enforcing kernel security invariants with data flow
play

Enforcing Kernel Security Invariants with Data Flow Integrity - PowerPoint PPT Presentation

Oct 14, 2022 •240 likes •493 views

Enforcing Kernel Security Invariants with Data Flow Integrity Chengyu Song , ByoungyoungLee, Kangjie Lu, William Harris, Taesoo Kim, Wenke Lee Institute for Information Security & Privacy Georgia Tech Kernel Memory Corruption Vulnerability

  1. Enforcing Kernel Security Invariants with Data Flow Integrity Chengyu Song , ByoungyoungLee, Kangjie Lu, William Harris, Taesoo Kim, Wenke Lee Institute for Information Security & Privacy Georgia Tech

  2. Kernel Memory Corruption Vulnerability • Kernel is important • The de-facto trusted computing base (TCB) • Foundation of upper level security mechanisms (e.g., app sandbox) • Kernel vulnerabilities are not rare • Written in C • Emphasize on performance 2 / 24

  3. Privilege escalation attacks • One of the most powerful attacks • Most popular attack against kernel • Hard to prevent • Chrome sandbox bypass • iOS jailbreak • Android rooting 3 / 24

  4. Challenge 1: many ways to exploit 1 static int acl_permission_check Code Injection Attack ( struct inode *inode, int mask) 2 Disable the check 3 { unsigned int mode = inode->i_mode; 4 5 if (likely(uid_eq(current_fsuid(), inode->i_uid))) Control-flow hijacking 6 mode >>= 6; 7 Bypass the check else if (in_group_p(inode->i_gid)) 8 mode >>= 3; 9 10 Data-oriented attacks if ((mask & ~mode & 11 (MAY_READ | MAY_WRITE | MAY_EXEC)) == 0) 12 Manipulate the check return 0; 13 return -EACCES; 14 15 } 4 / 24

  5. Challenge 2: performance • Protecting all data is not practical • Secure Virtual Architecture (SVA) [SOSP’07] • Enforces kernel-wide memory safety • Performance overhead: 5.34x ~ 13.10x (LMBench) 5 / 24

  6. Our approach • Only protects a subset of data that is large enough to enforce access control invariants [NTIS AD-758 206] • Complete mediation • Control-data à Code Pointer Integrity [OSDI’14] • Tamper proof • Non-control-data used in security checks à this work • Correctness 6 / 24

  7. Step 1: discover all related data • Observation: OS kernels have well defined error code for security checks (when they fail) • POSIX: EPERM, EACCESS, etc. • Windows: ERROR_ACCESS_DENIED, etc. • Solution: leverage this implicit semantic to automatically infer security checks • Benefits • Soundness : capable of detecting all security related data (as long as there is no semantic errors) • Automated : no manual annotation required 7 / 24

  8. A simple example Step 1: collect return values 1 static int acl_permission_check ( struct inode *inode, int mask) 2 3 { unsigned int mode = inode->i_mode; 4 5 if (likely(uid_eq(current_fsuid(), inode->i_uid))) 6 mode >>= 6; 7 else if (in_group_p(inode->i_gid)) 8 mode >>= 3; 9 10 if ((mask & ~mode & 11 (MAY_READ | MAY_WRITE | MAY_EXEC)) == 0) 12 return 0; 13 return -EACCES; 14 15 } 8 / 24

  9. A simple example Step 2: collect conditional branches 1 static int acl_permission_check ( struct inode *inode, int mask) 2 3 { unsigned int mode = inode->i_mode; 4 5 if (likely(uid_eq(current_fsuid(), inode->i_uid))) 6 mode >>= 6; 7 else if (in_group_p(inode->i_gid)) 8 mode >>= 3; 9 10 if ((mask & ~mode & 11 (MAY_READ | MAY_WRITE | MAY_EXEC)) == 0) 12 return 0; 13 return -EACCES; 14 15 } 9 / 24

  10. A simple example Step 2: collect conditional branches Collect Dominators if (condition1 || condition2) return 0; else return -EACCESS; 10 / 24

  11. A simple example Step 2: collect conditional branches Avoid Explosion if (uid_eq) mode >> 6; else mode >> 3; if (condition) return -EINVAL; 11 / 24

  12. A simple example Step 3: collect dependencies 1 static int acl_permission_check ( struct inode *inode, int mask) 2 3 { unsigned int mode = inode->i_mode; 4 5 if (likely(uid_eq(current_fsuid(), inode->i_uid))) 6 mode >>= 6; 7 else if (in_group_p(inode->i_gid)) 8 mode >>= 3; 9 10 if ((mask & ~mode & 11 (MAY_READ | MAY_WRITE | MAY_EXEC)) == 0) 12 return 0; 13 return -EACCES; 14 15 } 12 / 24

