Vasileios P. Kemerlis, Georgios Portokalidis, Angelos D. Keromytis Network Security Lab, Department of Computer Science, Columbia University, USA 21 st USENIX Security Symposium (August, 2012)
Outline Why Return-to-user (ret2usr) ? Threat model Protection with kGuard Implementation Evaluation Discussion and Future Work 2012/8/102A Seminar at Advanced Defense Lab
Compile-time protection ASLR, StackGuard, and etc. Why Return-to-user (ret2usr) ? 2012/8/10A Seminar at Advanced Defense Lab3 Administrator Process Attacker User Process System Kernel Privileged Machine Code
Another Reason NNULL pointer dereference errors had not received significant attention. We usually see them as vulnerabilities for DoS attacks. BBut they may be used to gain privileges. CVE (Windows) CVE (Linux) CVE (FreeBSD) CVE (Linux, Android) 2012/8/10A Seminar at Advanced Defense Lab4
A example (CVE ) [link]link if the socket descriptor belongs to a vulnerable protocol family, the value of the sendpage pointer in line 742 is set to NULL. 2012/8/10A Seminar at Advanced Defense Lab5
Previous Approaches Previous approaches to the problem are either impractical for deployment in certain environments or can be easily circumvented. Restricting mmap ○ Can be circumvented [link]link PaX ○ Platform and architecture specific ○ performance 2012/8/10A Seminar at Advanced Defense Lab6
In this paper We present a lightweight solution to the problem. kGuard is a compiler plugin that augments kernel code with control-flow assertions (CFAs) which ensure that privileged execution remains within its valid boundaries and does not cross to user space. 2012/8/10A Seminar at Advanced Defense Lab7
Threat Model We ascertain that an adversary is able to completely overwrite, partially corrupt (e.g., zero out only certain bytes), or nullify control data that are stored inside the address space of the kernel. 2012/8/10A Seminar at Advanced Defense Lab8
Protection with kGuard We propose a defensive mechanism that builds upon inline monitoring and code diversification. kGuard is a cross-platform compiler plugin that enforces address space segregation, 2012/8/10A Seminar at Advanced Defense Lab9
CFA R (transfer by register) 2012/8/10A Seminar at Advanced Defense Lab10
CFA M (transfer by memory) 2012/8/10A Seminar at Advanced Defense Lab11 Can be skip for optimization
Bypass Trampolines Like return-oriented programming It is possible to find an embedded opcode sequence that translates directly to a control branch in user space. 2012/8/10A Seminar at Advanced Defense Lab12
Code Diversification Against Bypasses Code inflation randomizing the starting address of the text segment inserting NOP sleds of random length at the beginning of each CFA 2012/8/10A Seminar at Advanced Defense Lab13
Code Diversification Against Bypasses (cont.) CFA motion 2012/8/10A Seminar at Advanced Defense Lab14
Implementation GCC /8/10A Seminar at Advanced Defense Lab15
Evaluation Our testbed consisted of a single host, equipped with two 2.66GHz quad-core Intel Xeon X5500 CPUs and 24GB of RAM, running Debian Linux v6 (“squeeze” with kernel v2.6.32). NOP sled before CFA: 0 ~ /8/10A Seminar at Advanced Defense Lab16
Preventing Real Attacks 2012/8/10A Seminar at Advanced Defense Lab17
Translation Overhead Kernel image size increased X86: 3.5% X86-64: 5.6% 2012/8/10A Seminar at Advanced Defense Lab18
Performance Overhead Macro benchmarks Building a vanilla Linux kernel MySQL v ○ Its own benchmark suit ( sql-bench ) Apache v ○ Its utility ab and static HTML files 2012/8/10A Seminar at Advanced Defense Lab19
Macro Benchmark Result kGuardPaX x86X86-64x86x86-64 Building Kernel1.03%0.93%1.26%2.89% sql-bench 0.93%0.85%1.16%2.67% ab 0.001% % 0.001% – 0.01% 0.01% % 0.01% % 2012/8/10A Seminar at Advanced Defense Lab20
Micro Benchmarks 2012/8/10A Seminar at Advanced Defense Lab21
Discussion and Future Work Custom violation handlers Persistent threats CFA motion at runtime 2012/8/10A Seminar at Advanced Defense Lab22
2012/8/10A Seminar at Advanced Defense Lab23