w indows b ypassing kernel gs
play

W INDOWS :: B YPASSING KERNEL /GS There are two ways published in - PowerPoint PPT Presentation

Mar 04, 2023 •278 likes •970 views

P ROTECTING THE C ORE K ERNEL E XPLOITATION M ITIGATIONS Patroklos Argyroudis, Dimitris Glynos { argp, dimitris } at census-labs.com Census, Inc. Black Hat EU 2011 P ROTECTING THE C ORE : K ERNEL E XPLOITATION M ITIGATIONS :: B LACK H AT EU 2011

  1. P ROTECTING THE C ORE K ERNEL E XPLOITATION M ITIGATIONS Patroklos Argyroudis, Dimitris Glynos { argp, dimitris } at census-labs.com Census, Inc. Black Hat EU 2011 P ROTECTING THE C ORE : K ERNEL E XPLOITATION M ITIGATIONS :: B LACK H AT EU 2011 :: C ENSUS , I NC .

  2. O VERVIEW I MPORTANCE OF K ERNEL S ECURITY K ERNEL MEMORY CORRUPTION VULNERABILITIES U SERLAND MEMORY CORRUPTION MITIGATIONS K ERNEL EXPLOITATION MITIGATIONS B YPASSING K ERNEL P ROTECTIONS C ONCLUSION P ROTECTING THE C ORE : K ERNEL E XPLOITATION M ITIGATIONS :: B LACK H AT EU 2011 :: C ENSUS , I NC .

  3. I MPORTANCE OF KERNEL SECURITY ◮ Operating system kernels are an attractive target for attackers ◮ Large code bases ◮ Countless entry points (syscalls, IOCTLs, FS code, network, etc.) ◮ Complicated interactions between subsystems ◮ Experience has shown that kernels on production systems are seldom upgraded ◮ Sandbox-based security measures can easily be subverted via kernel vulnerabilities ◮ Is the requirement of local access relevant anymore? ◮ Web apps, devices (iPhone, Android), remote bugs P ROTECTING THE C ORE : K ERNEL E XPLOITATION M ITIGATIONS :: B LACK H AT EU 2011 :: C ENSUS , I NC .

  4. K ERNEL MEMORY CORRUPTION VULNERABILITIES ◮ NULL pointer dereferences ◮ Used for initialization, to signify default, returned on error, etc. ◮ Problem for systems that split the virtual address space into two, kernel and process space ◮ Kernel stack overflows ◮ Per-process or per-LWP stacks ◮ Kernel internal functions’ stacks ◮ Memory allocator overflows ◮ Corrupt adjacent objects ◮ Corrupt metadata P ROTECTING THE C ORE : K ERNEL E XPLOITATION M ITIGATIONS :: B LACK H AT EU 2011 :: C ENSUS , I NC .

  5. B UGS THAT LEAD TO MEMORY CORRUPTIONS ◮ Insufficient validation of user input ◮ Traditional insufficient bounds checking ◮ Arbitrary memory corruptions (array indexes, reference counters) ◮ Signedness func(size t user size) { int size = user size; if(size < MAX SIZE) { /* do some operation with size considered safe */ ◮ Integer overflows vmalloc(sizeof(struct kvm cpuid entry2) * cpuid → nent); ◮ Race conditions ◮ Validation time vs use time ◮ Changeable locked resources P ROTECTING THE C ORE : K ERNEL E XPLOITATION M ITIGATIONS :: B LACK H AT EU 2011 :: C ENSUS , I NC .

  6. U SERLAND MEMORY CORRUPTION MITIGATIONS ◮ Stack canaries ◮ Protect metadata stored on the stack ◮ Heap canaries ◮ Guard value ◮ Used to encode elements of important structures ◮ Heap safe unlinking ◮ Metadata sanitization ◮ ASLR ◮ Location of stack randomized ◮ Random base address for dynamic libraries ◮ Random base address for executables (e.g. PIE) ◮ Location of heap randomized (e.g. brk ASLR) P ROTECTING THE C ORE : K ERNEL E XPLOITATION M ITIGATIONS :: B LACK H AT EU 2011 :: C ENSUS , I NC .

