Presentation is loading. Please wait.

Presentation is loading. Please wait.

Efficient Protection of Kernel Data Structures via Object Partitioning Abhinav Srivastava, Jonathon Giffin AT&T Labs-Research, HP Fortify ACSAC 2012.

Similar presentations


Presentation on theme: "Efficient Protection of Kernel Data Structures via Object Partitioning Abhinav Srivastava, Jonathon Giffin AT&T Labs-Research, HP Fortify ACSAC 2012."— Presentation transcript:

1 Efficient Protection of Kernel Data Structures via Object Partitioning Abhinav Srivastava, Jonathon Giffin AT&T Labs-Research, HP Fortify ACSAC 2012

2 Outline Introduction Related Work Sentry System Implementation Evaluation Conclusion

3 Introduction Kernel-level malicious malware often uses DKOM(Direct Kernel Object Manipulation) to hide the process from the kernel’s process accounting list. They may also escalate a process’ privileges by overwriting the process’ credentials with those for a root or administrative user We present a system called Sentry that creates access control protections for security-critical kernel data.

4 Related Work Petroni et al. detect process which reachable in scheduler but not in process accounting list. Cannot detect the list of loaded kernel modules, which do not offer multiple views. XFI and BGI guarded write instructions subject to access control policy constraints. Require all kernel drivers and modules to use this system Low performance.

5 Sentry System Page-level Granularity: use hardware’s page read/write protection to enforce access control policy Partitioning: to separate kernel data structure into regions which have different access control policies Based on VM: to get full control to hardware page-fault handling and management

6 Sentry System

7 Page-level Granularity Old methods Applying policy checking is to check all possible write operation to kernel data  Slow performance Protecting a single security-critical member requires whole page to be protected  Low memory utility Sentry use structure partitioning and page write protection to apply access control policies

8 Page-level Granularity (Cont.) How page write protection protect the data? Simply using the write flag in page data structure If someone tries to write to a protected page, a page fault happen, and a function sh_page_fault in XEN hypervisor is called to handle this event Sentry changes the handling function to add a policy check: If write is valid, then ignore this page fault and perform write operation If write is invalid, then the write operation is denied

9 Partitioning Structures such as task_struct and module contains a mix of security-critical and not-critical fields Structure Division Structure Alignment

10 Partitioning - Structure Division Split original Obj by creating a new data structure insecure_Obj containing non-critical fields uid_t uid, euid, suid gid_t gid, egid, sgid u64 acct_rss_mem1 u64 acct_vm_mem1 struct list_head tasks void *journal_info unsigned long personality struct audit_context *audit_context char comm[16]... struct task_struct struct insecure_task_struct uid_t uid, euid, suid gid_t gid, egid, sgid struct list_head tasks char comm[16] u64 acct_rss_mem1 u64 acct_vm_mem1 void *journal_info unsigned long personality struct audit_context *audit_context insecure_task_struct *insecure

11 Partitioning - Structure Alignment Add a buffer to original Obj to separate security-critical members and non-critical members away This can be done by using compiler options to insert or remove the alignment buffer struct module enum module_state state struct list_head list char name[MODULE_NAME_LEN] const char *version const char *srcversion... struct module enum module_state state struct list_head list char name[MODULE_NAME_LEN] const char *version const char *srcversion... char buffer[BIG_SPACE] Page Size

12 Policy A valid write operation can be performed by: Trusted core kernel, such as core kernel code from symbol _text to _etext, kernel boot code from symbol __init_begin to __init_end Trusted Upgraders: Alteration reachable from most exported kernel functions, such as API provided by the Kernel

13 Page Creation & Registration When creating a new instance of protected structure, Obj and insecure_Obj are put into a page frame separately, and add page write protection on the page containing Obj The page frame number(PFN) then send to Sentry system using VMCALL, a method to pass data to hypervisor, to tell which page frame needs mediation

14 Implementation Use Linux 2.6 and Xen hypervisor Change task_struct and module structure using division and alignment respectively Change Linux source code where use those structures into correct variable current->journal_info  current->insecure->journal_info Alter 0.036%(2536/7041452) SLOC(Source Line of Code) in Linux 2.6 This can be done by source-to-source transformation techniques, such as provided by CIL

15 Implementation (Cont.) Structure Division Apply on task_struct structure only Categorized 28 of 122 members as critical Change structure creation function kmem_cache_alloc into get_free_pages and kmalloc Structure Alignment Apply on module structure only Categorized 2 of 29 members as critical Only a recompilation of the kernel

16 Implementation (Cont.) APIs to communicate to hypervisor addPFNtoDB, removePFNfromDB, checkPFNinDB Modify __sh_propagate to make a shadow of memory of guest operating system for monitor Sentry check write operation’s vaildity by the eip register when sh_page_fault is called, and traverse the stack frame using ebp to get full call trace

17 Evaluation Attack Prevention and Detection

18 Evaluation (Cont.) Performance on loading and unloading modules Normal: no kernel memory protection Protected: protection without partitioning Sentry: both memory protection and partitioning

19 Evaluation (Cont.) Performance on file system read/write Memory page utility A partitioned kernel used 6502 pages as compared to 6302 pages used by the unpartitioned kernel

20 Evaluation (Cont.) Performance on real world jobs Performance on process data structure 1000 µs = 1 ms

21 Evaluation (Cont.) False Positive Analysis Since benign modules don’t directly modify security-critical kernel data, and uses exported APIs provided by kernel For example, benign modules don’t directly modify run_list, but using enqueue_task and dequeue_task to modify this member, and those functions are valid APIs, so the modules can still works fine Our system did not show any false positives and detected all attacks

22 Conclusion We create protected memory regions within the unified kernel data space. We show how to optimize kernel memory space layout for the protection constraints created by our system. We design and develop a system, Sentry, which is capable of protecting both statically and dynamically allocated data structures.


Download ppt "Efficient Protection of Kernel Data Structures via Object Partitioning Abhinav Srivastava, Jonathon Giffin AT&T Labs-Research, HP Fortify ACSAC 2012."

Similar presentations


Ads by Google