
kGuard: Lightweight Kernel Protection against Return-to-user Attacks

Vasileios P. Kemerlis, Georgios Portokalidis, Angelos D. Keromytis. Network Security Lab, Department of Computer Science, Columbia University, USA. kGuard: Lightweight Kernel Protection against Return-to-user Attacks. 21st USENIX Security Symposium (August, 2012).


Presentation Transcript


  1. Vasileios P. Kemerlis, Georgios Portokalidis, Angelos D. Keromytis. Network Security Lab, Department of Computer Science, Columbia University, USA. kGuard: Lightweight Kernel Protection against Return-to-user Attacks. 21st USENIX Security Symposium (August, 2012)

  2. Outline
     • Why Return-to-user (ret2usr)?
     • Threat model
     • Protection with kGuard
     • Implementation
     • Evaluation
     • Discussion and Future Work
     A Seminar at Advanced Defense Lab

  3. Why Return-to-user (ret2usr)? [Figure; labels: Attacker; ASLR, StackGuard, etc.; Administrator Process; User Process; Privileged Machine Code; Compile-time protection; System Kernel]

  4. Another Reason
     • NULL pointer dereference errors had not received significant attention.
     • We usually see them as vulnerabilities for DoS attacks.
     • But they may be used to gain privileges.
     • CVE-2011-1888 (Windows)
     • CVE-2009-2908 (Linux)
     • CVE-2009-3527 (FreeBSD)
     • CVE-2009-2692 (Linux, Android)

  5. An example (CVE-2009-2692)
     • [link]
     • If the socket descriptor belongs to a vulnerable protocol family, the value of the sendpage pointer in line 742 is set to NULL.

  6. Previous Approaches
     • Previous approaches to the problem are either impractical for deployment in certain environments or can be easily circumvented.
     • Restricting mmap
       • Can be circumvented [link]
     • PaX
       • Platform and architecture specific
       • Performance

  7. In this paper
     • We present a lightweight solution to the problem.
     • kGuard is a compiler plugin that augments kernel code with control-flow assertions (CFAs), which ensure that privileged execution remains within its valid boundaries and does not cross to user space.

  8. Threat Model
     • We ascertain that an adversary is able to completely overwrite, partially corrupt (e.g., zero out only certain bytes), or nullify control data that are stored inside the address space of the kernel.

  9. Protection with kGuard
     • We propose a defensive mechanism that builds upon inline monitoring and code diversification.
     • kGuard is a cross-platform compiler plugin that enforces address space segregation,

  10. CFAR (transfer by register)

  11. CFAM (transfer by memory)
     • Can be skipped for optimization
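
A user-space C model of the two assertion kinds named on slides 10 and 11, added here as an illustration; it is not code from kGuard or from the presentation. The kernel base, the handler address, the `slot` structure and the two-step check in `cfa_m` are assumptions of this sketch.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumptions (not from the slides): 32-bit x86 with a 3G/1G split, so
 * kernel space starts at 0xC0000000; the handler address is constructed. */
#define KERNEL_BASE       0xC0000000u
#define VIOLATION_HANDLER 0xC0100000u

/* A simulated memory cell: where a code pointer is stored and what it holds. */
struct slot { uint32_t addr; uint32_t value; };

static unsigned violations;   /* how many branches the CFAs redirected */

/* CFAR: the branch target is in a register. Any target below the kernel
 * base is replaced by the violation handler before the branch is taken. */
uint32_t cfa_r(uint32_t target)
{
    if (target >= KERNEL_BASE)
        return target;
    violations++;
    return VIOLATION_HANDLER;
}

/* CFAM: the branch target is read from memory. First check that the cell
 * itself is in kernel space, then check the value loaded from it. */
uint32_t cfa_m(const struct slot *s)
{
    if (s->addr < KERNEL_BASE) {
        violations++;
        return VIOLATION_HANDLER;
    }
    return cfa_r(s->value);
}

unsigned cfa_violations(void) { return violations; }

int main(void)
{
    /* Constructed cases: a NULL sendpage-style pointer held in a kernel
     * structure, a valid kernel target, and a pointer cell in user space. */
    struct slot null_ptr  = { 0xC1000010u, 0x00000000u };
    struct slot good_ptr  = { 0xC1000020u, 0xC0204000u };
    struct slot user_cell = { 0x08049000u, 0xC0204000u };
    printf("%#x %#x %#x\n", (unsigned)cfa_m(&null_ptr),
           (unsigned)cfa_m(&good_ptr), (unsigned)cfa_m(&user_cell));
    return 0;
}
```

The NULL case corresponds to the sendpage situation on slide 5: the pointer value 0 lies below the kernel base, so the guarded branch lands in the handler instead of at address 0.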

  12. Bypass Trampolines
     • Like return-oriented programming
     • It is possible to find an embedded opcode sequence that translates directly to a control branch in user space.

  13. Code Diversification Against Bypasses
     • Code inflation
     • Randomizing the starting address of the text segment
     • Inserting NOP sleds of random length at the beginning of each CFA

  14. Code Diversification Against Bypasses (cont.)
     • CFA motion

  15. Implementation
     • GCC 4.51

  16. Evaluation
     • Our testbed consisted of a single host, equipped with two 2.66GHz quad-core Intel Xeon X5500 CPUs and 24GB of RAM, running Debian Linux v6 (“squeeze” with kernel v2.6.32).
     • NOP sled before CFA: 0 ~ 20

  17. Preventing Real Attacks

  18. Translation Overhead
     • Kernel image size increased
       • X86: 3.5%
       • X86-64: 5.6%

  19. Performance Overhead
     • Macro benchmarks
       • Building a vanilla Linux kernel
       • MySQL v5.1.49
         • Its own benchmark suite (sql-bench)
       • Apache v2.2.16
         • Its utility ab and static HTML files

  20. Macro Benchmark Result

  21. Micro Benchmarks

  22. Discussion and Future Work
     • Custom violation handlers
     • Persistent threats
     • CFA motion at runtime

  23. Q & A
