rethinking kernel isolation
play

Rethinking Kernel Isolation Vasileios P. Kemerlis Network Security - PowerPoint PPT Presentation

Dec 29, 2023 •392 likes •1.09k views

Rethinking Kernel Isolation Vasileios P. Kemerlis Network Security Lab Department of Computer Science Columbia University New York, NY, USA Georgia Institute of Technology, 09/12/2014 vpk@cs.columbia.edu (Columbia University) ret2dir GT

  1. Rethinking Kernel Isolation Vasileios P. Kemerlis Network Security Lab Department of Computer Science Columbia University New York, NY, USA Georgia Institute of Technology, 09/12/2014 vpk@cs.columbia.edu (Columbia University) ret2dir GT ’14 1 / 59

  2. Outline Introduction Kernel attacks & defenses Problem statement Attack ( ret2dir ) Background Bypassing SMEP / SMAP , PXN , PaX, kGuard Defense (XPFO) Design & implementation Performance Conclusion Recap vpk@cs.columbia.edu (Columbia University) ret2dir GT ’14 4 / 59

  3. Introduction Kernel attacks & defenses Attacking the “Core” Threats classification 1. Privilege escalation I Arbitrary code execution code-injection, ROP, ret2usr 7 Kernel stack smashing 7 User-after-free, double free, dangling pointers 7 Kernel heap overflows 7 Signedness errors, integer overflows 7 Wild writes, o ff -by- n 7 Race conditions, memory leaks 7 Poor arg. sanitization 7 Missing authorization checks 2. Persistent foothold I Kernel object hooking (KOH) control-flow hijacking 7 Kernel control data (function ptr., dispatch tbl., return addr.) 7 Kernel code ( .text ) I Direct kernel object manipulation (DKOM) cloaking 7 Kernel non-control data 3. ... vpk@cs.columbia.edu (Columbia University) ret2dir GT ’14 5 / 59

  4. Introduction Kernel attacks & defenses Attacking the “Core” Threats classification 1. Privilege escalation I Arbitrary code execution code-injection, ROP, ret2usr 7 Kernel stack smashing 7 User-after-free, double free, dangling pointers 7 Kernel heap overflows 7 Signedness errors, integer overflows 7 Wild writes, o ff -by- n 7 Race conditions, memory leaks 7 Poor arg. sanitization 7 Missing authorization checks 2. Persistent foothold I Kernel object hooking (KOH) control-flow hijacking 7 Kernel control data (function ptr., dispatch tbl., return addr.) 7 Kernel code ( .text ) I Direct kernel object manipulation (DKOM) cloaking 7 Kernel non-control data 3. ... vpk@cs.columbia.edu (Columbia University) ret2dir GT ’14 6 / 59

  5. Introduction Kernel attacks & defenses Attacking the “Core” Threats classification 1. Privilege escalation I Arbitrary code execution code-injection, ROP, ret2usr 7 Kernel stack smashing 7 User-after-free, double free, dangling pointers 7 Kernel heap overflows 7 Signedness errors, integer overflows 7 Wild writes, o ff -by- n 7 Race conditions, memory leaks 7 Poor arg. sanitization 7 Missing authorization checks 2. Persistent foothold I Kernel object hooking (KOH) control-flow hijacking 7 Kernel control data (function ptr., dispatch tbl., return addr.) 7 Kernel code ( .text ) I Direct kernel object manipulation (DKOM) cloaking 7 Kernel non-control data 3. ... vpk@cs.columbia.edu (Columbia University) ret2dir GT ’14 7 / 59

  6. Introduction Kernel attacks & defenses Return-to-user ( ret2usr ) Attacks What are they? Attacks against OS kernels with shared kernel/user address space • Overwrite kernel code (or data) pointers with user space addresses 7 return addr., dispatch tbl., function ptr., 7 data ptr. I Payload ! Shellcode, ROP payload, tampered-with data structure(s) I Placed in user space 7 Executed (referenced) in kernel context I De facto kernel exploitation technique I Facilitates privilege escalation arbitrary code execution 7 http://www.exploit-db.com/exploits/34134/ (21/07/14) 7 http://www.exploit-db.com/exploits/131/ (05/12/03) vpk@cs.columbia.edu (Columbia University) ret2dir GT ’14 8 / 59

