KGuard: Lightweight Kernel Protection against Return-to-User Attacks Authors: Vasileios P. Kemerlis Georgios Portokalidis Angelos D. Keromytis Presenter:

Slides:



Advertisements
Similar presentations
ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.
Advertisements

More on Processes Chapter 3. Process image _the physical representation of a process in the OS _an address space consisting of code, data and stack segments.
Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
Chapter 9 TRAP Routines and Subroutines. Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 9-2 Subroutines.
Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.
Practical Timing Side Channel Attacks Against Kernel Space ASLR
Review: Software Security David Brumley Carnegie Mellon University.
Chapter 6 Limited Direct Execution
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
Nozzle: A Defense Against Heap-spraying Code Injection Attacks Paruj Ratanaworabhan, Cornell University Ben Livshits and Ben Zorn, Microsoft Research (Redmond,
S. Barua – CPSC 240 CHAPTER 9 TRAP ROUTINES AND SUBROUTINES The TRAP mechanism allows the user program.
@ NCSU Zhi NCSU Xuxian Microsoft Research Weidong Microsoft NCSU Peng NCSU ACM CCS’09.
1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)
Chapter 6 - Implementing Processes, Threads and Resources Kris Hansen Shelby Davis Jeffery Brass 3/7/05 & 3/9/05 Kris Hansen Shelby Davis Jeffery Brass.
1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.
Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar Stony Brook.
Address Space Layout Permutation
G53SEC 1 Reference Monitors Enforcement of Access Control.
Operating System Support for Virtual Machines Samuel T. King, George W. Dunlap,Peter M.Chen Presented By, Rajesh 1 References [1] Virtual Machines: Supporting.
Three fundamental concepts in computer security: Reference Monitors: An access control concept that refers to an abstract machine that mediates all accesses.
Recall: Three I/O Methods Synchronous: Wait for I/O operation to complete. Asynchronous: Post I/O request and switch to other work. DMA (Direct Memory.
Vasileios P. Kemerlis, Georgios Portokalidis, Angelos D. Keromytis Network Security Lab, Department of Computer Science, Columbia University, USA 21 st.
Mitigation of Buffer Overflow Attacks
Countering Kernel Rootkits with Lightweight Hook Protection Presented by: Hector M Lugo-Cordero, MS CAP 6135 March 24, 2011.
Branch Regulation: Low-Overhead Protection from Code Reuse Attacks.
Copyright © George Coulouris, Jean Dollimore, Tim Kindberg This material is made available for private study and for direct.
1 CSE 451 Section 2: Interrupts, Syscalls, Virtual Machines, and Project 1.
Exploitation possibilities of memory related vulnerabilities
Midterm Meeting Pete Bohman, Adam Kunk, Erik Shaw.
Buffer Overflow Attack Proofing of Code Binary Gopal Gupta, Parag Doshi, R. Reghuramalingam, Doug Harris The University of Texas at Dallas.
We will focus on operating system concepts What does it do? How is it implemented? Apply to Windows, Linux, Unix, Solaris, Mac OS X. Will discuss differences.
Operating Systems Security
Operating Systems Engineering Based on MIT (2012, lec3) Recitation 2: OS Organization.
Efficient Software Based Fault Isolation Author: Robert Wahobe,Steven Lucco,Thomas E Anderson, Susan L Graham Presenter: Maitree kanungo Date:02/17/2010.
Information Leaks Without Memory Disclosures: Remote Side Channel Attacks on Diversified Code Jeff Seibert, Hamed Okhravi, and Eric Söderström Presented.
On the Effectiveness of Address-Space Randomization Hovav Shacham, Matthew Page, Ben Pfaff, Eu-Jin Goh, Nagendra Modadugu, Dan Boneh.
Efficient software-based fault isolation Robert Wahbe, Steven Lucco, Thomas Anderson & Susan Graham Presented by: Stelian Coros.
Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software Paper by: James Newsome and Dawn Song.
A Survey on Runtime Smashed Stack Detection 坂井研究室 M 豊島隆志.
Group 9. Exploiting Software The exploitation of software is one of the main ways that a users computer can be broken into. It involves exploiting the.
Security Attacks Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
Lecture 5 Rootkits Hoglund/Butler (Chapters 1-3).
VM: Chapter 7 Buffer Overflows. csci5233 computer security & integrity (VM: Ch. 7) 2 Outline Impact of buffer overflows What is a buffer overflow? Types.
Beyond Stack Smashing: Recent Advances In Exploiting Buffer Overruns Jonathan Pincus and Brandon Baker Microsoft Researchers IEEE Security and.
7-Nov Fall 2001: copyright ©T. Pearce, D. Hutchinson, L. Marshall Oct lecture23-24-hll-interrupts 1 High Level Language vs. Assembly.
Of Privilege, Traps, Interrupts & Exceptions Prof. Sirer CS 316 Cornell University.
Memory Protection through Dynamic Access Control Kun Zhang, Tao Zhang and Santosh Pande College of Computing Georgia Institute of Technology.
Mitigation against Buffer Overflow Attacks
Remix: On-demand Live Randomization
Efficient Software-Based Fault Isolation
Kernel Code Coverage Nilofer Motiwala Computer Sciences Department
Introduction to Operating Systems
Memory Protection: Kernel and User Address Spaces
Protection and OS Structure
EnGarde: Mutually Trusted Inspection of SGX Enclaves
Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR
Practical Rootkit Detection with RAI
Introduction to Operating Systems
Memory Protection: Kernel and User Address Spaces
Memory Protection: Kernel and User Address Spaces
CS 465 Buffer Overflow Slides by Kent Seamons and Tim van der Horst
Lecture Topics: 11/1 General Operating System Concepts Processes
Hiding Malware Rootkits
Following Malware Execution in IDA
Understanding and Preventing Buffer Overflow Attacks in Unix
Memory Protection: Kernel and User Address Spaces
Format String Vulnerability
Return-to-libc Attacks
Presentation transcript:

kGuard: Lightweight Kernel Protection against Return-to-User Attacks Authors: Vasileios P. Kemerlis Georgios Portokalidis Angelos D. Keromytis Presenter: Behnaz Hassanshahi

Problem Statement Kernel exploitation Kernel-level memory corruption Traditionally: Code injection – (Code Reuse)ROP Recently: Run user land code (ret2user attacks)

Return to User Attacks The root problem stems from the weak separation of user and kernel spaces. – Shared process/kernel model for Performance benefits – Kernel code can do anything in user land, so if it is abused, attacker can force it to run the shell code in user space. – Over-writing kernel-level control data(e.g., return addresses, jump tables, function pointers) with user space addresses.

Return to User Attacks Example: exploiting a NULL pointer dereference error to launch a ret2user attack Vulnerable program

Return to User Attacks 1.malicious process invokes “sendfile” system call with offending arguments 2.libc wrapper traps to the OS via “sysenter” 3.system call handler of Linux (sysenter_do_call()) is executed which resolves the kernel address of sys-sendfile 4.Privileged execution continues until sock_sendpage() is invoked 5.the value of sendpage pointer is NULL 6.control is transferred to address 0 7.malicious process has mmapped page 0 and dropped a function pointer of his own at address 0, the kernel will call that function pointer in kernel mode

Existing Defense Mechanisms CFI and Program Shepherding PAX Mmap_min_addr Intel SMEP – Doesn`t prevent kernel from accessing user “data”

kGuard Inline monitoring and code diversification – Adding “Control Flow Assertions” at compile time before every indirect control transfer E.g., call, jmp and ret in x86 CFA R : compares the branch target with lower kernel address 0xC00000 CFA m : – Branch target is within the kernel address space – Memory address where the branch target is loaded from is also in kernel space

kGuard Example CFA guard

Bypassing kGuard Bypass trampolines 1. Find two computed branch instructions whose operands can be reliably overwritten 2. Overwrite the value (branch target) of the first with the address of the second 3. Overwrite the value of the second with a user-space address 4. Solution: Code inflation and CFA motion

Code Inflation Reshapes the Kernel text at at compile time

CFA Motion Relocation of protected branches at boot time

Implementation The implementation consists of a plugin for GCC. At RTL level, after most of the important optimizations

Effectiveness on Privilege Escalation Attacks

Performance Evaluation

Performance Evaluation – latency overhead and code diversification

Conclusion and Discussion In near future all memory regions will be randomized Randomization of the address at which kernel is loaded Intel SMEP vs kGuard – Performance – Side channel attacks

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.