  7. U SERLAND MEMORY CORRUPTION MITIGATIONS ◮ Mark pages as non-executable (DEP/NX/XD/software-enforced) ◮ Mandatory Access Control (MAC) – SELinux, grsecurity (RBAC), AppArmor (path-based) ◮ Process debugging protection ◮ Forbid users to debug (their own) processes that are not launched by a debugger ◮ Contain application compromises ◮ Compile-time fortification ◮ -D FORTIFY SOURCE=2 ◮ Variable reordering ◮ grsecurity/PaX is the seminal work and provides much more P ROTECTING THE C ORE : K ERNEL E XPLOITATION M ITIGATIONS :: B LACK H AT EU 2011 :: C ENSUS , I NC .

  8. K ERNEL EXPLOITATION MITIGATIONS P ROTECTING THE C ORE : K ERNEL E XPLOITATION M ITIGATIONS :: B LACK H AT EU 2011 :: C ENSUS , I NC .

  9. L INUX Focus on Linux 2.6.37 ◮ Stack overflow protection ◮ SLUB Red Zone ◮ Memory protection ◮ NULL page mappings ◮ Poison pointer values ◮ Linux Kernel Modules ◮ grsecurity patch P ROTECTING THE C ORE : K ERNEL E XPLOITATION M ITIGATIONS :: B LACK H AT EU 2011 :: C ENSUS , I NC .

  10. L INUX :: S TACK O VERFLOW P ROTECTION SSP-type protection ◮ CC STACKPROTECTOR option ◮ gcc -fstack-protector ◮ affects the compilation of both kernel and modules ◮ local variable re-ordering ◮ canary protection only for functions with local character arrays ≥ 8 bytes ◮ in a kernel image with 16604 functions only 378 were protected (about 2%) ◮ if the canary is overwritten the kernel panics P ROTECTING THE C ORE : K ERNEL E XPLOITATION M ITIGATIONS :: B LACK H AT EU 2011 :: C ENSUS , I NC .

  11. L INUX :: C ANARIES ◮ A per-CPU canary is generated at boot-time boot init stack canary @ arch/x86/include/asm/stackprotector.h 61 u64 canary; 62 u64 tsc; 73 get random bytes(&canary, sizeof(canary)); 74 tsc = native read tsc(); 75 canary += tsc + (tsc << 32UL); current → stack canary = canary; 77 81 percpu write(stack canary.canary, canary); ◮ Each Lightweight Process (LWP) receives its own kernel stack canary dup task struct @ kernel/fork.c tsk → stack canary = get random int() 281 get random int @ drivers/char/random.c hash[0] += current → pid + jiffies + get cycles(); 1634 ret = half md4 transform(hash, keyptr → secret); 1635 P ROTECTING THE C ORE : K ERNEL E XPLOITATION M ITIGATIONS :: B LACK H AT EU 2011 :: C ENSUS , I NC .

  12. L INUX :: C ANARIES ◮ GCC expects to find the canary at %gs:0x14 proc fdinfo read @ fs/proc/base.c mov %gs:0x14, %edx 9 mov %edx, -0x10(%ebp) 16 ... ... mov -0x10(%ebp), %edx 81 xor %gs:0x14, %edx 84 jne <proc fdinfo read+106> 91 ... ... call < stack chk fail> 106 ◮ The canary is placed right after the local variables, thus “protecting” the saved base pointer, the saved instruction pointer and the function parameters P ROTECTING THE C ORE : K ERNEL E XPLOITATION M ITIGATIONS :: B LACK H AT EU 2011 :: C ENSUS , I NC .

