kr x comprehensive kernel protection against just in time
play

kR^X Comprehensive Kernel Protection against Just-In-Time Code - PowerPoint PPT Presentation

Dec 28, 2022 •501 likes •1.18k views

Introduction RX Fine-grained KASLR Evaluation kR^X Comprehensive Kernel Protection against Just-In-Time Code Reuse Marios Pomonis 1 Theofilos Petsios 1 Angelos D. Keromytis 1 Michalis Polychronakis 2 Vasileios P. Kemerlis 3 1 Columbia

  1. Introduction RˆX Fine-grained KASLR Evaluation kR^X Comprehensive Kernel Protection against Just-In-Time Code Reuse Marios Pomonis 1 Theofilos Petsios 1 Angelos D. Keromytis 1 Michalis Polychronakis 2 Vasileios P. Kemerlis 3 1 Columbia University 2 Stony Brook University 3 Brown University mpomonis@cs.columbia.edu kR^X 1 / 30

  2. Introduction RˆX Fine-grained KASLR Evaluation $ > whoami ◮ Ph.D. candidate @Columbia University ◮ Member of the Network Security Lab • http://nsl.cs.columbia.edu ◮ Research interests • Kernel security • Data-flow tracking • http://www.cs.columbia.edu/~mpomonis mpomonis@cs.columbia.edu kR^X 2 / 30

  3. Introduction RˆX Fine-grained KASLR Evaluation $ > whoami ◮ Ph.D. candidate @Columbia University ◮ Member of the Network Security Lab • http://nsl.cs.columbia.edu ◮ Research interests • Kernel security • Data-flow tracking • http://www.cs.columbia.edu/~mpomonis mpomonis@cs.columbia.edu kR^X 2 / 30

  4. Introduction RˆX Fine-grained KASLR Evaluation Kernel Vulnerabilties (all vendors) 700 600 500 # of vulnerabilities 400 300 200 100 0 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 Source: National Vulnerability Database ( http://nvd.nist.gov ) mpomonis@cs.columbia.edu kR^X 3 / 30

  5. Introduction RˆX Fine-grained KASLR Evaluation Linux Kernel Vulnerabilties 350 300 250 # of vulnerabilities 200 150 100 50 0 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 Source: CVE Details ( http://www.cvedetails.com ) mpomonis@cs.columbia.edu kR^X 4 / 30

  6. Introduction RˆX Fine-grained KASLR Evaluation Kernel Exploitation 101 ◮ Userland Exploitation • Code Injection • Code Reuse mpomonis@cs.columbia.edu kR^X 5 / 30

  7. Introduction RˆX Fine-grained KASLR Evaluation Kernel Exploitation 101 ◮ Userland Exploitation • Code Injection [ W^X ] • Code Reuse [ ASLR ] mpomonis@cs.columbia.edu kR^X 5 / 30

  8. Introduction RˆX Fine-grained KASLR Evaluation Kernel Exploitation 101 ◮ Userland Exploitation • Code Injection [ W^X ] • Code Reuse [ ASLR ] ◮ Kernel Exploitation mpomonis@cs.columbia.edu kR^X 5 / 30

  9. Introduction RˆX Fine-grained KASLR Evaluation Kernel Exploitation 101 ◮ Userland Exploitation • Code Injection [ W^X ] • Code Reuse [ ASLR ] ◮ Kernel Exploitation • ret2usr mpomonis@cs.columbia.edu kR^X 5 / 30

  10. Introduction RˆX Fine-grained KASLR Evaluation Kernel Exploitation 101 ◮ Userland Exploitation • Code Injection [ W^X ] • Code Reuse [ ASLR ] ◮ Kernel Exploitation • ret2usr [ SMEP , SMAP , . . . ] mpomonis@cs.columbia.edu kR^X 5 / 30

  11. Introduction RˆX Fine-grained KASLR Evaluation Kernel Exploitation 101 ◮ Userland Exploitation • Code Injection [ W^X ] • Code Reuse [ ASLR ] ◮ Kernel Exploitation • ret2usr [ SMEP , SMAP , . . . ] • Code Injection • Code Reuse mpomonis@cs.columbia.edu kR^X 5 / 30

  12. Introduction RˆX Fine-grained KASLR Evaluation Kernel Exploitation 101 ◮ Userland Exploitation • Code Injection [ W^X ] • Code Reuse [ ASLR ] ◮ Kernel Exploitation • ret2usr [ SMEP , SMAP , . . . ] • Code Injection [ W^X ] • Code Reuse [ KASLR ] mpomonis@cs.columbia.edu kR^X 5 / 30