  13. Be complete • Collects data- and control-dependencies transitively • Collects sensitive pointers recursively 13 / 24

  14. Step 2: protect the integrity of data • Data-flow integrity [OSDI’06] • Runtime data-flow should not deviate from static data-flow graph (similar to control-flow integrity) • For example, string should not flow to return address or uid • How • Check the last writer at every memory read • Challenge • Performance! (104%) 14 / 24

  15. How to reduce performance overhead • Observation 1: reads are more frequent than writes • Check write instead of read • Observation 2: most writes are not relevant Write Integrity • Use isolation instead of inlined checks Test • Observation 3: most relevant write are safe [S&P’08] • Use static analysis to verify 15 / 24

  16. Two-layered protection • Layer one: data-flow isolation • Prevents unrelated writes from tampering sensitive data • Mechanisms: segment (x86-32), WP flag (x86-64), access domain (ARM32), virtual address space , virtualization, TrustZone, etc. • Layer two: WIT • Prevents related but unrestricted writes from tampering sensitive data 16 / 24

  17. Additional building blocks • Shadow objects • Lacks fine-grained isolation mechanisms • Sensitive data is mixed with non-sensitive data • Safe stack • Certain critical data is no visible at language level, e.g., return address, register spills • Access pattern of stack is different • Safety is easier to verify 17 / 24

  18. Prototype • ARM64 Android • For its practical importance and long updating cycle • Enough entropy for stack randomization • Data-flow isolation • Heap: virtual address space based, uses ASID to reduce overhead • Stack: randomization based • Shadow objects • Modified the SLUB allocator 18 / 24

  19. Implementation • Kernel • Nexus 9 lollipop-release + LLVMLinux patches • Our modifications: 1900 LoC • Static Analysis • Framework: KINT [OSDI’12] • Point-to analysis: J. Chen’s field-sens [GitHub] • Context sensitive from KOP [CCS’09] • Safe stack: CPI [OSDI’14] • Our analysis + modifications: 4400 LoC • Instrumentation: 500 LoC 19 / 24

  20. How many sensitive data structures • Control data: 3699 fields (783 structs), 1490 global objects • Non-control data: 1731 fields ( 855 structs), 279 global objects • False positives: 491 fields (221 structs) / 61 fields (25 structs) 180 163 Fields 160 Structs 140 119 115 120 93 100 80 60 50 60 42 40 40 37 37 36 31 30 40 20 0 net fs drivers kernel security include other 20 / 24

  21. How secure is our approach • Inference • Sound à no false negatives • Catch: no semantic errors • Data-flow (point-to) analysis • Sound but not complete à over permissive • Improve the accuracy with context and field sensitivity • Against existing attacks • All prevented 21 / 24

  22. Performance impact • Write operations • 26645 (4.30%) allowed, 2 checked • Context switch • 1700 cycles • Benchmarks • LMBench (syscalls): 1.42x ~ 3.13x (0% for null syscall) • Android benchmarks: 7% ~ 15% 22 / 24

  23. Conclusion • Data-oriented attacks are very practical, especially in kernel • Leveraging implicit semantics to avoid annotation • Combining program analysis with system design is a great way to build principled and practical security solution 23 / 24

  24. Thank you! Q & A 24 / 24

Recommend

Securing software by enforcing data-flow integrity Manuel Costa Joint work with: Miguel Castro,

Securing software by enforcing data-flow integrity Manuel Costa Joint work with: Miguel Castro,

Securing software by enforcing data-flow integrity Manuel Costa Joint work with: Miguel Castro, Tim Harris Microsoft Research Cambridge University of Cambridge Software is vulnerable use of unsafe languages is prevalent most

288 views • 25 slides
ENFORCING SECURE DATA SHARING IN WEB APP FRAMEWORKS Susheel S, Naren N and THROUGH INFORMATION

ENFORCING SECURE DATA SHARING IN WEB APP FRAMEWORKS Susheel S, Naren N and THROUGH INFORMATION

ENFORCING SECURE DATA SHARING IN WEB APP FRAMEWORKS Susheel S, Naren N and THROUGH INFORMATION FLOW Prof. R.K Shyamasundar CONTROL Todays Talk Background and Motivation. Possible attack in a system without IFC. Our solution using

381 views • 16 slides
Enforcing Un Unique Code Target Property for Control-Flow Integrity Ho Hong Hu Hu, Chenxiong