  7. Introduction Kernel attacks & defenses ret2usr Attacks (cont’d) Why do they work? Weak address space (kernel/user) separation • Shared kernel/process model ! Performance X cost(mode switch) ⌧ cost(context switch) I The kernel is protected from userland ! Hardware-assisted isolation 7 The opposite is not true 7 Kernel ambient authority (unrestricted access to all memory and system objects) I The attacker completely controls user space memory • Contents & perms. vpk@cs.columbia.edu (Columbia University) ret2dir GT ’14 9 / 59

  8. Introduction Kernel attacks & defenses kGuard [USENIX Sec ’12] Versatile & lightweight protection against ret2usr I Cross-platform solution that enforces (partial) address space separation between user and kernel space • x86, x86-64, ARM, ... • Linux, Android, { Free, Net, Open } BSD, ... I Builds upon inline monitoring and code diversification I Implemented as a set of modifications to the pipeline of GCC • Non-intrusive & low overhead • Back-end plugin ! ⇠ 1KLOC in C Front − ends Middle − end *.c, *.i C GIMPLE Back − end *.cc, *.c++ C++ *.cxx, *.cpp RTL High *.m, *.mi Objective − C GIMPLE SSA *.java Java GENERIC GIMPLE kGuard ... ... Low (NOP & CFA) GIMPLE Fortran *.F, *.FOR *.s vpk@cs.columbia.edu (Columbia University) ret2dir GT ’14 10 / 59

  9. Introduction Kernel attacks & defenses kGuard Design Control-flow assertions (key technology #1) I Compact, inline guards injected at Instrumented code Original code compile time branch CFA • Two flavors ! CFA R & CFA M kernel branch I Placed before every exploitable control .text transfer branch kernel .text • call , jmp , ret in x86/x86-64 • ldm , blx , ..., in ARM CFA branch I Verify that the target address of an indirect branch is always inside kernel space I If the assertion is true, execution continues normally; otherwise, control is transfered to a runtime violation handler vpk@cs.columbia.edu (Columbia University) ret2dir GT ’14 11 / 59

  10. Introduction Kernel attacks & defenses kGuard Design (cont’d) CFA R example cmp $0xc0000000,%ebx if (reg < 0xc0000000) jae lbl reg = &<violation_handler>; mov $0xc05af8f1,%ebx call *reg lbl: call *%ebx Indirect call in drivers/cpufreq/cpufreq.c (x86 Linux) vpk@cs.columbia.edu (Columbia University) ret2dir GT ’14 12 / 59

  11. Introduction Kernel attacks & defenses kGuard Design (cont’d) CFA M examples (1/2) push %edi if (&mem < 0xc0000000) lea 0x50(%ebx),%edi call <violation_handler>; cmp $0xc0000000,%edi if (mem < 0xc0000000) jae lbl1 mem = &<violation_handler>; pop %edi call *mem ; call 0xc05af8f1 lbl1: pop %edi cmpl $0xc0000000,0x50(%ebx) jae lbl2 movl $0xc05af8f1,0x50(%ebx) lbl2: call *0x50(%ebx) Indirect call in net/socket.c (x86 Linux) vpk@cs.columbia.edu (Columbia University) ret2dir GT ’14 13 / 59

  12. Introduction Kernel attacks & defenses kGuard Design (cont’d) CFA M examples (2/2) & optimizations cmpl $0xc0000000,0xc123beef if (&mem < 0xc0000000) jae lb call <violation_handler>; movl $0xc05af8f1,0xc123beef if (mem < 0xc0000000) lb: call *0xc123beef mem = &<violation_handler>; call *mem ; Optimized CFA M guard (x86 Linux) vpk@cs.columbia.edu (Columbia University) ret2dir GT ’14 14 / 59

  13. Introduction Kernel attacks & defenses ret2usr Defenses State of the art overview X KERNEXEC / UDEREF ! PaX I 3 rd -party Linux patch(es) ! x86-64/x86/AArch32 only I HW/SW-assisted address space separation • x86 ! Seg. unit (reload %cs , %ss , %ds , %es ) • x86-64 ! Code instr. & temporary user space re-mapping • ARM (AArch32) ! ARM domains X kGuard ! Kemerlis et al. [USENIX Sec ’12] I Cross-platform solution that enforces (partial) address space separation • x86, x86-64, ARM, ... • Linux, { Free, Net, Open } BSD, ... I Builds upon inline monitoring (code intr.) & code diversification (code inflation & CFA motion) X SMEP / SMAP , PXN ! Intel, ARM I HW-assisted address space separation • Access violation if priv. code (ring 0) executes/accesses instructions/data from user pages ( U/S = 1) I Vendor and model specific (Intel x86/x86-64, ARM) vpk@cs.columbia.edu (Columbia University) ret2dir GT ’14 15 / 59