  13. L INUX :: S TACK O VERFLOW E XAMPLE Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in c10e1ebf Pid: 9028, comm: canary-test Tainted: G D 2.6.37 #1 Call Trace: [<c1347887>] ? printk+0x18/0x21 [<c1347761>] panic+0x57/0x165 [<c1026339>] __stack_chk_fail+0x19/0x30 [<c10e1ebf>] ? proc_fdinfo_read+0x6f/0x70 [<c10e1ebf>] proc_fdinfo_read+0x6f/0x70 [<c10a377d>] ? rw_verify_area+0x5d/0x100 [<c10a42d9>] vfs_read+0x99/0x140 [<c10e1e50>] ? proc_fdinfo_read+0x0/0x70 [<c10a443d>] sys_read+0x3d/0x70 [<c1002b97>] sysenter_do_call+0x12/0x26 P ROTECTING THE C ORE : K ERNEL E XPLOITATION M ITIGATIONS :: B LACK H AT EU 2011 :: C ENSUS , I NC .

  14. L INUX :: SLUB R ED Z ONE ◮ The SLUB is a kernel slab allocator ◮ It allocates contiguous “slabs” of memory for object storage ◮ Each slab may contain one or more objects ◮ Objects are grouped in “caches” ◮ Each cache organizes objects of the same type ◮ New objects quickly reclaim the space of recently “deleted” objects ◮ A “Red Zone” is a word-sized canary of ’0xcc’ bytes placed right after every object in a slab ◮ It helps in identifying memory corruption bugs in kernel code (i.e. it’s not a security mechanism) ◮ If a Red Zone is overwritten, debug info is printed, Red Zone is restored and kernel continues execution ◮ Requires slub debug=FZ boot-time option and SLUB DEBUG config option P ROTECTING THE C ORE : K ERNEL E XPLOITATION M ITIGATIONS :: B LACK H AT EU 2011 :: C ENSUS , I NC .

  15. L INUX :: S LAB O VERFLOW E XAMPLE BUG kmalloc-1024: Redzone overwritten ----------------------------------------------------------------------- INFO: 0xc7ac9018-0xc7ac9018. First byte 0x33 instead of 0xcc INFO: Slab 0xc7fe5900 objects=15 used=10 fp=0xc7aca850 flags=0x400040c0 INFO: Object 0xc7ac8c18 @offset=3096 fp=0x33333333 Bytes b4 0xc7ac8c08: 00 00 00 00 00 00 00 00 cc cc cc cc 00 00 00 00 Object 0xc7ac8c18: 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 ... Redzone 0xc7ac9018: 33 cc cc cc Padding 0xc7ac901c: 00 00 00 00 Pid: Pid: 8382, comm: cat Not tainted 2.6.37 #2 Call Trace: [<c10a0e77>] print_trailer+0xe7/0x130 [<c10a152d>] check_bytes_and_report+0xed/0x150 [<c10a16e0>] check_object+0x150/0x210 [<c10a1f22>] free_debug_processing+0xd2/0x1b0 [<c10a35ae>] kfree+0xfe/0x170 [<c87f31c0>] ? sectest_exploit+0x1a0/0x1ec [sectest_overwrite_slub] ... [<c1002b97>] sysenter_do_call+0x12/0x26 FIX kmalloc-1024: Restoring 0xc7ac9018-0xc7ac9018 P ROTECTING THE C ORE : K ERNEL E XPLOITATION M ITIGATIONS :: B LACK H AT EU 2011 :: C ENSUS , I NC .

  16. L INUX :: M EMORY P ROTECTION ◮ Right after boot the kernel write protects the pages belonging to: ◮ the kernel code ◮ the read-only data (built-in firmware, kernel symbol table etc.) ◮ The non-executable bit is enabled for the pages of read-only data ◮ and only on hardware that supports it P ROTECTING THE C ORE : K ERNEL E XPLOITATION M ITIGATIONS :: B LACK H AT EU 2011 :: C ENSUS , I NC .