  13. Introduction RˆX Fine-grained KASLR Evaluation Kernel Exploitation 101 ◮ Userland Exploitation • Code Injection [ W^X ] • Code Reuse [ ASLR ] ◮ Kernel Exploitation • ret2usr [ SMEP , SMAP , . . . ] • Code Injection [ W^X ] • Code Reuse [ KASLR ] Hund et al. [Oakland ’13] Jang et al. [CCS ’16] Gruss et al. [CCS ’16] mpomonis@cs.columbia.edu kR^X 5 / 30

  14. Introduction RˆX Fine-grained KASLR Evaluation Code Reuse Attacks Code push %rbx ◮ “Offline” Code Reuse mov $0x5,%rbx code pointer xor %rbx,%rax pop %rbx ret mov $0x1,%rdi call *%r8 jmp 0x4003e0 cmp %rsi,%rdx jae 0x4000100 add $0x500,%rdi jmp *%rdi test %rax,%rax jb 0x400043e xor %rcx,%rcx pop %r14 ret … Data mpomonis@cs.columbia.edu kR^X 6 / 30

  15. Introduction RˆX Fine-grained KASLR Evaluation Code Reuse Attacks Code push %rbx ◮ “Offline” Code Reuse mov $0x5,%rbx code pointer xor %rbx,%rax pop %rbx • Code snippets ( gadgets ) ret mov $0x1,%rdi Ending with an indirect branch call *%r8 jmp 0x4003e0 • Stitch gadgets together cmp %rsi,%rdx jae 0x4000100 Perform arbitrary computations add $0x500,%rdi jmp *%rdi test %rax,%rax jb 0x400043e xor %rcx,%rcx pop %r14 ret … Data mpomonis@cs.columbia.edu kR^X 6 / 30

  16. Introduction RˆX Fine-grained KASLR Evaluation Code Reuse Attacks Code mov $0x1,%rdi ◮ “Offline” Code Reuse [Code Diversification] call *%r8 code pointer jmp 0x4003e0 test %rax,%rax • Code snippets ( gadgets ) jb 0x400043e xor %rcx,%rcx Ending with an indirect branch pop %r14 ret • Stitch gadgets together cmp %rsi,%rdx jae 0x4000100 Perform arbitrary computations add $0x500,%rdi jmp *%rdi push %rbx mov $0x5,%rbx xor %rbx,%rax pop %rbx ret … Data mpomonis@cs.columbia.edu kR^X 6 / 30

  17. Introduction RˆX Fine-grained KASLR Evaluation Code Reuse Attacks Code mov $0x1,%rdi ◮ “Offline” Code Reuse [Code Diversification] call *%r8 code pointer jmp 0x4003e0 test %rax,%rax • Code snippets ( gadgets ) jb 0x400043e memory xor %rcx,%rcx Ending with an indirect branch disclosure pop %r14 ret • Stitch gadgets together cmp %rsi,%rdx jae 0x4000100 Perform arbitrary computations add $0x500,%rdi jmp *%rdi ◮ “Just-In-Time” Code Reuse push %rbx mov $0x5,%rbx xor %rbx,%rax • Direct pop %rbx ret Read the (diversified) code … Construct the exploit on-the-fly Data mpomonis@cs.columbia.edu kR^X 6 / 30

  18. Introduction RˆX Fine-grained KASLR Evaluation Code Reuse Attacks Code mov $0x1,%rdi ◮ “Offline” Code Reuse [Code Diversification] call *%r8 jmp 0x4003e0 test %rax,%rax • Code snippets ( gadgets ) jb 0x400043e memory xor %rcx,%rcx Ending with an indirect branch disclosure pop %r14 ret • Stitch gadgets together cmp %rsi,%rdx jae 0x4000100 Perform arbitrary computations add $0x500,%rdi jmp *%rdi ◮ “Just-In-Time” Code Reuse push %rbx mov $0x5,%rbx code pointer xor %rbx,%rax • Direct pop %rbx ret Read the (diversified) code … Construct the exploit on-the-fly Data mpomonis@cs.columbia.edu kR^X 6 / 30

  19. Introduction RˆX Fine-grained KASLR Evaluation Code Reuse Attacks Code mov $0x1,%rdi ◮ “Offline” Code Reuse [Code Diversification] call *%r8 jmp 0x4003e0 test %rax,%rax • Code snippets ( gadgets ) jb 0x400043e memory xor %rcx,%rcx Ending with an indirect branch disclosure pop %r14 ret • Stitch gadgets together cmp %rsi,%rdx jae 0x4000100 Perform arbitrary computations add $0x500,%rdi jmp *%rdi ◮ “Just-In-Time” Code Reuse push %rbx mov $0x5,%rbx xor %rbx,%rax • Direct pop %rbx ret Read the (diversified) code … Construct the exploit on-the-fly Data • Indirect code pointer Read code pointers from the data code pointer Infer the randomized code layout code pointer mpomonis@cs.columbia.edu kR^X 6 / 30