  14. Introduction Kernel attacks & defenses ret2usr Defenses (cont’d) Summary vpk@cs.columbia.edu (Columbia University) ret2dir GT ’14 16 / 59

  15. Introduction Problem statement Rethinking Kernel Isolation [USENIX Sec ’14] What is this talk about? Focus on ret2usr defenses ! SMEP / SMAP , PXN , PaX, kGuard vpk@cs.columbia.edu (Columbia University) ret2dir GT ’14 17 / 59

  16. Introduction Problem statement Rethinking Kernel Isolation [USENIX Sec ’14] What is this talk about? Focus on ret2usr defenses ! SMEP / SMAP , PXN , PaX, kGuard I Can we subvert them? • Force the kernel to execute/access user-controlled code/data I Conflicting design choices or optimizations? • “Features” that weaken the (strong) separation of address spaces vpk@cs.columbia.edu (Columbia University) ret2dir GT ’14 17 / 59

  17. Introduction Problem statement Rethinking Kernel Isolation [USENIX Sec ’14] What is this talk about? Focus on ret2usr defenses ! SMEP / SMAP , PXN , PaX, kGuard I Can we subvert them? • Force the kernel to execute/access user-controlled code/data I Conflicting design choices or optimizations? • “Features” that weaken the (strong) separation of address spaces Return-to-direct-mapped memory ( ret2dir ) I Attack against hardened (Linux) kernels X Bypasses all existing ret2usr schemes X 8 ret2usr exploit 9 ret2dir exploit vpk@cs.columbia.edu (Columbia University) ret2dir GT ’14 17 / 59

  18. Attack ( ret2dir ) Background Kernel Space Layout Linux x86/x86-64 vpk@cs.columbia.edu (Columbia University) ret2dir GT ’14 18 / 59

Recommend

Ret2dir: Rethinking Kernel Isolation Kermerlis et al. Columbia University Presented by Lucas Copi

Ret2dir: Rethinking Kernel Isolation Kermerlis et al. Columbia University Presented by Lucas Copi

Ret2dir: Rethinking Kernel Isolation Kermerlis et al. Columbia University Presented by Lucas Copi Introduction ! In the past attackers have focused efforts on server and client applications ! Due to lesser complexities and simpler

501 views • 26 slides
Harmonizing Performance and Isolation in Microkernels with Efficient Intra-kernel Isolation and

Harmonizing Performance and Isolation in Microkernels with Efficient Intra-kernel Isolation and

Harmonizing Performance and Isolation in Microkernels with Efficient Intra-kernel Isolation and Communication Jinyu Gu , Xinyue Wu, Wentai Li, Nian Liu, Zeyu Mi, Yubin Xia, Haibo Chen Monolithic Kernel and Microkernel 2 Monolithic Kernel and

336 views • 23 slides
Virtual Machine Introspection Isolation Interpretation Interposition Isolation

Virtual Machine Introspection Isolation Interpretation Interposition Isolation

Virtual Machine Introspection Isolation Interpretation Interposition Isolation From in-guest kernel/userspace Provided by Xen Buggy emulation blurres the line From trusted computing base (TCB) Possible via Xen

286 views • 26 slides
Rethinking the Linux kernel Thomas Graf Cilium Project, Co-Founder &amp; CTO, Isovalent

Rethinking the Linux kernel Thomas Graf Cilium Project, Co-Founder &amp; CTO, Isovalent

Rethinking the Linux kernel Thomas Graf Cilium Project, Co-Founder &amp; CTO, Isovalent Remember GeoCities? 2 Cameron Askin: Camerons World What enabled this evolution? Programmable Platform Markup Only (HTML) 3 Programmability

467 views • 24 slides
Address Space Isolation in the Linux Kernel Mike Rapoport, James Bottomley

Address Space Isolation in the Linux Kernel Mike Rapoport, James Bottomley

Address Space Isolation in the Linux Kernel Mike Rapoport, James Bottomley &lt;{rppt,jejb}@linux.ibm.com&gt; This project has received funding from the European Unions Horizon 2020 research and innovation programme under grant agreement No