Enforcing Un Unique Code Target Property for Control-Flow Integrity Ho Hong Hu Hu, Chenxiong

Enforcing Un Unique Code Target Property for Control-Flow Integrity Ho Hong Hu Hu, Chenxiong Qian, Carter Yagmann, Simon Pak Ho Chung, William R. Harris , Taesoo Kim, Wenke Lee * 1 Control-flow attack Control-flow: the order of

692 views • 31 slides
Data Invariants, Abstraction and Refinement Liam OConnor University of Edinburgh LFCS (and

Data Invariants, Abstraction and Refinement Liam OConnor University of Edinburgh LFCS (and

Data Invariants and ADTs Validation Data Refinement Administrivia Software System Design and Implementation Data Invariants, Abstraction and Refinement Liam OConnor University of Edinburgh LFCS (and UNSW) Term 2 2020 1 Data Invariants

1.07k views • 68 slides
1 Theres a kernel security researcher named Dan Rosenberg whose done a lot of linux kernel

1 Theres a kernel security researcher named Dan Rosenberg whose done a lot of linux kernel

1 Theres a kernel security researcher named Dan Rosenberg whose done a lot of linux kernel vulnerability research Thats unavoidable, but the linux kernel developers dont do very much to make the situation any better. -- Basically, the

625 views • 36 slides
Regions and Permissions for Data Invariants Romain Bardou and Claude March e Septembre 2009

Regions and Permissions for Data Invariants Romain Bardou and Claude March e Septembre 2009

Regions and Permissions for Data Invariants Romain Bardou and Claude March e Septembre 2009 Regions and Permissions for Data Invariants 1 / 1 Motivation preservation of data invariants in pointer programs ownership system of Spec#

301 views • 29 slides
park ber Enforcing Verifiable Object Abstractions for Automated Compositional Security

park ber Enforcing Verifiable Object Abstractions for Automated Compositional Security

park ber Enforcing Verifiable Object Abstractions for Automated Compositional Security Analysis of a Hypervisor Amit Vasudevan (CyLab-CMU), Sagar Chaki (SEI-CMU), Petros Maniatis (Google Inc.), Limin Jia, Anupam Datta (ECE/CSD-CMU)

517 views • 24 slides
ConScript Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser

ConScript Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser

ConScript Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser Leo Meyerovich Benjamin Livshits UC Berkeley Microsoft Research Web Programmability Platform openid.net yelp.com adsense.com Google maps 2

727 views • 41 slides
1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

Control-Flow Analysis and Loop Detection Context Last time Data-flow Speeding up data-flow analysis Flow of data values from defs to uses Could alternatively be represented as a data dependence Today Control-flow analysis

516 views • 5 slides
Improving security using data flow assertions Alex Yip, Xi Wang, Nickolai Zeldovich , Frans

Improving security using data flow assertions Alex Yip, Xi Wang, Nickolai Zeldovich , Frans

Improving security using data flow assertions Alex Yip, Xi Wang, Nickolai Zeldovich , Frans Kaashoek MIT CSAIL Many security vulnerabilities caused by programming errors Attack vector Percentage SQL injection 20.4% Cross-site scripting

912 views • 57 slides
Computer Security environment, without compromising functionality or security? Three parts

Computer Security environment, without compromising functionality or security? Three parts

9/7/2013 Some topics Im working on Computing on encrypted data Information flow: Dynamic IFC in Haskell, web Sandboxing Untrusted JavaScript Third party web tracking and other web security stories Practical web security

572 views • 21 slides
Learning From Data Lecture 25 The Kernel Trick Learning with only inner products The Kernel M.

Learning From Data Lecture 25 The Kernel Trick Learning with only inner products The Kernel M.

Learning From Data Lecture 25 The Kernel Trick Learning with only inner products The Kernel M. Magdon-Ismail CSCI 4100/6100 recap: Large Margin is Better Controling Overfitting Non-Separable Data 0.08 random hyperplane 2 w t w + C N E

576 views • 18 slides
Verifying security invariants in ExpressOS Haohui Mai, Edgar Pek, Hui Xue, Samuel T. King, P .

Verifying security invariants in ExpressOS Haohui Mai, Edgar Pek, Hui Xue, Samuel T. King, P .