  17. L INUX :: NULL P AGE M APPINGS ◮ Linux mmap(2) avoids NULL page mappings by mapping pages at addresses ≥ mmap min addr ◮ mmap min addr defaults to 4096 ◮ Two ways to configure mmap min addr ◮ via a Linux Security Module (LSM) ◮ via Discretionary Access Control (DAC) ◮ sysctl vm.mmap min addr ◮ /proc/sys/vm/mmap min addr ◮ DEFAULT MMAP MIN ADDR kernel config option ◮ mmap min addr = max ( LSM value , DAC value ) P ROTECTING THE C ORE : K ERNEL E XPLOITATION M ITIGATIONS :: B LACK H AT EU 2011 :: C ENSUS , I NC .

Recommend

Catch-up Cycles and Changes in the Industry Leadership : Win indows of opportunity and re

Catch-up Cycles and Changes in the Industry Leadership : Win indows of opportunity and re

Catch-up Cycles and Changes in the Industry Leadership : Win indows of opportunity and re responses in in th the evo volution of f secto toral sys yste tems ( Special Issue, Research Policy 2016) Keun Lee (with Franco Malerba)

670 views • 48 slides
Java replacement for Win indows In Interface to Sim imulation of Errors Geometric

Java replacement for Win indows In Interface to Sim imulation of Errors Geometric

Java replacement for Win indows In Interface to Sim imulation of Errors Geometric misalignments No Fernndez lvarez 27/01/2017 Su Summary ry 1. Introduction to WISE geometric 2. WISE calculations 3. WISE usage 4. WISEs output

927 views • 29 slides
Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel

Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel

Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel Fernndez V, David P. Woodruff, Taisuke Yasuda Kernel Method Many machine learning tasks can be expressed as a function of the inner product

389 views • 22 slides
1 Kernel methods &amp; optimization One example of a kernel that is frequently used in practice

1 Kernel methods &amp; optimization One example of a kernel that is frequently used in practice

Machine Learning Class Notes 9-25-12 Prof. David Sontag 1 Kernel methods &amp; optimization One example of a kernel that is frequently used in practice and which allows for highly non-linear discriminant functions is the Gaussian kernel,

241 views • 5 slides
Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel

Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel

Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel Fernndez V, David P. Woodruff, Taisuke Yasuda Overview Preliminaries Kernel ridge regression Kernel -means clustering

476 views • 25 slides
Debugging the Linux Kernel with GDB Kieran Bingham Debugging the Linux Kernel with GDB Many

Debugging the Linux Kernel with GDB Kieran Bingham Debugging the Linux Kernel with GDB Many

Debugging the Linux Kernel with GDB Kieran Bingham Debugging the Linux Kernel with GDB Many of us need to debug the Linux kernel Proprietary tools like Trace32 and DS-5 are $$$ Open source debuggers like GDB lack kernel

884 views • 40 slides
Linux Kernel Synchronization System Calls Synchronization in Kernel the kernel RCU File

Linux Kernel Synchronization System Calls Synchronization in Kernel the kernel RCU File

3/1/20 COMP 790: OS Implementation COMP 790: OS Implementation Logical Diagram Binary Memory Threads Formats Allocators User Todays Lecture Linux Kernel Synchronization System Calls Synchronization in Kernel the kernel RCU File

647 views • 8 slides
D-Bus in the Kernel LinuxCon 2014, Tokyo, Japan May 2014 D-Bus in the Kernel Who? Greg

D-Bus in the Kernel LinuxCon 2014, Tokyo, Japan May 2014 D-Bus in the Kernel Who? Greg

D-Bus in the Kernel LinuxCon 2014, Tokyo, Japan May 2014 D-Bus in the Kernel Who? Greg Kroah-Hartman, David Herrmann, Daniel Mack, Lennart Poettering, Kay Sievers with help from Tejun Heo D-Bus in the Kernel Most newer OS designs started

