Slide 1: Vasileios P. Kemerlis, Georgios Portokalidis, Angelos D. Keromytis
Network Security Lab, Department of Computer Science, Columbia University, USA
21st USENIX Security Symposium (August 2012)

Slide 2: Outline
- Why Return-to-user (ret2usr)?
- Threat model
- Protection with kGuard
- Implementation
- Evaluation
- Discussion and Future Work
(2012/8/10, A Seminar at Advanced Defense Lab)

Slide 3: Why Return-to-user (ret2usr)?
- Compile-time protection: ASLR, StackGuard, etc.
[Diagram with labels: Administrator Process, Attacker User Process, System Kernel, Privileged Machine Code]

Slide 4: Another Reason
- NULL pointer dereference errors had not received significant attention; we usually see them as vulnerabilities for DoS attacks.
- But they may be used to gain privileges:
  - CVE-2011-1888 (Windows)
  - CVE-2009-2908 (Linux)
  - CVE-2009-3527 (FreeBSD)
  - CVE-2009-2692 (Linux, Android)

Slide 5: An example (CVE-2009-2692) [link]
- If the socket descriptor belongs to a vulnerable protocol family, the value of the sendpage pointer in line 742 is set to NULL.

Slide 6: Previous Approaches
- Previous approaches to the problem are either impractical for deployment in certain environments or can be easily circumvented.
- Restricting mmap
  - Can be circumvented [link]
- PaX
  - Platform- and architecture-specific
  - Performance

Slide 7: In this paper
- We present a lightweight solution to the problem.
- kGuard is a compiler plugin that augments kernel code with control-flow assertions (CFAs), which ensure that privileged execution remains within its valid boundaries and does not cross to user space.

Slide 8: Threat Model
- We assume that an adversary is able to completely overwrite, partially corrupt (e.g., zero out only certain bytes), or nullify control data that are stored inside the address space of the kernel.

Slide 9: Protection with kGuard
- We propose a defensive mechanism that builds upon inline monitoring and code diversification.
- kGuard is a cross-platform compiler plugin that enforces address space segregation,

Slide 10: CFA_R (transfer by register)

Slide 11: CFA_M (transfer by memory)
- Note on the slide: can be skipped for optimization.
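To make the two assertion flavours from slides 10 and 11 concrete, and to show how they catch the nullified sendpage pointer from slide 5, here is an added C model of the CFA logic. It is not code from the paper or from kGuard (which emits its checks into the kernel at compile time); it expresses the same checks in plain C over a simulated address space. The KERNEL_BASE boundary, the scenario names and every address in it are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed kernel/user split for this model (not a constant taken from kGuard): addresses at
 * or above KERNEL_BASE are kernel space, everything below is user space, including page 0. */
#define KERNEL_BASE 0xffff800000000000ULL

enum cfa_result {
    CFA_OK = 0,          /* control stays in kernel space */
    CFA_BAD_TARGET = 1,  /* branch target lies in user space: a ret2usr transfer */
    CFA_BAD_SLOT = 2     /* the memory cell the pointer was loaded from lies in user space */
};

/* CFA_R: guard for "call/jmp *%reg". The target is already in a register, so only its value
 * needs to be checked against the boundary. */
static enum cfa_result cfa_r(uint64_t target)
{
    return target >= KERNEL_BASE ? CFA_OK : CFA_BAD_TARGET;
}

/* CFA_M: guard for "call/jmp *(mem)". The cell holding the pointer must itself be in kernel
 * space (otherwise the attacker controls what the check reads), and then the loaded value is
 * checked exactly like CFA_R. */
static enum cfa_result cfa_m(uint64_t slot, uint64_t loaded_target)
{
    if (slot < KERNEL_BASE)
        return CFA_BAD_SLOT;
    return cfa_r(loaded_target);
}

/* One indirect branch as the instrumented kernel would see it at the guarded site. */
struct branch {
    const char *what;
    int via_memory;   /* 1: pointer read from memory (CFA_M); 0: already in a register (CFA_R) */
    uint64_t slot;    /* address of the pointer cell, only meaningful when via_memory == 1 */
    uint64_t target;  /* the branch target the CPU would jump to */
};

/* Runs each branch through its CFA, reports the verdict, and returns how many were blocked. */
static int audit(const struct branch *b, int n)
{
    int blocked = 0;
    for (int i = 0; i < n; i++) {
        enum cfa_result r = b[i].via_memory ? cfa_m(b[i].slot, b[i].target) : cfa_r(b[i].target);
        const char *verdict = r == CFA_OK ? "ok" :
                              r == CFA_BAD_SLOT ? "BLOCKED: pointer cell in user space" :
                                                  "BLOCKED: target in user space";
        printf("%-38s -> %s\n", b[i].what, verdict);
        if (r != CFA_OK)
            blocked++;
    }
    return blocked;
}

/* Constructed scenarios covering the threat model: a nullified function pointer (the shape of the
 * CVE-2009-2692 sendpage case), partial corruption (upper bytes zeroed), a complete overwrite, a
 * pointer cell relocated into user memory, and two register-based transfers. All addresses are
 * made up for the example. */
static const struct branch scenarios[] = {
    { "proto_ops->sendpage intact",           1, 0xffff880001234500ULL, 0xffff800000412340ULL },
    { "proto_ops->sendpage nullified",        1, 0xffff880001234500ULL, 0x0ULL },
    { "sendpage with upper 4 bytes zeroed",   1, 0xffff880001234500ULL, 0x0000000000412340ULL },
    { "sendpage overwritten to user code",    1, 0xffff880001234500ULL, 0x00007f0000001000ULL },
    { "proto_ops cell itself in user memory", 1, 0x00007fffffffe000ULL, 0xffff800000412340ULL },
    { "register-held kernel callback",        0, 0,                      0xffff800000561230ULL },
    { "register-held pointer nullified",      0, 0,                      0x0ULL },
};
#define N_SCENARIOS ((int)(sizeof(scenarios) / sizeof(scenarios[0])))

/* Convenience entry point: audit the constructed scenarios and return the number blocked. */
static int run_scenarios(void)
{
    return audit(scenarios, N_SCENARIOS);
}

int main(void)
{
    printf("%d of %d branches blocked by CFAs\n", run_scenarios(), N_SCENARIOS);
    return 0;
}
```

The slot check in cfa_m is the part that distinguishes CFA_M from CFA_R: with a nullified or partially zeroed pointer the target check alone suffices, but if the attacker can move the pointer cell itself into user memory, the value read by the guard is attacker-controlled, so the cell's address has to be validated first.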

Slide 12: Bypass Trampolines
- Like return-oriented programming
- It is possible to find an embedded opcode sequence that translates directly to a control branch in user space.

Slide 13: Code Diversification Against Bypasses
- Code inflation
  - randomizing the starting address of the text segment
  - inserting NOP sleds of random length at the beginning of each CFA

Slide 14: Code Diversification Against Bypasses (cont.)
- CFA motion
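The following added C model illustrates the two diversification steps from slides 13 and 14, code inflation and CFA motion, on a constructed image layout. It is not code from the paper or from kGuard; it only models where CFAs end up, not the machine code itself. The gap sizes, the CFA_LEN of 12 bytes, the page-aligned text base range and the xorshift seed handling are all assumptions made for the example; only the 0 to 20 sled range comes from the talk's evaluation setup.

```c
#include <stdint.h>
#include <stdio.h>

#define N_CFAS   4    /* number of guarded branch sites in the constructed sample image */
#define MAX_SLED 20   /* NOP sled length drawn from 0..20, matching the talk's setup */
#define CFA_LEN  12   /* assumed byte length of one CFA plus the branch it guards (not kGuard's real size) */

/* Fixed code bytes that precede each CFA site in the uninflated image (constructed sample). */
static const uint32_t gaps[N_CFAS] = { 0x40, 0x1c0, 0x9a, 0x310 };

struct layout {
    uint64_t text_base;             /* randomized start of the kernel text segment */
    uint64_t sled_start[N_CFAS];    /* first byte of the NOP region in front of CFA i */
    uint32_t sled_len[N_CFAS];      /* how many NOP bytes that region holds */
    uint64_t cfa_addr[N_CFAS];      /* where CFA i currently begins (inside its region) */
};

/* Deterministic xorshift32 so a "build" is reproducible from its seed; not a cryptographic RNG. */
static uint32_t next_rand(uint32_t *s)
{
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

/* Code inflation: choose a random page-aligned text base and prepend a random-length NOP sled
 * to every CFA. The CFA is initially placed at the end of its sled. */
static void inflate(struct layout *l, uint32_t seed)
{
    uint32_t s = seed ? seed : 0x9e3779b9u;
    l->text_base = 0xffffffff81000000ULL + ((uint64_t)(next_rand(&s) % 4096) << 12);
    uint64_t pc = l->text_base;
    for (int i = 0; i < N_CFAS; i++) {
        pc += gaps[i];
        l->sled_start[i] = pc;
        l->sled_len[i] = next_rand(&s) % (MAX_SLED + 1);
        l->cfa_addr[i] = pc + l->sled_len[i];
        pc += l->sled_len[i] + CFA_LEN;
    }
}

/* CFA motion: slide CFA i to a fresh random position inside its own NOP region, so its
 * address changes without relocating the rest of the image. */
static void cfa_motion(struct layout *l, int i, uint32_t seed)
{
    uint32_t s = seed ? seed : 0x9e3779b9u;
    l->cfa_addr[i] = l->sled_start[i] + next_rand(&s) % (l->sled_len[i] + 1);
}

/* 1 if an offset (relative to the text base) memorized for CFA i in build a still lands on the
 * same byte of CFA i in build b. A trampoline computed against one fixed layout depends on this. */
static int cfa_offset_reusable(const struct layout *a, const struct layout *b, int i)
{
    return (a->cfa_addr[i] - a->text_base) == (b->cfa_addr[i] - b->text_base);
}

/* Invariants every layout must satisfy: sled lengths in range, each CFA inside its own region. */
static int layout_valid(const struct layout *l)
{
    for (int i = 0; i < N_CFAS; i++) {
        if (l->sled_len[i] > MAX_SLED) return 0;
        if (l->cfa_addr[i] < l->sled_start[i] ||
            l->cfa_addr[i] > l->sled_start[i] + l->sled_len[i]) return 0;
    }
    return 1;
}

int main(void)
{
    struct layout a, b;
    inflate(&a, 1);    /* two builds of the same source with different seeds */
    inflate(&b, 2);
    int reusable = 0;
    for (int i = 0; i < N_CFAS; i++) {
        printf("CFA %d: build A %#llx (sled %2u)  build B %#llx (sled %2u)\n", i,
               (unsigned long long)a.cfa_addr[i], a.sled_len[i],
               (unsigned long long)b.cfa_addr[i], b.sled_len[i]);
        reusable += cfa_offset_reusable(&a, &b, i);
    }
    printf("%d of %d memorized offsets survive re-inflation\n", reusable, N_CFAS);
    cfa_motion(&a, 0, 7);
    printf("after CFA motion, CFA 0 of build A is at %#llx\n", (unsigned long long)a.cfa_addr[0]);
    return layout_valid(&a) && layout_valid(&b) ? 0 : 1;
}
```

Because every sled length feeds into the position of all later code, a single random sled shifts every subsequent CFA, and CFA motion lets the position change again inside the reserved region without re-linking; both break the assumption that a byte sequence found at one offset in one image sits at the same offset in another.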

Slide 15: Implementation
- GCC 4.5.1

Slide 16: Evaluation
- Our testbed consisted of a single host, equipped with two 2.66GHz quad-core Intel Xeon X5500 CPUs and 24GB of RAM, running Debian Linux v6 ("squeeze", kernel v2.6.32).
- NOP sled before each CFA: 0 to 20

Slide 17: Preventing Real Attacks

Slide 18: Translation Overhead
- Kernel image size increased
  - x86: 3.5%
  - x86-64: 5.6%

Slide 19: Performance Overhead
- Macro benchmarks
  - Building a vanilla Linux kernel
  - MySQL v5.1.49
    - Its own benchmark suite (sql-bench)
  - Apache v2.2.16
    - Its utility ab and static HTML files

Slide 20: Macro Benchmark Result (overhead relative to an unprotected kernel)

                    kGuard x86      kGuard x86-64   PaX x86         PaX x86-64
  Building Kernel   1.03%           0.93%           1.26%           2.89%
  sql-bench         0.93%           0.85%           1.16%           2.67%
  ab                0.001% - 0.01%  0.001% - 0.01%  0.01% - 0.09%   0.01% - 0.67%

Slide 21: Micro Benchmarks

Slide 22: Discussion and Future Work
- Custom violation handlers
- Persistent threats
- CFA motion at runtime


