Secure Operating Systems Lesson 0x12h: Return to User.

Where are we?
- Done! Yay! Code complete!
- But there is always more...
- So let's look at a newer trend in OS exploitation: ret2usr (return-to-user).

Exploiting the Kernel
- When we exploit the kernel, it can be hard to actually gain control of execution.
- In particular, a NULL pointer dereference in kernel code has often been written off as unexploitable (a crash, nothing more)... Fortunately (?) that is not true: return to user!!!

Underlying Vuln
- Think about the memory layout for a little bit...
- Right: on the traditional design, user space and the kernel share one address space, and while running in kernel mode the CPU can still read, write and execute any user-space page (any part of user space).
- This means 'nuisance' bugs like a NULL pointer dereference can be deadly in kernel space (i.e. deadly == not just a DoS attack): the low address the kernel touches is one the attacker can map beforehand and fill with whatever they like.

What happens...
- Imagine we can get the kernel to dereference a struct through a pointer we influence (or that is simply NULL), and this struct contains a function pointer which the kernel will call...
- Boom! The pointer now resolves into memory that is valid in user mode (somewhere around 0x000000nn for a NULL-based dereference: the zero page the attacker mapped), so the kernel calls attacker-chosen code at kernel privilege.
- Aside: this is really the confused deputy problem all over again: the kernel uses its own authority to act on an address chosen by a less privileged party.
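The chain the slide describes, simulated inside one user-mode process. This is an added example, not code from the lecture or from the KGuard paper: the "kernel" side is an ordinary function that follows an uninitialised ops pointer, and the attacker side tries to back the zero page with its own memory via mmap and plants a fake ops struct there. The struct names, the 0x1337 marker value and the 4096-byte page size are assumptions. On a stock Linux system the mmap(0) call is refused because the address lies below vm.mmap_min_addr (the check that was tightened precisely to close this class of bug), and the example reports that outcome rather than faking success.

```c
/* ret2usr_chain.c: the ret2usr chain simulated in one user-mode process.
 * Added example, not from the lecture or the KGuard paper. Struct names,
 * the 0x1337 marker and the 4096-byte page are assumptions. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

#define PAGE 4096UL

/* What the "kernel" expects to find behind dev->ops. */
struct file_ops {
    long (*ioctl)(unsigned long arg);
};

/* A "kernel" object whose ops pointer was never initialised. The field is
 * volatile so the compiler must really load it instead of folding a known
 * NULL into a trap (GCC's -fisolate-erroneous-paths-dereference). */
struct device {
    struct file_ops *volatile ops;
};

/* Attacker-supplied function. A real payload would raise the caller's
 * privileges; this one only returns a recognisable marker. */
static long user_payload(unsigned long arg) {
    (void)arg;
    return 0x1337;
}

/* Kernel-side bug: follows dev->ops with no check on where it points. With
 * ops == NULL this reads the zero page, which user space may have mapped. */
__attribute__((noinline))
static long kernel_dispatch(struct device *dev, unsigned long arg) {
    return dev->ops->ioctl(arg);
}

/* Attacker step 1: write a fake struct file_ops wherever the kernel will look. */
static void plant_fake_ops(struct file_ops *where) {
    where->ioctl = user_payload;
}

/* Attacker step 2: back address 0 with attacker-controlled memory. Returns 0
 * on success or errno on refusal (Linux: EPERM when the address is below
 * vm.mmap_min_addr and the caller lacks CAP_SYS_RAWIO). */
static int map_zero_page(void) {
    void *p = mmap((void *)0, PAGE, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    return p == MAP_FAILED ? errno : 0;
}

/* Current lower bound for user mappings (Linux-specific; -1 if unreadable). */
static long read_mmap_min_addr(void) {
    long v = -1;
    FILE *f = fopen("/proc/sys/vm/mmap_min_addr", "r");
    if (f) {
        if (fscanf(f, "%ld", &v) != 1)
            v = -1;
        fclose(f);
    }
    return v;
}

/* The layout trick on its own: plant into ordinary memory and call through it
 * exactly as the kernel path would. Always returns 0x1337. */
static long call_through_planted_ops(void) {
    static struct file_ops slot;
    struct device dev = { .ops = &slot };
    plant_fake_ops(&slot);
    return kernel_dispatch(&dev, 0);
}

/* The full chain. Returns 0x1337 if the kernel path ran user_payload, or 0
 * if the zero-page mapping was refused (the mitigation held). */
static long run_ret2usr(void) {
    struct device dev = { .ops = NULL };                 /* the NULL pointer bug */
    struct file_ops *volatile zero = (struct file_ops *)0; /* volatile: launder NULL */
    int err = map_zero_page();
    if (err) {
        printf("mmap(0) refused: %s (vm.mmap_min_addr = %ld); "
               "NULL-deref ret2usr is blocked here\n",
               strerror(err), read_mmap_min_addr());
        return 0;
    }
    plant_fake_ops(zero);                /* fake ops now lives at address 0 */
    long r = kernel_dispatch(&dev, 0);   /* NULL->ioctl == user_payload */
    munmap((void *)zero, PAGE);
    return r;
}

int main(void) {
    printf("layout check: 0x%lx\n", call_through_planted_ops());
    if (run_ret2usr() == 0x1337)
        puts("kernel path returned 0x1337: ring-0 control flow reached user code");
    return 0;
}
```

The interesting line is the one in kernel_dispatch: nothing there is wrong by the rules of C, and nothing in hardware stops a supervisor-mode fetch from the zero page on a pre-SMEP CPU. The only thing standing between the bug and a privilege escalation is whether the kernel let user space map that page, which is why the vm.mmap_min_addr value is worth checking on any box you are hardening.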

Example Exploit
- Let's look at the step-by-step vuln in the paper...
- Discussion: turtles all the way down?

SMEP
- Supervisor Mode Execution Prevention (Intel; enabled by the kernel via CR4.SMEP)
- Prevents instruction fetch from a user-mode code page while executing at CPL=0
- Note: does not prevent the kernel from reading or writing user pages; that is SMAP (Supervisor Mode Access Prevention), a separate, later feature
- A violation does not raise a #GP but a #PF (a supervisor-mode instruction fetch on a present user page)
- Bypass: stay in kernel code by using kernel-mode ROP, chaining gadgets in kernel text (for instance to clear CR4.SMEP before jumping to user memory)
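Two checks a practitioner wants around this slide, as an added example (not code from the lecture): a decoder that recognises the #PF signature SMEP produces when a ret2usr attempt hits it, so that a kernel oops can be triaged, and a whole-word scan of the /proc/cpuinfo flags line for smep and smap. The error-code bit layout is the x86 one; the user/kernel boundary constant assumes x86-64 Linux with 4-level paging (user addresses below 0x00007fffffffffff) and is an assumption. The flags line only shows hardware support; the kernel still has to set CR4.SMEP, which the Linux boot parameter nosmep can prevent.

```c
/* smep_triage.c: decode a #PF error code for the SMEP signature and scan
 * /proc/cpuinfo for smep/smap. Added example, not from the lecture.
 * USER_ADDR_MAX assumes x86-64 Linux with 4-level paging. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* x86 #PF error-code bits (Intel SDM vol. 3, Interrupt 14) */
#define PF_PROT  0x01u  /* 1: protection violation on a present page; 0: not-present page */
#define PF_WRITE 0x02u  /* 1: write access; 0: read */
#define PF_USER  0x04u  /* 1: fault while CPL=3; 0: CPL=0 (supervisor) */
#define PF_RSVD  0x08u  /* reserved bit set in a paging structure */
#define PF_INSTR 0x10u  /* 1: instruction fetch (NX/SMEP); 0: data access */

#define USER_ADDR_MAX 0x00007fffffffffffULL  /* assumption: 47-bit user space */

/* SMEP signature: supervisor-mode instruction fetch from a present page in
 * the user half of the address space. The same bits on a kernel address are
 * an ordinary NX violation; a not-present fault is just an unmapped page. */
static int is_smep_violation(uint32_t error_code, uint64_t fault_addr) {
    int supervisor = !(error_code & PF_USER);
    int ifetch     = (error_code & PF_INSTR) != 0;
    int present    = (error_code & PF_PROT) != 0;
    return supervisor && ifetch && present && fault_addr <= USER_ADDR_MAX;
}

/* One-line classification of an oops's #PF for a report. */
static const char *describe_pf(uint32_t error_code, uint64_t fault_addr) {
    if (is_smep_violation(error_code, fault_addr))
        return "SMEP: kernel tried to execute a user page (ret2usr attempt blocked)";
    if (!(error_code & PF_PROT))
        return "not-present page (classic NULL/unmapped dereference)";
    if (error_code & PF_INSTR)
        return "NX violation on a kernel address";
    return (error_code & PF_WRITE) ? "write protection violation"
                                   : "read protection violation";
}

/* Does the flags line contain FLAG as a whole word? Whole-word matching
 * matters: "smep" must not match inside some other flag name. */
static int cpuinfo_has_flag(const char *flags_line, const char *flag) {
    size_t n = strlen(flag);
    const char *p = flags_line;
    while ((p = strstr(p, flag)) != NULL) {
        int at_start = (p == flags_line) || p[-1] == ' ' || p[-1] == '\t';
        int at_end   = p[n] == '\0' || p[n] == ' ' || p[n] == '\n' || p[n] == '\t';
        if (at_start && at_end)
            return 1;
        p += n;
    }
    return 0;
}

/* Reads this machine's "flags" line; returns 0 if /proc/cpuinfo is unavailable. */
static int read_cpuinfo_flags(char *buf, size_t len) {
    FILE *f = fopen("/proc/cpuinfo", "r");
    if (!f)
        return 0;
    int found = 0;
    while (fgets(buf, (int)len, f)) {
        if (strncmp(buf, "flags", 5) == 0) { found = 1; break; }
    }
    fclose(f);
    return found;
}

int main(void) {
    /* Constructed oops values: a supervisor instruction fetch from a present
     * page at a user address (error_code 0x11) versus a NULL data read (0x00). */
    puts(describe_pf(0x11, 0x0000000000400000ULL));
    puts(describe_pf(0x00, 0x0000000000000008ULL));

    char flags[4096];
    if (read_cpuinfo_flags(flags, sizeof flags))
        printf("CPU reports smep: %s, smap: %s\n",
               cpuinfo_has_flag(flags, "smep") ? "yes" : "no",
               cpuinfo_has_flag(flags, "smap") ? "yes" : "no");
    return 0;
}
```

When reading a real oops, the error code is the value the kernel prints after "error_code(...)" and the fault address is the one in CR2; a decode of 0x11 on a user address is what a blocked ret2usr looks like, while the same fetch against a kernel address points at a different bug entirely.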

Questions & Comments
- What do you want to know?