Download presentation
Presentation is loading. Please wait.
Published byHerbert Lester Modified over 8 years ago
1
Vasileios P. Kemerlis, Georgios Portokalidis, Angelos D. Keromytis Network Security Lab, Department of Computer Science, Columbia University, USA 21 st USENIX Security Symposium (August, 2012)
2
Outline Why Return-to-user (ret2usr) ? Threat model Protection with kGuard Implementation Evaluation Discussion and Future Work 2012/8/102A Seminar at Advanced Defense Lab
3
Compile-time protection ASLR, StackGuard, and etc. Why Return-to-user (ret2usr) ? 2012/8/10A Seminar at Advanced Defense Lab3 Administrator Process Attacker User Process System Kernel Privileged Machine Code
4
Another Reason NNULL pointer dereference errors had not received significant attention. We usually see them as vulnerabilities for DoS attacks. BBut they may be used to gain privileges. CVE-2011-1888 (Windows) CVE-2009-2908 (Linux) CVE-2009-3527 (FreeBSD) CVE-2009-2692 (Linux, Android) 2012/8/10A Seminar at Advanced Defense Lab4
5
A example (CVE-2009-2692) [link]link if the socket descriptor belongs to a vulnerable protocol family, the value of the sendpage pointer in line 742 is set to NULL. 2012/8/10A Seminar at Advanced Defense Lab5
6
Previous Approaches Previous approaches to the problem are either impractical for deployment in certain environments or can be easily circumvented. Restricting mmap ○ Can be circumvented [link]link PaX ○ Platform and architecture specific ○ performance 2012/8/10A Seminar at Advanced Defense Lab6
7
In this paper We present a lightweight solution to the problem. kGuard is a compiler plugin that augments kernel code with control-flow assertions (CFAs) which ensure that privileged execution remains within its valid boundaries and does not cross to user space. 2012/8/10A Seminar at Advanced Defense Lab7
8
Threat Model We ascertain that an adversary is able to completely overwrite, partially corrupt (e.g., zero out only certain bytes), or nullify control data that are stored inside the address space of the kernel. 2012/8/10A Seminar at Advanced Defense Lab8
9
Protection with kGuard We propose a defensive mechanism that builds upon inline monitoring and code diversification. kGuard is a cross-platform compiler plugin that enforces address space segregation, 2012/8/10A Seminar at Advanced Defense Lab9
10
CFA R (transfer by register) 2012/8/10A Seminar at Advanced Defense Lab10
11
CFA M (transfer by memory) 2012/8/10A Seminar at Advanced Defense Lab11 Can be skip for optimization
12
Bypass Trampolines Like return-oriented programming It is possible to find an embedded opcode sequence that translates directly to a control branch in user space. 2012/8/10A Seminar at Advanced Defense Lab12
13
Code Diversification Against Bypasses Code inflation randomizing the starting address of the text segment inserting NOP sleds of random length at the beginning of each CFA 2012/8/10A Seminar at Advanced Defense Lab13
14
Code Diversification Against Bypasses (cont.) CFA motion 2012/8/10A Seminar at Advanced Defense Lab14
15
Implementation GCC 4.51 2012/8/10A Seminar at Advanced Defense Lab15
16
Evaluation Our testbed consisted of a single host, equipped with two 2.66GHz quad-core Intel Xeon X5500 CPUs and 24GB of RAM, running Debian Linux v6 (“squeeze” with kernel v2.6.32). NOP sled before CFA: 0 ~ 20 2012/8/10A Seminar at Advanced Defense Lab16
17
Preventing Real Attacks 2012/8/10A Seminar at Advanced Defense Lab17
18
Translation Overhead Kernel image size increased X86: 3.5% X86-64: 5.6% 2012/8/10A Seminar at Advanced Defense Lab18
19
Performance Overhead Macro benchmarks Building a vanilla Linux kernel MySQL v5.1.49 ○ Its own benchmark suit ( sql-bench ) Apache v2.2.16 ○ Its utility ab and static HTML files 2012/8/10A Seminar at Advanced Defense Lab19
20
Macro Benchmark Result kGuardPaX x86X86-64x86x86-64 Building Kernel1.03%0.93%1.26%2.89% sql-bench 0.93%0.85%1.16%2.67% ab 0.001% - 0.01% 0.001% – 0.01% 0.01% - 0.09% 0.01% - 0.67% 2012/8/10A Seminar at Advanced Defense Lab20
21
Micro Benchmarks 2012/8/10A Seminar at Advanced Defense Lab21
22
Discussion and Future Work Custom violation handlers Persistent threats CFA motion at runtime 2012/8/10A Seminar at Advanced Defense Lab22
23
2012/8/10A Seminar at Advanced Defense Lab23
Similar presentations
© 2024 SlidePlayer.com Inc.
All rights reserved.