448 views • 30 slides
Serializable Snapshot Isolation Making ISOLATION LEVEL SERIALIZABLE Provide Serializable

Serializable Snapshot Isolation Making ISOLATION LEVEL SERIALIZABLE Provide Serializable

Serializable Snapshot Isolation Making ISOLATION LEVEL SERIALIZABLE Provide Serializable Isolation Dan Ports Kevin Grittner MIT Wisconsin Court System Saturday, May 21, 2011 1 Overview Serializable isolation makes it easier to reason

922 views • 60 slides
ADAPTED SPAULDING PYRAMID Making Isolation: How does it work? Patient Isolation- Creating

ADAPTED SPAULDING PYRAMID Making Isolation: How does it work? Patient Isolation- Creating

ADAPTED SPAULDING PYRAMID Making Isolation: How does it work? Patient Isolation- Creating auxiliary isolation rooms (CDC) SCRUBBERS - 1 ea to serve patient room, and 1 for Airlock Typically deployed on supplied wheel platform

144 views • 3 slides
Rethinking of the Rethinking of the debian/watch debian/watch With thought experiments about

Rethinking of the Rethinking of the debian/watch debian/watch With thought experiments about

Rethinking of the Rethinking of the debian/watch debian/watch With thought experiments about uscan Kentaro Hayashi DebConf18 in T aiwan 2018-08-03 ClearCode Inc. Digest of this talk Current d/watch fi le is sometimes complicated Update

800 views • 77 slides
2 Fault Isolation &amp; Restoration Manual Fault Isolation &amp; Restoration The

2 Fault Isolation &amp; Restoration Manual Fault Isolation &amp; Restoration The

1 Self Healing Network (Centralized Restoration Gateway) IEEE PES 2015 General Meeting 2 Fault Isolation &amp; Restoration Manual Fault Isolation &amp; Restoration The operator makes switching decisions Automatic Fault Location

724 views • 22 slides
Rethinking W aste Rethinking Waste W aste w hat is it? Websters 1913 Dictionary

Rethinking W aste Rethinking Waste W aste w hat is it? Websters 1913 Dictionary

Rethinking W aste Rethinking Waste W aste w hat is it? Websters 1913 Dictionary definition: lying unused; unproductive; w orthless; valueless; refuse; rejected Oxford 2017 English Dictionary definition: elim inated or

582 views • 28 slides
GCC Highlighted Products GSure Gel Extraction kit GSure Soil DNA Isolation kit GSure Sputum DNA

GCC Highlighted Products GSure Gel Extraction kit GSure Soil DNA Isolation kit GSure Sputum DNA

GSure Bacterial genomic DNA isolation kit GCC Highlighted Products GSure Gel Extraction kit GSure Soil DNA Isolation kit GSure Sputum DNA Isolation Kit GSure Stool DNA Isolation Kit GSure Urine DNA Isolation Kit GSure Yeast RNA

455 views • 23 slides
Paper Reading Paper HetConv: Heterogeneous Kernel-Based Convolutions for Deep

Paper Reading Paper HetConv: Heterogeneous Kernel-Based Convolutions for Deep

Paper Reading Paper HetConv: Heterogeneous Kernel-Based Convolutions for Deep CNNs, CVPR, 2019 Drop an Octave: Reducing Spatial Redundancy in Convolutional Neural Networks with Octave Convolution EfficientNet: Rethinking

424 views • 21 slides
Introduction to pixel track isolation The purpose of track isolation algorithm is an additional

Introduction to pixel track isolation The purpose of track isolation algorithm is an additional

Introduction to pixel track isolation The purpose of track isolation algorithm is an additional improvement of level-1 pixel trigger performance. Procedure of pixel track isolation Reconstructed pixel tracks using kinematic parameters

670 views • 27 slides
Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel

Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel

Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel Fernndez V, David P. Woodruff, Taisuke Yasuda Kernel Method Many machine learning tasks can be expressed as a function of the inner product

389 views • 22 slides
#KEEPTHECONVERSATIONGOING Sick pay and self isolation Day one right SSP for up to 14 days

#KEEPTHECONVERSATIONGOING Sick pay and self isolation Day one right SSP for up to 14 days

#KEEPTHECONVERSATIONGOING Sick pay and self isolation Day one right SSP for up to 14 days will be reimbursed Self isolation notes from online 111 Self isolation and pay Working from Home Everyone should be working