1.35k views • 111 slides
Linux Kernel Debugging Your kernel just oopsed - What do you do, hotshot? Muli Ben-Yehuda

Linux Kernel Debugging Your kernel just oopsed - What do you do, hotshot? Muli Ben-Yehuda

Linux Kernel Debugging Your kernel just oopsed - What do you do, hotshot? Muli Ben-Yehuda mulix@mulix.org IBM Haifa Research Lab Kernel Debugging, Haifux 2003 p.1/19 Kernel Debugging - Why? Why would we want to debug the kernel? after

308 views • 19 slides
1 Theres a kernel security researcher named Dan Rosenberg whose done a lot of linux kernel

1 Theres a kernel security researcher named Dan Rosenberg whose done a lot of linux kernel

1 Theres a kernel security researcher named Dan Rosenberg whose done a lot of linux kernel vulnerability research Thats unavoidable, but the linux kernel developers dont do very much to make the situation any better. -- Basically, the

625 views • 36 slides
Kernel PCA for SNe Kernel PCA for SNe photometric classification photometric classification

Kernel PCA for SNe Kernel PCA for SNe photometric classification photometric classification

Kernel PCA for SNe Kernel PCA for SNe photometric classification photometric classification Emille E. O. Ishida IAG University of Sao Paulo, Brazil In collaboration with Rafael S. De Souza (KASI) astro-ph/1201.6676 IAU General Assembly,

155 views • 14 slides
The Kernel (and Process) Abstraction Chapter 2-3 OSPP Part I Announcements Today: kernel

The Kernel (and Process) Abstraction Chapter 2-3 OSPP Part I Announcements Today: kernel

The Kernel (and Process) Abstraction Chapter 2-3 OSPP Part I Announcements Today: kernel Asynchrony Processes Protection Kernel The software component that controls the hardware directly and implements the core privileged OS

934 views • 62 slides
D-Bus in the Kernel FOSDEM 2014, Brussels, Belgium January 2014 D-Bus in the Kernel Who? Greg

D-Bus in the Kernel FOSDEM 2014, Brussels, Belgium January 2014 D-Bus in the Kernel Who? Greg

D-Bus in the Kernel FOSDEM 2014, Brussels, Belgium January 2014 D-Bus in the Kernel Who? Greg Kroah-Hartman, Daniel Mack, Lennart Poettering, Kay Sievers with help from Tejun Heo D-Bus in the Kernel Most newer OS designs started around

1.27k views • 111 slides
Skoltech Skolkovo Institute of Science and Technology Kernel Methods Refresher Kernel trick:

Skoltech Skolkovo Institute of Science and Technology Kernel Methods Refresher Kernel trick:

Quadrature-based Features for Kernel Approximation Marina Munkhoeva , Yermek Kapushev, Evgeny Burnaev, Ivan Oseledets Skoltech Skolkovo Institute of Science and Technology Kernel Methods Refresher Kernel trick: compute

1.01k views • 17 slides
TOS Arno Puder 1 Demo Kernel /* tos/kernel/main.c */ #include &lt;kernel.h&gt; WINDOW

TOS Arno Puder 1 Demo Kernel /* tos/kernel/main.c */ #include &lt;kernel.h&gt; WINDOW

TOS Arno Puder 1 Demo Kernel /* tos/kernel/main.c */ #include &lt;kernel.h&gt; WINDOW window_top = {0, 0, 80, 12, 0, 0, ' '}; WINDOW window_bottom = {0, 12, 80, 13, 0, 0, ' '}; void kernel_main() { for (int x = 0; x &lt; 80 * 25 * 2; x++)

830 views • 7 slides
Introduction to Linux Kernel Modules Luca Abeni luca.abeni@santannapisa.it Linux Kernel Modules

Introduction to Linux Kernel Modules Luca Abeni luca.abeni@santannapisa.it Linux Kernel Modules

