1 A Secure Access Control Mechanism against Internet Crackers Kenichi Kourai* Shigeru Chiba** *University of Tokyo **University of Tsukuba.

Slides:



Advertisements
Similar presentations
More on Processes Chapter 3. Process image _the physical representation of a process in the OS _an address space consisting of code, data and stack segments.
Advertisements

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
The Kernel Abstraction. Challenge: Protection How do we execute code with restricted privileges? – Either because the code is buggy or if it might be.
Kenichi Kourai (Kyushu Institute of Technology) Takeshi Azumi (Tokyo Institute of Technology) Shigeru Chiba (Tokyo University) A Self-protection Mechanism.
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.
Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.
Architectural Support for OS March 29, 2000 Instructor: Gary Kimura Slides courtesy of Hank Levy.
Precept 3 COS 461. Concurrency is Useful Multi Processor/Core Multiple Inputs Don’t wait on slow devices.
Page 1 Processes and Threads Chapter Processes 2.2 Threads 2.3 Interprocess communication 2.4 Classical IPC problems 2.5 Scheduling.
Scheduler Activations Effective Kernel Support for the User-Level Management of Parallelism.
3.5 Interprocess Communication
Advanced OS Chapter 3p2 Sections 3.4 / 3.5. Interrupts These enable software to respond to signals from hardware. The set of instructions to be executed.
1 Last Class: Introduction Operating system = interface between user & architecture Importance of OS OS history: Change is only constant User-level Applications.
Using Two Queues. Using Multiple Queues Suspended Processes Processor is faster than I/O so all processes could be waiting for I/O Processor is faster.
Fast and Correct Performance Recovery of Operating Systems Using a Virtual Machine Monitor Kenichi Kourai Kyushu Institute of Technology, Japan.
Processes in Unix, Linux, and Windows CS-502 Fall Processes in Unix, Linux, and Windows CS502 Operating Systems (Slides include materials from Operating.
1 OS & Computer Architecture Modern OS Functionality (brief review) Architecture Basics Hardware Support for OS Features.
Stack Management Each process/thread has two stacks  Kernel stack  User stack Stack pointer changes when exiting/entering the kernel Q: Why is this necessary?
Protection and the Kernel: Mode, Space, and Context.
HyperSpector: Virtual Distributed Monitoring Environments for Secure Intrusion Detection Kenichi Kourai Shigeru Chiba Tokyo Institute of Technology.
Chapter 3 Process Description and Control Operating Systems: Internals and Design Principles, 6/E William Stallings Patricia Roy Manatee Community College,
Computer Security and Penetration Testing
Three fundamental concepts in computer security: Reference Monitors: An access control concept that refers to an abstract machine that mediates all accesses.
CS 153 Design of Operating Systems Spring 2015 Lecture 17: Paging.
Chapter 3 Process Description and Control
CS533 - Concepts of Operating Systems Virtual Memory Primitives for User Programs Presentation by David Florey.
Mitigation of Buffer Overflow Attacks
Silberschatz, Galvin and Gagne  2002 Modified for CSCI 399, Royden, Operating System Concepts Operating Systems Lecture 6 System Calls OS System.
The Structure of Processes (Chap 6 in the book “The Design of the UNIX Operating System”)
Lecture 3 Process Concepts. What is a Process? A process is the dynamic execution context of an executing program. Several processes may run concurrently,
Detecting Targeted Attacks Using Shadow Honeypots Authors: K.G. Anagnostakis, S. Sidiroglou, P. Akritidis, K. Xinidis, E. Markatos, A.D. Keromytis Published:
Hardware process When the computer is powered up, it begins to execute fetch-execute cycle for the program that is stored in memory at the boot strap entry.
CE Operating Systems Lecture 3 Overview of OS functions and structure.
Chapter 4 Memory Management Virtual Memory.
G53SEC 1 Reference Monitors Enforcement of Access Control.
Operating System Support for Easy Development of Distributed File Systems Kenichi Kourai* Shigeru Chiba** Takashi Masuda* *University of Tokyo **University.
Silberschatz, Galvin and Gagne ©2013 Operating System Concepts – 9 th Edition Chapter 9: Virtual Memory.
Interrupt driven I/O. MIPS RISC Exception Mechanism The processor operates in The processor operates in user mode user mode kernel mode kernel mode Access.
Buffer Overflow Attack Proofing of Code Binary Gopal Gupta, Parag Doshi, R. Reghuramalingam, Doug Harris The University of Texas at Dallas.
Operating Systems 1 K. Salah Module 1.2: Fundamental Concepts Interrupts System Calls.
Operating Systems CSE 411 CPU Management Sept Lecture 10 Instructor: Bhuvan Urgaonkar.
Department of Computer Science and Software Engineering
Processes and Virtual Memory
Buffer overflow and stack smashing attacks Principles of application software security.
Hardware process When the computer is powered up, it begins to execute fetch-execute cycle for the program that is stored in memory at the boot strap entry.
Threads. Readings r Silberschatz et al : Chapter 4.
Interrupt driven I/O Computer Organization and Assembly Language: Module 12.
Group 9. Exploiting Software The exploitation of software is one of the main ways that a users computer can be broken into. It involves exploiting the.
Interrupts and Exception Handling. Execution We are quite aware of the Fetch, Execute process of the control unit of the CPU –Fetch and instruction as.
1 Chapter 5: Threads Overview Multithreading Models & Issues Read Chapter 5 pages
Memory Protection: Kernel and User Address Spaces Andy Wang Operating Systems COP 4610 / CGS 5765.
Mitigation against Buffer Overflow Attacks
Introduction to Operating Systems
Protecting Memory What is there to protect in memory?
Processes and threads.
Memory Protection: Kernel and User Address Spaces
Protecting Memory What is there to protect in memory?
Protecting Memory What is there to protect in memory?
Chapter 1: Introduction
Threads & multithreading
Memory Protection: Kernel and User Address Spaces
Introduction to Operating Systems
Memory Protection: Kernel and User Address Spaces
Memory Protection: Kernel and User Address Spaces
Light-weight Contexts: An OS Abstraction for Safety and Performance
Architectural Support for OS
Architectural Support for OS
Chapter 4: Threads.
CS703 – Advanced Operating Systems
Memory Protection: Kernel and User Address Spaces
Presentation transcript:

1 A Secure Access Control Mechanism against Internet Crackers Kenichi Kourai* Shigeru Chiba** *University of Tokyo **University of Tsukuba

2 Server Hijacks by Crackers Internet servers are often “hijacked.” e.g. buffer overflow attacks A cracker sends malicious code into a server as the input and then can take the full control of the server. Preventing all types of attacks is difficult. Most attacks are caused by programming or design errors.  These errors are left in many programs. Only a part of attacks are detected by StackGuard, safe languages, etc. Internet server firewall malicious code hijack!

3 The Compacto Operating System Access restrictions can protect servers from attacks. We have developed the Compacto operating system (OS), which provides: Fine-grained access control at the system call level  Issues of system calls are limited by the type or arguments. Access control with user/group ID ( setuid / setgid ) Limited access to directories ( chroot ) Compacto can impose access restrictions on a various range. Application (some processes) Process Code fragment in a process

4 Danger of Removing Access Restrictions Servers need different access restrictions for each request. It is necessary to impose/remove access restrictions. Removing access restrictions is dangerous. Crackers can gain higher privileges after removing access restrictions from hijacked servers. But, detecting whether a server is hijacked or not is difficult. server Interne t User A User B request

5 Traditional Approach: “Spawn” Spawns a new child process for every request and gives it different access restrictions. The child process just terminates after handling a request. Removing access restrictions is not necessary. Drawbacks Slow Too many processes are spawned. Not compatible with the process pool technique Today’s servers often use a process pool for efficiency.

6 Our Approach: Process Cleaning Allows a process to remove access restrictions. But, the process image is cleaned up back to the image stored by checkpointing. Process cleaning achieves the same security as the “Spawn” approach. Benefits Faster than the “Spawn” approach Compatible with the process pool technique current process image stored image (snapshot) overwrite new process image

7 Save_state System Call Save_state takes a snapshot of a process at a safe point. Where is considered as a safe point? Before a server communicates with any clients. The snapshot includes the whole state of a process. registers, a memory image, signal handlers, open/close status of files/sockets, etc. The snapshot cannot be compromised. Because it is saved in the kernel address space. pc, sp,… stack, heap … process imagesnapshot image pc, sp,… stack, heap … save

8 Restore_state System Call Restore_state restores a safe state of a process saved by save_state. Restoring an instruction pointer Recovers the thread of control Restoring the whole memory image Eliminates malicious code from the memory After restoration, Compacto removes access restrictions from the process. pc’, sp’,… stack’, heap’ … process imagesnapshot image pc, sp,… stack, heap … restore

9 How to Use Process Cleaning Request-handling code in typical servers on Compacto looks like the following: save_state(); accept(); if (source == Internet) impose strong access restrictions else if (source == Intranet) impose weak access restrictions handle a request restore_state(); save_state(); accept(); if (source == Internet) impose strong access restrictions else if (source == Intranet) impose weak access restrictions handle a request restore_state(); process cleaning & removing access restrictions

10 Implementation Saving/restoring a memory image become a performance bottleneck. Naïve implementation is slow. Our implementation techniques Efficient save of a memory image Compacto saves only modified pages by copy-on-write. Selectable strategy for restoring memory Compacto allows users to select the restoration strategy according to the behavior of a server.

11 Page Save by Copy-on-Write Compacto allocates a shadow page at a page fault. All writable pages are write-protected in the save_state system call. The contents of an original page are copied to the shadow page. The shadow page is modified and the original page is left unmodified. kernel move shadow page original page address space page fault map

12 Remap/copy Strategies Remap strategy Discards a shadow page and moves the original page back Restores memory fast but may cause extra page faults Copy strategy Copies the contents of an original page back to the shadow page May reduce page faults but may cause extra page copies move original page discard shadow page copy original page shadow page

13 Experiment We measured the performance of the Apache web server for 4 types of server constructs. Environments Server: PentiumIII 933MHz, Compacto OS Clients: Celeron 300MHz, FreeBSD 3.4 WebStone benchmark

14 Experimental Results Process cleaning is 40% faster than the “Spawn” approach. The overhead of process cleaning is low - 40%. The copy strategy is 8% faster than the remap strategy.

15 Concluding Remarks We proposed process cleaning. It prevents hijacked servers from illegally removing access restrictions. It achieves the same security as the traditional “Spawn” approach. Process cleaning achieves great performance improvement against the “Spawn” approach. 40% faster

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.