  20. Introduction RˆX Fine-grained KASLR Evaluation kRˆX ◮ Comprehensive kernel protection against code reuse attacks ✗ “Offline” Code Reuse ✗ JIT Code Reuse (direct/indirect) • No privileged entity (e.g., hypervisor) • Low overhead mpomonis@cs.columbia.edu kR^X 7 / 30

  21. Introduction RˆX Fine-grained KASLR Evaluation kRˆX ◮ Comprehensive kernel protection against code reuse attacks ✗ “Offline” Code Reuse ✗ JIT Code Reuse (direct/indirect) • No privileged entity (e.g., hypervisor) • Low overhead RˆX: ◮ Execute-only Memory • Separate code and data regions New kernel memory layout • Mem. read → range check (RC) SFI-inspired ✓ Data region ✗ Code region mpomonis@cs.columbia.edu kR^X 7 / 30

  22. Introduction RˆX Fine-grained KASLR Evaluation kRˆX ◮ Comprehensive kernel protection against code reuse attacks ✗ “Offline” Code Reuse ✗ JIT Code Reuse (direct/indirect) • No privileged entity (e.g., hypervisor) • Low overhead Fine-grained KASLR: RˆX: ◮ Execute-only Memory ◮ Randomized Code Layout • Separate code and data regions ✓ No gadgets at known location ✓ High entropy → no guessing New kernel memory layout • Mem. read → range check (RC) ◮ Return address protection SFI-inspired • Encryption ( XOR -based) ✓ Data region ✗ Code region • Deception (Decoys) mpomonis@cs.columbia.edu kR^X 7 / 30

  23. Introduction RˆX Fine-grained KASLR Evaluation RˆX: Memory Layout fi xmap area module1 .data module1 .text Modules module2 .data module2 .text kernel .brk kernel .bss Kernel Image kernel .data kernel .rodata kernel .text vmemmap space vmalloc arena Upper physmap Canonical Half mpomonis@cs.columbia.edu kR^X 8 / 30

  24. Introduction RˆX Fine-grained KASLR Evaluation RˆX: Memory Layout fi xmap area module1 .data module1 .text Modules module2 .data ✗ Multiple code sections → multiple RCs module2 .text • High overhead kernel .brk ◮ Interleaved code and data kernel .bss Kernel Image kernel .data kernel .rodata kernel .text vmemmap space vmalloc arena Upper physmap Canonical Half mpomonis@cs.columbia.edu kR^X 8 / 30

Recommend

1 Processes and the Kernel The Kernel Processes and the Kernel The Kernel Today, all

1 Processes and the Kernel The Kernel Processes and the Kernel The Kernel Today, all

Memory Protection Memory Protection Paging Virtual memory provides protection by: Each process (user or OS) has different virtual memory space. Machines and Virtualization Machines and Virtualization The OS maintain the page tables

83 views • 5 slides
1 CPU Events: Interrupts and Exceptions CPU Events: Interrupts and Exceptions Protecting Entry

1 CPU Events: Interrupts and Exceptions CPU Events: Interrupts and Exceptions Protecting Entry

Processes and the Kernel Processes and the Kernel The kernel sets processes up process in private data data execution Processes, Protection and the Kernel: Processes, Protection and the Kernel: virtual contexts to address

540 views • 9 slides
Processes, Protection and the Kernel: Processes, Protection and the Kernel: Mode, Space, and

Processes, Protection and the Kernel: Processes, Protection and the Kernel: Mode, Space, and

Processes, Protection and the Kernel: Processes, Protection and the Kernel: Mode, Space, and Context Mode, Space, and Context Processes and the Kernel Processes and the Kernel The kernel sets processes up process in private data data

614 views • 50 slides
Kernel Self Protection Kernel Summit 2016, Santa Fe Kees (Case) Cook keescook@chromium.org

Kernel Self Protection Kernel Summit 2016, Santa Fe Kees (Case) Cook keescook@chromium.org

Kernel Self Protection Kernel Summit 2016, Santa Fe Kees (Case) Cook keescook@chromium.org @kees_cook http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project http://www.openwall.com/lists/kernel-hardening/