Introduction to Linux Kernel Modules Luca Abeni luca.abeni@santannapisa.it Linux Kernel Modules Kernel module: code that can be dynamically loaded/unloaded into the kernel at runtime Change the kernel code without needing to reboot

545 views • 13 slides
1 CPU Events: Interrupts and Exceptions CPU Events: Interrupts and Exceptions Protecting Entry

1 CPU Events: Interrupts and Exceptions CPU Events: Interrupts and Exceptions Protecting Entry

Processes and the Kernel Processes and the Kernel The kernel sets processes up process in private data data execution Processes, Protection and the Kernel: Processes, Protection and the Kernel: virtual contexts to address

540 views • 9 slides
A kernel in a library Genodes custom kernel approach Martin Stein &lt;

A kernel in a library Genodes custom kernel approach Martin Stein &lt;

A kernel in a library Genodes custom kernel approach Martin Stein &lt; martin.stein@genode-labs.com &gt; Outline 1. Motivation 2. Overview 3. Scheduling 4. Capabilities 5. Communication A kernel in a library Genodes custom kernel

798 views • 45 slides
Optimization for Kernel Methods S. Sathiya Keerthi Yahoo! Research, Burbank, CA, USA Kernel

Optimization for Kernel Methods S. Sathiya Keerthi Yahoo! Research, Burbank, CA, USA Kernel

Optimization for Kernel Methods S. Sathiya Keerthi Yahoo! Research, Burbank, CA, USA Kernel methods: Support Vector Machines (SVMs) Kernel Logistic Regression (KLR) Aim: To introduce a variety of optimization problems that arise in the

738 views • 59 slides
Learning From Data Lecture 26 Kernel Machines Popular Kernels The Kernel Measures Similarity

Learning From Data Lecture 26 Kernel Machines Popular Kernels The Kernel Measures Similarity

Learning From Data Lecture 26 Kernel Machines Popular Kernels The Kernel Measures Similarity Kernels in Different Applications M. Magdon-Ismail CSCI 4100/6100 recap: The Kernel Allows Us to Bypass Z -space Solve the QP 1

356 views • 12 slides
. . : =L distance functions Possible Euclidean . Manhattan - other .

. . : =L distance functions Possible Euclidean . Manhattan - other .

Midterm the Since Topics based Instance and classification ] learning NN . regression Kernel . mgohssien ... ] ' , margin than Peru &quot; learning , . .dyu, online approaches trick kernel kernel based ^ ,

345 views • 11 slides
Paper-Reading-Group Nested Kernel: An Operating System Architecture for Intra-Kernel Privilege

Paper-Reading-Group Nested Kernel: An Operating System Architecture for Intra-Kernel Privilege

Paper-Reading-Group Nested Kernel: An Operating System Architecture for Intra-Kernel Privilege Separation Nathan Dautenhahn, Theodoros Kasampalis, Will Dietz, John Criswell, and Vikram Adve Nested Kernel - Motivation Monoliths have single

398 views • 17 slides
Kernel Learning with a Million Kernels Ashesh Jain SVN Vishwanathan IIT Delhi Purdue

Kernel Learning with a Million Kernels Ashesh Jain SVN Vishwanathan IIT Delhi Purdue

Kernel Learning with a Million Kernels Ashesh Jain SVN Vishwanathan IIT Delhi Purdue University Manik Varma Microsoft Research India Kernel Learning The objective in kernel learning is to jointly learn both SVM and kernel parameters

1.34k views • 38 slides
Anil Kurmus kur@zurich.ibm.com IBM Research - Zurich Outline 1. Background Hardening Kernel

Anil Kurmus kur@zurich.ibm.com IBM Research - Zurich Outline 1. Background Hardening Kernel

September 2016 BalCCon 2k16 Kernel Exploitation and Hardening Why we could have nice things! (using Split Kernel) Anil Kurmus kur@zurich.ibm.com IBM Research - Zurich Outline 1. Background Hardening Kernel Vulnerabilities Kernel

1.07k views • 39 slides

More recommend