Verifying security invariants in ExpressOS Haohui Mai, Edgar Pek, Hui Xue, Samuel T. King, P . Madhusudan University of Illinois at Urbana-Champaign Mobiles devices are powerful Security of mobile devices is important High value

912 views • 89 slides
Linux Kernel Security Update LinuxCon Europe Berlin, 2016 James Morris

Linux Kernel Security Update LinuxCon Europe Berlin, 2016 James Morris

Linux Kernel Security Update LinuxCon Europe Berlin, 2016 James Morris james.l.morris@oracle.com Introduction Who am I? Kernel security subsystem maintainer Started kernel development w/ FreeS/WAN in 1999 which led to Netfilter,

798 views • 48 slides
Improving Kernel Security Kernel Summit 2015, Seoul Kees (Case) Cook keescook@chromium.org

Improving Kernel Security Kernel Summit 2015, Seoul Kees (Case) Cook keescook@chromium.org

Improving Kernel Security Kernel Summit 2015, Seoul Kees (Case) Cook keescook@chromium.org James Morris james.l.morris@oracle.com https://outflux.net/slides/2015/ks/security.pdf What I mean by Security More than access control

735 views • 27 slides
Information Flow Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security

Information Flow Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security

Information Flow Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security Information Flow 3 Many security requirements can be formulated as what information flow is allowed/disallowed E.g., confidential data should not

478 views • 27 slides
1 Ways to improve data-flow analysis efficiency Example (liveness) 1st 2nd 3rd

1 Ways to improve data-flow analysis efficiency Example (liveness) 1st 2nd 3rd

Speeding Up Data-Flow Analysis Solving the Data-flow Equations Last time Algorithm Various optimizations that use data-flow analysis for each node n in CFG initialize solutions in[n] = ; out[n] = Today repeat Speeding up

418 views • 4 slides
1 CPU Events: Interrupts and Exceptions CPU Events: Interrupts and Exceptions Protecting Entry

1 CPU Events: Interrupts and Exceptions CPU Events: Interrupts and Exceptions Protecting Entry

Processes and the Kernel Processes and the Kernel The kernel sets processes up process in private data data execution Processes, Protection and the Kernel: Processes, Protection and the Kernel: virtual contexts to address

540 views • 9 slides
Flow Analysis Data-flow analysis, Control-flow analysis, Abstract interpretation, AAM Helpful

Flow Analysis Data-flow analysis, Control-flow analysis, Abstract interpretation, AAM Helpful

Flow Analysis Data-flow analysis, Control-flow analysis, Abstract interpretation, AAM Helpful Reading: Sections 1.1-1.5, 2.1 Data-flow analysis (DFA) A framework for statically proving facts about program data. Focuses on simple, finite

1.04k views • 54 slides
1 Liveness by Example (cont) Control Flow Graphs (CFGs) Live range of a Definition a is live

1 Liveness by Example (cont) Control Flow Graphs (CFGs) Live range of a Definition a is live

Introduction to Data-flow analysis Data-flow Analysis Last Time Idea Undergraduate compilers review Data-flow analysis derives information about the dynamic behavior of a program by only examining the static code Assem.Instr data

903 views • 4 slides
Module 5: Implementing Data Integrity Overview Types of Data Integrity Enforcing Data

Module 5: Implementing Data Integrity Overview Types of Data Integrity Enforcing Data

Module 5: Implementing Data Integrity Overview Types of Data Integrity Enforcing Data Integrity Defining Constraints Types of Constraints Disabling Constraints Using Defaults and Rules Deciding Which Enforcement Method

260 views • 23 slides
Learning From Data Lecture 26 Kernel Machines Popular Kernels The Kernel Measures Similarity

Learning From Data Lecture 26 Kernel Machines Popular Kernels The Kernel Measures Similarity

Learning From Data Lecture 26 Kernel Machines Popular Kernels The Kernel Measures Similarity Kernels in Different Applications M. Magdon-Ismail CSCI 4100/6100 recap: The Kernel Allows Us to Bypass Z -space Solve the QP 1

356 views • 12 slides
Flow Visualization Overview: Flow Visualization (1) Introduction, overview Fl Flow data d t

Flow Visualization Overview: Flow Visualization (1) Introduction, overview Fl Flow data d t

Flow Visualization Overview: Flow Visualization (1) Introduction, overview Fl Flow data d t Simulation vs. measurement vs. modelling 2D vs. surfaces vs. 3D Steady vs time-dependent flow St d ti d d t fl Direct vs. indirect flow

957 views • 92 slides
Feel me Flow: A Review of Control-Flow Integrity Methods for User and Kernel Space Irene

Feel me Flow: A Review of Control-Flow Integrity Methods for User and Kernel Space Irene

Feel me Flow: A Review of Control-Flow Integrity Methods for User and Kernel Space Irene Dez-Franco, Igor Santos DeustoTech, University of Deusto irene.diez@deusto.es isantos@deusto.es Rationale Rationale Code injection attacks Code

865 views • 61 slides

More recommend