lamprecht January 17, 2019 Introduction The Linux Kernel Widespread Deployed on: powerful (high performance compute clusters) sensitive (bank, gov. systems, ..) safety critical

995 views • 29 slides
Linux Kernel Synchronization System Calls Synchronization in Kernel the kernel RCU File

Linux Kernel Synchronization System Calls Synchronization in Kernel the kernel RCU File

3/1/20 COMP 790: OS Implementation COMP 790: OS Implementation Logical Diagram Binary Memory Threads Formats Allocators User Todays Lecture Linux Kernel Synchronization System Calls Synchronization in Kernel the kernel RCU File

647 views • 8 slides
Software Control Flow Integrity Techniques, Proofs, &amp; Security Applications Jay Ligatti summer

Software Control Flow Integrity Techniques, Proofs, &amp; Security Applications Jay Ligatti summer

Software Control Flow Integrity Techniques, Proofs, &amp; Security Applications Jay Ligatti summer 2004 intern work with: lfar Erlingsson and Martn Abadi 1 Motivation I: Bad things happen DoS Weak authentication Insecure

465 views • 22 slides
1 Exception Tables Exceptions An exception is a transfer of control to the OS kernel in

1 Exception Tables Exceptions An exception is a transfer of control to the OS kernel in

Today Exceptional Control Flow: Exceptional Control Flow Exceptions Exceptions and Processes Processes Process Control CSci 2021: Machine Architecture and Organization December 3rd, 2018 Your instructor: Stephen McCamant Based

410 views • 6 slides
Automated combination of tolerance and control flow integrity countermeasures against multiple

Automated combination of tolerance and control flow integrity countermeasures against multiple

Automated combination of tolerance and control flow integrity countermeasures against multiple fault attacks on embedded systems Thierno Barry PhD Candidate in security of Embedded Systems at CEA ( the French Atomic Energy Commission )

681 views • 18 slides
CONTROL-FLOW INTEGRITY PROTECTIONS FOR MODERN SOFTWARE X IAOYANG X U , M ASOUD G HAFFARINIA , Z

CONTROL-FLOW INTEGRITY PROTECTIONS FOR MODERN SOFTWARE X IAOYANG X U , M ASOUD G HAFFARINIA , Z

C ON FIRM: EVALUATING COMPATIBILITY AND RELEVANCE OF CONTROL-FLOW INTEGRITY PROTECTIONS FOR MODERN SOFTWARE X IAOYANG X U , M ASOUD G HAFFARINIA , Z HIQIANG L IN W ENHAO W ANG , AND K EVIN W. H AMLEN T HE O HIO S TATE U NIVERSITY T HE U NIVERSITY

514 views • 15 slides

More recommend