494 views • 21 slides
Linux Kernel Networking Raoul Rivas Kernel vs Application Programming No memory protection

Linux Kernel Networking Raoul Rivas Kernel vs Application Programming No memory protection

Linux Kernel Networking Raoul Rivas Kernel vs Application Programming No memory protection Memory Protection We share memory with Segmentation Fault devices, scheduler Preemption Sometimes no preemption Scheduling

377 views • 25 slides
The State of Kernel Self Protection Linux Security Summit NA August 27, 2018 Vancouver, Canada

The State of Kernel Self Protection Linux Security Summit NA August 27, 2018 Vancouver, Canada

The State of Kernel Self Protection Linux Security Summit NA August 27, 2018 Vancouver, Canada Kees (Case) Cook keescook@chromium.org @kees_cook https://outflux.net/slides/2018/lss/kspp.pdf Kernel Self Protection Project

431 views • 15 slides
Linux Kernel Self Protection Project Kernel Recipes, Paris September 28, 2017 Kees (Case)

Linux Kernel Self Protection Project Kernel Recipes, Paris September 28, 2017 Kees (Case)

Linux Kernel Self Protection Project Kernel Recipes, Paris September 28, 2017 Kees (Case) Cook keescook@chromium.org https://outflux.net/slides/2017/kr/kspp.pdf Agenda Background Security in the context of this presentation

800 views • 59 slides
Security While protection has been discussed throughout the class kernel vs. user mode,

Security While protection has been discussed throughout the class kernel vs. user mode,

Security While protection has been discussed throughout the class kernel vs. user mode, protected memory, file permissions these mechanisms have generally been focused on protection from accidental misuse (software bugs, novice

463 views • 13 slides
CSCI 350 Ch. 2 The Kernel Abstraction & Protection Mark Redekopp 2 PROCESSES &

CSCI 350 Ch. 2 The Kernel Abstraction & Protection Mark Redekopp 2 PROCESSES &

1 CSCI 350 Ch. 2 The Kernel Abstraction & Protection Mark Redekopp 2 PROCESSES & PROTECTION 3 Processes Program/Process Process 1,2,3, (def 1.) Address Space + Threads 0xffff ffff 1 or more threads Kernel

794 views • 35 slides
The Kernel (and Process) Abstraction Chapter 2-3 OSPP Part I Announcements Today: kernel

The Kernel (and Process) Abstraction Chapter 2-3 OSPP Part I Announcements Today: kernel

The Kernel (and Process) Abstraction Chapter 2-3 OSPP Part I Announcements Today: kernel Asynchrony Processes Protection Kernel The software component that controls the hardware directly and implements the core privileged OS

934 views • 62 slides
Protection Issues I/O protection Protection and System Calls Prevent users from

Protection Issues I/O protection Protection and System Calls Prevent users from

Protection Issues I/O protection Protection and System Calls Prevent users from performing illegal I/Os Memory protection Otto J. Anshus Prevent users from modifying kernel code and data (including slides from Kai Li,

350 views • 6 slides
Midterm Review OS Structure User mode/ kernel mode Memory protection, privileged

Midterm Review OS Structure User mode/ kernel mode Memory protection, privileged

Midterm Review OS Structure User mode/ kernel mode Memory protection, privileged instructions System call Definition, examples, how it works? Other concepts to know Monolithic kernel vs. Micro kernel 2 API - System Call -

830 views • 28 slides
DDoS protection Using Netfilter/iptables Jesper Dangaard Brouer Senior Kernel Engineer, Red Hat

DDoS protection Using Netfilter/iptables Jesper Dangaard Brouer Senior Kernel Engineer, Red Hat

DDoS protection Using Netfilter/iptables Jesper Dangaard Brouer Senior Kernel Engineer, Red Hat RMLL Montpellier, July 2014 1/36 Email: brouer@redhat.com / netoptimizer@brouer.com / hawk@kernel.org DDoS protection using Netfilter/iptables

822 views • 38 slides
2 Berkeley Socket Userspace Kernel Hardware Time 1983 2 Berkeley TCP Arrakis &

2 Berkeley Socket Userspace Kernel Hardware Time 1983 2 Berkeley TCP Arrakis &

LITE Kernel RDMA Support for Datacenter Applications Shin-Yeh Tsai , Yiying Zhang Time 2 Berkeley Socket Userspace Kernel Hardware Time 1983 2 Berkeley TCP Arrakis & Socket IX O ffl oad engine mTCP Userspace Kernel Hardware

1.34k views • 104 slides
Speculative Taint Tracking (STT TT): A Comprehensive Protection for Speculatively Accessed Data

