Efficient Protection of Kernel Data Structures via Object Partitioning Abhinav Srivastava, Jonathon Giffin AT&T Labs-Research, HP Fortify ACSAC 2012.


Outline
- Introduction
- Related Work
- Sentry System
- Implementation
- Evaluation
- Conclusion

Introduction
- Kernel-level malware often uses DKOM (Direct Kernel Object Manipulation) to hide a process by removing it from the kernel's process accounting list.
- It may also escalate a process's privileges by overwriting the process's credentials with those of a root or administrative user.
- We present a system called Sentry that creates access control protections for security-critical kernel data.

Related Work
- Petroni et al. detect processes that are reachable from the scheduler but absent from the process accounting list.
  - Cannot detect hidden kernel modules: the list of loaded modules does not offer multiple views to cross-check.
- XFI and BGI guard write instructions subject to access control policy constraints.
  - Require all kernel drivers and modules to use the system.
  - Low performance.

Sentry System
- Page-level granularity: use the hardware's page read/write protection to enforce the access control policy.
- Partitioning: separate kernel data structures into regions that have different access control policies.
- Based on a VM: the hypervisor gets full control over hardware page-fault handling and memory management.

Sentry System

Page-level Granularity
- Old methods
  - Policy checking meant checking every possible write operation to kernel data -> slow performance
  - Protecting a single security-critical member requires protecting the whole page -> poor memory utilization
- Sentry uses structure partitioning and page write protection to apply access control policies.

Page-level Granularity (Cont.)
- How does page write protection protect the data? Simply use the write flag in the page data structure.
- If someone tries to write to a protected page, a page fault occurs and the function sh_page_fault in the Xen hypervisor is called to handle the event.
- Sentry changes the handling function to add a policy check:
  - If the write is valid, the page fault is ignored and the write operation is performed.
  - If the write is invalid, the write operation is denied.

Partitioning
- Structures such as task_struct and module contain a mix of security-critical and non-critical fields.
- Structure Division
- Structure Alignment

Partitioning - Structure Division
- Split the original Obj by creating a new data structure insecure_Obj that contains the non-critical fields.

Before (struct task_struct):
  uid_t uid, euid, suid
  gid_t gid, egid, sgid
  u64 acct_rss_mem1
  u64 acct_vm_mem1
  struct list_head tasks
  void *journal_info
  unsigned long personality
  struct audit_context *audit_context
  char comm[16]
  ...

After:
  struct task_struct                  struct insecure_task_struct
    uid_t uid, euid, suid               u64 acct_rss_mem1
    gid_t gid, egid, sgid               u64 acct_vm_mem1
    struct list_head tasks              void *journal_info
    char comm[16]                       unsigned long personality
    insecure_task_struct *insecure      struct audit_context *audit_context

Partitioning - Structure Alignment
- Add a buffer to the original Obj to separate the security-critical members from the non-critical members.
- This can be done with compiler options that insert or remove the alignment buffer.

Before (struct module):
  enum module_state state
  struct list_head list
  char name[MODULE_NAME_LEN]
  const char *version
  const char *srcversion
  ...

After (struct module):
  enum module_state state
  struct list_head list
  char name[MODULE_NAME_LEN]
  const char *version
  const char *srcversion
  ...
  char buffer[BIG_SPACE]        (figure marks the Page Size boundary)

Policy
A valid write operation can be performed by:
- Trusted core kernel: core kernel code from symbol _text to _etext, and kernel boot code from symbol __init_begin to __init_end.
- Trusted upgraders: alterations reachable from most exported kernel functions, such as the API provided by the kernel.

Page Creation & Registration
- When a new instance of a protected structure is created, Obj and insecure_Obj are placed in separate page frames, and page write protection is added to the page containing Obj.
- The page frame number (PFN) is then sent to the Sentry system using VMCALL, a method for passing data to the hypervisor, to tell it which page frame needs mediation.

Implementation
- Uses Linux 2.6 and the Xen hypervisor.
- Changes task_struct and the module structure using division and alignment respectively.
- Changes the Linux source code wherever those structures are used to the correct variable: current->journal_info -> current->insecure->journal_info
- Alters 0.036% (2536/ ) SLOC (source lines of code) in Linux 2.6.
- This can be done with source-to-source transformation techniques, such as those provided by CIL.

Implementation (Cont.)
- Structure Division
  - Applied to the task_struct structure only.
  - Categorized 28 of 122 members as critical.
  - Changed the structure allocation function from kmem_cache_alloc to get_free_pages and kmalloc.
- Structure Alignment
  - Applied to the module structure only.
  - Categorized 2 of 29 members as critical.
  - Requires only a recompilation of the kernel.

Implementation (Cont.)
- APIs to communicate with the hypervisor: addPFNtoDB, removePFNfromDB, checkPFNinDB
- Modify __sh_propagate to make a shadow of the guest operating system's memory for the monitor.
- Sentry checks a write operation's validity from the eip register when sh_page_fault is called, and traverses the stack frames using ebp to obtain the full call trace.
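As an added example (not the paper's or Sentry's code), the C sketch below models the structure division from the Partitioning slide together with the policy check the Policy and Implementation slides describe: credential fields stay in task_struct, non-critical fields move behind the insecure pointer, and a write is allowed only when the faulting eip or a return address on the ebp-walked call trace falls in a trusted range such as [_text, _etext). The address values, the in_trusted helper and set_uid_mediated are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
/* Added example, not the paper's code: models Sentry's structure division and the
 * policy check run from the modified page-fault handler. Critical members stay in
 * task_struct; non-critical ones move behind the insecure pointer so the two can
 * live on separate page frames. Addresses and helper names are constructed. */
struct insecure_task_struct {
    void *journal_info;
    unsigned long personality;
};

struct task_struct {
    uint32_t uid, euid, suid;               /* critical: credentials */
    uint32_t gid, egid, sgid;
    char comm[16];                          /* critical: process name */
    struct insecure_task_struct *insecure;  /* non-critical fields live elsewhere */
};

/* A trusted code range, e.g. core kernel text [_text, _etext). */
struct text_range { uintptr_t start, end; };

static int in_trusted(uintptr_t pc, const struct text_range *tr, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (pc >= tr[i].start && pc < tr[i].end)
            return 1;
    return 0;
}

/* Policy decision for a write that faulted on a protected page. trace[0] is the
 * faulting eip, trace[1..] the return addresses recovered by walking ebp. Valid if
 * the writer is trusted core kernel code or is reached from a trusted upgrader. */
int sentry_write_allowed(const uintptr_t *trace, size_t depth,
                         const struct text_range *trusted, size_t n)
{
    for (size_t i = 0; i < depth; i++)
        if (in_trusted(trace[i], trusted, n))
            return 1;
    return 0;
}

/* Mediated credential write: performed only when the policy allows it. */
int set_uid_mediated(struct task_struct *t, uint32_t new_uid, const uintptr_t *trace,
                     size_t depth, const struct text_range *trusted, size_t n)
{
    if (!sentry_write_allowed(trace, depth, trusted, n))
        return -1;                          /* denied: credentials unchanged */
    t->uid = t->euid = t->suid = new_uid;
    return 0;
}
```

A direct credential overwrite from untrusted module code is refused while the same change issued by core kernel code, or through an exported kernel API, goes through.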

Evaluation
- Attack Prevention and Detection

Evaluation (Cont.)
- Performance on loading and unloading modules
  - Normal: no kernel memory protection
  - Protected: protection without partitioning
  - Sentry: both memory protection and partitioning

Evaluation (Cont.)
- Performance on file system read/write
- Memory page utilization: a partitioned kernel used 6502 pages compared to 6302 pages used by the unpartitioned kernel.

Evaluation (Cont.)
- Performance on real-world jobs
- Performance on the process data structure (1000 µs = 1 ms)

Evaluation (Cont.)
- False Positive Analysis
  - Benign modules don't directly modify security-critical kernel data; they use the exported APIs provided by the kernel.
  - For example, benign modules don't directly modify run_list but use enqueue_task and dequeue_task to modify this member; those functions are valid APIs, so the modules still work fine.
  - Our system did not show any false positives and detected all attacks.

Conclusion
- We create protected memory regions within the unified kernel data space.
- We show how to optimize the kernel memory layout for the protection constraints created by our system.
- We design and develop a system, Sentry, that is capable of protecting both statically and dynamically allocated data structures.