Presentation is loading. Please wait.

Presentation is loading. Please wait.

Secure Operating Systems Lesson B: Let’s go break something.

Published byDamian Greer Modified over 9 years ago

Similar presentations

Presentation on theme: "Secure Operating Systems Lesson B: Let’s go break something."— Presentation transcript:

1 Secure Operating Systems Lesson B: Let’s go break something

2 Where are we?  We’ve looked at hardware and software, but I have failed to really show you how to break things… which does rather make the beauty of Multics harder to see  So… let’s look at some examples of OSes breaking

3 Linux: Overview  Based on Chen et al.’s “Linux kernel vulnerabilities: State-of-the-art defenses and open problems”  They looking at a year (approx) of Linux Kernel vulnerabilities and found the following…

4 Vulns  Source: Chen et al.

5 Vulns (cntd)  Source: Chen et al.

6 What about countermeasures?  Software fault isolation  Code Integrity (such as SecVisor)  User-level drivers  Memory tagging (detect misuse of untrusted inputs)  Uninitialized memory tracking

7 Semantic Vulnerabilities  Simply not protecting something that needs to be protected  Does it happen? Yes! (See CVE-2010-1641 and many many more) Much harder to detect automatically This is a hard problem!

8 Another problem: Shatter  From: “Exploiting design flaws in the Win32 API for privilege escalation. Or... Shatter Attacks – How to break Windows”  Shatter is a classic example of how things can go wrong

9 The Setup  Shatter is a local privilege escalation attack  VirusScan runs as LocalAdministrator  I run as an unprivileged user  Can I get VirusScan to execute code on my behalf?

10 How it works  First, we get a handle to the higher privileged Window – Windows provides the APIs for this  We now have access to the controls on that window programmatically  Set up the max length for our shell code, and paste it in using Windows Messages

11 WM_TIMER  Send the window a WM_TIMER message with the location of the code we want to execute (oops)  Bingo!  Let’s discuss for a minute…

12 Complicated: IA64 sysret  Okay, this one is REALLY quite complicated… let’s take a look  Following: “A Stitch In Time Saves Nine: A Case Of Multiple OS Vulnerability”  Eek!

13 AMD  From Wojtczuk:

14 Intel  From Wojtczuk:

15 Think about it…  From Wojtczuk:

16 Exploitation  DoS is easy, but code injection is a bit harder but not impossible  What’s worse, it’s hard to fix  The basic idea is how the exception gets kicked off

17 Things to Do  Read: “Linux kernel vulnerabilities: State-of- the-art defenses and open problems”

18 Questions & Comments  What do you want to know?

Download ppt "Secure Operating Systems Lesson B: Let’s go break something."

Similar presentations

Secure Operating Systems Lesson 2: OS Fundamentals.

Secure Operating Systems Lesson 2: OS Fundamentals.
Secure Operating Systems Lesson 0x12h: Return to User.

Secure Operating Systems Lesson 0x12h: Return to User.
A 100,000 Ways to Fa Al Geist Computer Science and Mathematics Division Oak Ridge National Laboratory July 9, 2002 Fast-OS Workshop Advanced Scientific.

A 100,000 Ways to Fa Al Geist Computer Science and Mathematics Division Oak Ridge National Laboratory July 9, 2002 Fast-OS Workshop Advanced Scientific.
UNIX Chapter 01 Overview of Operating Systems Mr. Mohammad A. Smirat.

UNIX Chapter 01 Overview of Operating Systems Mr. Mohammad A. Smirat.
INTRODUCTION OS/2 was initially designed to extend the capabilities of DOS by IBM and Microsoft Corporations. To create a single industry-standard operating.

INTRODUCTION OS/2 was initially designed to extend the capabilities of DOS by IBM and Microsoft Corporations. To create a single industry-standard operating.
CS 300 – Lecture 22 Intro to Computer Architecture / Assembly Language Virtual Memory.

CS 300 – Lecture 22 Intro to Computer Architecture / Assembly Language Virtual Memory.
Computer Forensics Principles and Practices by Volonino, Anzaldua, and Godwin Chapter 6: Operating Systems and Data Transmission Basics for Digital Investigations.

Computer Forensics Principles and Practices by Volonino, Anzaldua, and Godwin Chapter 6: Operating Systems and Data Transmission Basics for Digital Investigations.
1  1998 Morgan Kaufmann Publishers Chapter Seven Large and Fast: Exploiting Memory Hierarchy (Part II)

1  1998 Morgan Kaufmann Publishers Chapter Seven Large and Fast: Exploiting Memory Hierarchy (Part II)
© 2004, D. J. Foreman 2-1 Concurrency, Processes and Threads.

© 2004, D. J. Foreman 2-1 Concurrency, Processes and Threads.
Towards High-Assurance Hypervisors Jason Franklin Joint with Anupam Datta, Sagar Chaki, Ning Qu, Arvind Seshadri.

Towards High-Assurance Hypervisors Jason Franklin Joint with Anupam Datta, Sagar Chaki, Ning Qu, Arvind Seshadri.
1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.

1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.
Jiang Wang, Joint work with Angelos Stavrou and Anup Ghosh CSIS, George Mason University HyperCheck: a Hardware Assisted Integrity Monitor.

Jiang Wang, Joint work with Angelos Stavrou and Anup Ghosh CSIS, George Mason University HyperCheck: a Hardware Assisted Integrity Monitor.
Operating Systems.

Operating Systems.
Processes Part I Processes & Threads* *Referred to slides by Dr. Sanjeev Setia at George Mason University Chapter 3.

Processes Part I Processes & Threads* *Referred to slides by Dr. Sanjeev Setia at George Mason University Chapter 3.
Chapter 2 Operating System Overview Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design Principles,

Chapter 2 Operating System Overview Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design Principles,
Security in the industry H/W & S/W What is AMD’s ”enhanced virus protection” all about? What’s coming next? Presented by: Micha Moffie.

Security in the industry H/W & S/W What is AMD’s ”enhanced virus protection” all about? What’s coming next? Presented by: Micha Moffie.
Group 6 Comp 129 Chapter 4.  An operating system s a set of programs made to manage the resources of a computer.  The OS performs five basic functions:

Group 6 Comp 129 Chapter 4.  An operating system s a set of programs made to manage the resources of a computer.  The OS performs five basic functions:
Host and Application Security Lesson 4: The Win32 Boot Process.

Host and Application Security Lesson 4: The Win32 Boot Process.
Vulnerability-Specific Execution Filtering (VSEF) for Exploit Prevention on Commodity Software Authors: James Newsome, James Newsome, David Brumley, David.

Vulnerability-Specific Execution Filtering (VSEF) for Exploit Prevention on Commodity Software Authors: James Newsome, James Newsome, David Brumley, David.
Keyloggers Evan Racine-Johnson.

Keyloggers Evan Racine-Johnson.

Similar presentations

Ads by Google