Speculative Taint Tracking (STT TT): A Comprehensive Protection for Speculatively Accessed Data

Speculative Taint Tracking (STT TT): A Comprehensive Protection for Speculatively Accessed Data JIYONG YU, , MENGJIA YAN, ARTEM KHYZHA*, ADAM MORRISON*, JOSEP TORRELLAS, CHRISTOPHER W. FLETCHER UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN

1.22k views • 85 slides
Separation Kernel Protection Profile Revisited: Choices and Rationale Layered Assurance Workshop

Separation Kernel Protection Profile Revisited: Choices and Rationale Layered Assurance Workshop

Separation Kernel Protection Profile Revisited: Choices and Rationale Layered Assurance Workshop 2010 Austin, Texas Timothy Levin, Thuy Nguyen, Cynthia Irvine, Michael McEvilley LAW 2010 Overview Purpose Help users of SKPP understand

383 views • 17 slides
The State of Kernel Self Protection Linux Conf AU, Sydney Jan 26, 2018 Kees (Case) Cook

The State of Kernel Self Protection Linux Conf AU, Sydney Jan 26, 2018 Kees (Case) Cook

The State of Kernel Self Protection Linux Conf AU, Sydney Jan 26, 2018 Kees (Case) Cook keescook@chromium.org @kees_cook https://outflux.net/slides/2018/lca/kspp.pdf Agenda Background Why we need to change what were doing

695 views • 57 slides
x86 Memory Protection User System Calls Kernel and Translation RCU File System Networking

x86 Memory Protection User System Calls Kernel and Translation RCU File System Networking

8/31/12 Logical Diagram Binary Memory Threads Formats Allocators x86 Memory Protection User System Calls Kernel and Translation RCU File System Networking Sync Todays Lecture Don Porter (focus on CSE 506 Memory Device

576 views • 9 slides
This Time Font hunt you down in 4 bytes! FROM KERNEL ESCAPE TO SYSTEM CALC @promised_lu

This Time Font hunt you down in 4 bytes! FROM KERNEL ESCAPE TO SYSTEM CALC @promised_lu

This Time Font hunt you down in 4 bytes! FROM KERNEL ESCAPE TO SYSTEM CALC @promised_lu @zer0mem TTF TECHNIQUE what ? data to kernel Pinging TTF bitmap wants to help! Different bit of math instead

735 views • 50 slides
Status of the Kernel Self Protection Project Linux Security Summit 2016 Aug 25-26, Toronto Kees

Status of the Kernel Self Protection Project Linux Security Summit 2016 Aug 25-26, Toronto Kees

Status of the Kernel Self Protection Project Linux Security Summit 2016 Aug 25-26, Toronto Kees (Case) Cook keescook@chromium.org https://outflux.net/slides/2016/lss/kspp.pdf Agenda Background Security in the context of this

464 views • 42 slides
Protection Disclaimer: some slides are adopted from book authors slides with permission 1

Protection Disclaimer: some slides are adopted from book authors slides with permission 1

Protection Disclaimer: some slides are adopted from book authors slides with permission 1 Today Protection Security 2 Examples of OS Protection Memory protection Between user processes Between user and kernel File

953 views • 51 slides
Protection Disclaimer: some slides are adopted from book authors slides with permission 1

Protection Disclaimer: some slides are adopted from book authors slides with permission 1

Protection Disclaimer: some slides are adopted from book authors slides with permission 1 Examples of OS Protection Memory protection Between user processes Between user and kernel File protection Prevent unauthorized

783 views • 39 slides
Myakka River Protection Zone Ordinance and Comprehensive Plan Update MRMCC Presentation Jan 9,

Myakka River Protection Zone Ordinance and Comprehensive Plan Update MRMCC Presentation Jan 9,

Myakka River Protection Zone Ordinance and Comprehensive Plan Update MRMCC Presentation Jan 9, 2009 Elizabeth Wong, PE Stormwater Manager, Planning Zoning and Engineering Dept. 941-429-7090 ewong@cityofnorthport.com Safe Clean Pretty Fun

242 views • 11 slides
Speeding up the Booting Time of a Toro Appliance Matias E. Vara Larsen www.torokernel.io

Speeding up the Booting Time of a Toro Appliance Matias E. Vara Larsen www.torokernel.io

Speeding up the Booting Time of a Toro Appliance Matias E. Vara Larsen www.torokernel.io matiasevara@gmail.com Application-oriented Kernel Toro Kernel Process Memory Devices Filesystem Networking Toro is an embedded kernel including five

442 views • 33 slides

More recommend