398 views • 12 slides
Using technology to reduce social isolation: research on dementia and social isolation Professor

Using technology to reduce social isolation: research on dementia and social isolation Professor

Using technology to reduce social isolation: research on dementia and social isolation Professor Josie Tetley Dr Emma-Reetta Koivunen Ageing and Long Term Conditions Group Faculty of Health, Psychology &amp; Social Care Manchester

338 views • 19 slides
1 Kernel methods &amp; optimization One example of a kernel that is frequently used in practice

1 Kernel methods &amp; optimization One example of a kernel that is frequently used in practice

Machine Learning Class Notes 9-25-12 Prof. David Sontag 1 Kernel methods &amp; optimization One example of a kernel that is frequently used in practice and which allows for highly non-linear discriminant functions is the Gaussian kernel,

241 views • 5 slides
456 457 458 The purpose of shallow trench isolation (STI) is to provide isolation between

456 457 458 The purpose of shallow trench isolation (STI) is to provide isolation between

In this module we would review a typical gate first, poly-Si gate CMOS process flow. 456 457 458 The purpose of shallow trench isolation (STI) is to provide isolation between individual devices in a CMSO chip. Typical process details and the

381 views • 8 slides
W E OFTEN THINK : Isolation is when others leave us alone ( and its often true) B UT WE TEND

W E OFTEN THINK : Isolation is when others leave us alone ( and its often true) B UT WE TEND

W HEN F EELINGS OF I SOLATION B ECOME A R OADBLOCK Joe &amp; Cindi Ferrini Joeferrini.com Cindiferrini.com W E OFTEN THINK : Isolation is when others leave us alone ( and its often true) B UT WE TEND TOWARD ISOLATION PULLING AWAY FROM :

723 views • 18 slides
Privilege separation and isolation Deian Stefan Slides adopted from John Mitchell, Dan Boneh, and

Privilege separation and isolation Deian Stefan Slides adopted from John Mitchell, Dan Boneh, and

CSE 127: Computer Security Privilege separation and isolation Deian Stefan Slides adopted from John Mitchell, Dan Boneh, and Stefan Savage Chromium security architecture Browser (&quot;kernel&quot;) Full privileges (file system,

603 views • 29 slides
ISOLATION DEFENSES GRAD SEC OCT 03 2017 ISOLATION Running untrusted code in a trusted

ISOLATION DEFENSES GRAD SEC OCT 03 2017 ISOLATION Running untrusted code in a trusted

ISOLATION DEFENSES GRAD SEC OCT 03 2017 ISOLATION Running untrusted code in a trusted environment Possibly with multiple tenants Setting OS: users / processes Browser: webpages / browser extensions Cloud: virtual machines (VMs)

272 views • 25 slides
Derandomizing Isolation in Space-Bounded Settings Dieter van Melkebeek and Gautam Prakriya

Derandomizing Isolation in Space-Bounded Settings Dieter van Melkebeek and Gautam Prakriya

Derandomizing Isolation in Space-Bounded Settings Dieter van Melkebeek and Gautam Prakriya University of Wisconsin-Madison 6 July 2017 Isolation Isolation Computational Problem : instance x set of solutions for x . Eg.:

876 views • 42 slides
Object Capabilities and Isolation of Untrusted Web Applications Ankur Taly Dept. of Computer

Object Capabilities and Isolation of Untrusted Web Applications Ankur Taly Dept. of Computer

Isolation problem for Web Mashups Formal definition of Capability Safe languages Solving the Isolation problem using Capabilit Object Capabilities and Isolation of Untrusted Web Applications Ankur Taly Dept. of Computer Science, Stanford

1.01k views • 43 slides
RETHINKING THE TOOLS OF ENGAGEMENT FLIPPING THE OUTCOMES RETHINKING THE TOOLS OF ENGAGEMENT /

RETHINKING THE TOOLS OF ENGAGEMENT FLIPPING THE OUTCOMES RETHINKING THE TOOLS OF ENGAGEMENT /

RETHINKING THE TOOLS OF ENGAGEMENT FLIPPING THE OUTCOMES RETHINKING THE TOOLS OF ENGAGEMENT / FLIPPING THE OUTCOMES RETHINKING THE TOOLS OF ENGAGEMENT / FLIPPING THE OUTCOMES 1. THE limitations of current outreach methods RETHINKING THE TOOLS

436 views • 43 slides

More recommend