Results 1 - 10
of
17
Sok: Eternal war in memory.
- In IEEE Symposium on Security and Privacy,
, 2013
"... Abstract-Memory corruption bugs in software written in low-level languages like C or C++ are one of the oldest problems in computer security. The lack of safety in these languages allows attackers to alter the program's behavior or take full control over it by hijacking its control flow. This ..."
Abstract
-
Cited by 40 (2 self)
- Add to MetaCart
(Show Context)
Abstract-Memory corruption bugs in software written in low-level languages like C or C++ are one of the oldest problems in computer security. The lack of safety in these languages allows attackers to alter the program's behavior or take full control over it by hijacking its control flow. This problem has existed for more than 30 years and a vast number of potential solutions have been proposed, yet memory corruption attacks continue to pose a serious threat. Real world exploits show that all currently deployed protections can be defeated. This paper sheds light on the primary reasons for this by describing attacks that succeed on today's systems. We systematize the current knowledge about various protection techniques by setting up a general model for memory corruption attacks. Using this model we show what policies can stop which attacks. The model identifies weaknesses of currently deployed techniques, as well as other proposed protections enforcing stricter policies. We analyze the reasons why protection mechanisms implementing stricter polices are not deployed. To achieve wide adoption, protection mechanisms must support a multitude of features and must satisfy a host of requirements. Especially important is performance, as experience shows that only solutions whose overhead is in reasonable bounds get deployed. A comparison of different enforceable policies helps designers of new protection mechanisms in finding the balance between effectiveness (security) and efficiency. We identify some open research problems, and provide suggestions on improving the adoption of newer techniques.
KCoFI: Complete control-flow integrity for commodity operating system kernels
- IEEE S&P
, 2014
"... We present a new system, KCoFI, that is the first we know of to provide complete Control-Flow Integrity protection for commodity operating systems without using heavyweight complete memory safety. Unlike previous systems, KCoFI protects commodity operating systems from classical control-flow hijack ..."
Abstract
-
Cited by 14 (1 self)
- Add to MetaCart
(Show Context)
We present a new system, KCoFI, that is the first we know of to provide complete Control-Flow Integrity protection for commodity operating systems without using heavyweight complete memory safety. Unlike previous systems, KCoFI protects commodity operating systems from classical control-flow hijack attacks, return-to-user attacks, and code segment modification attacks. We formally verify a subset of KCoFI’s design by modeling several features in small-step semantics and providing a partial proof that the semantics maintain control-flow integrity. The model and proof account for oper-ations such as page table management, trap handlers, context switching, and signal delivery. Our evaluation shows that KCoFI prevents all the gadgets found by an open-source Return Oriented Programming (ROP) gadget-finding tool in the FreeBSD kernel from being used; it also reduces the number of indirect control-flow targets by 98.18%. Our evaluation also shows that the performance impact of KCoFI on web server bandwidth is negligible while file transfer bandwidth using OpenSSH is reduced by an average of 13%, and at worst 27%, across a wide range of file sizes. PostMark, an extremely file-system intensive benchmark, shows 2x overhead. Where comparable numbers are available, the overheads of KCoFI are far lower than heavyweight memory-safety techniques. I.
Profile-guided Automated Software Diversity
"... Code-reuse attacks are notoriously hard to defeat, and most current solutions to the problem focus on automated software diversity. This is a promising area of research, as diversity attacks the common denominator enabling code-reuse attacks—the software monoculture. Recent research in this area pro ..."
Abstract
-
Cited by 13 (3 self)
- Add to MetaCart
(Show Context)
Code-reuse attacks are notoriously hard to defeat, and most current solutions to the problem focus on automated software diversity. This is a promising area of research, as diversity attacks the common denominator enabling code-reuse attacks—the software monoculture. Recent research in this area provides security, but at an unfortunate price: performance overhead. Leveraging previously collected profiling information, compilers can substantially improve subsequent code generation. Traditionally, profile-guided optimization focuses on hot program code, where a program spends most of its execution time. Optimizing rarely executed code does not significantly impact performance, so few optimizations focus on this code. We use profile-guided optimization to reduce the performance overhead of software diversity. The primary insight is that we are free to diversify cold code, but restrict our diversification efforts in hot code. Our work investigates the impact of profiling on an expensive diversification technique: NOP insertion. By differentiating between hot cold and cold code, we optimize NOP insertion overheads from a maximum of 25 % down to a negligible 1%, while preserving the security properties of the original defense. Consequently, using our profile-guided diversification technique, even randomization techniques having a high performance overhead become practical.
A Non-Inclusive Memory Permissions Architecture for Protection Against Cross-Layer Attacks
"... Protecting modern computer systems and complex software stacks against the growing range of possible attacks is be-coming increasingly difficult. The architecture of modern commodity systems allows attackers to subvert privileged sys-tem software often using a single exploit. Once the system is comp ..."
Abstract
-
Cited by 5 (2 self)
- Add to MetaCart
(Show Context)
Protecting modern computer systems and complex software stacks against the growing range of possible attacks is be-coming increasingly difficult. The architecture of modern commodity systems allows attackers to subvert privileged sys-tem software often using a single exploit. Once the system is compromised, inclusive permissions used by current archi-tectures and operating systems easily allow a compromised high-privileged software layer to perform arbitrary malicious activities, even on behalf of other software layers. This paper presents a hardware-supported page permission scheme for the physical pages that is based on the concept of non-inclusive sets of memory permissions for different layers of system software such as hypervisors, operating systems, and user-level applications. Instead of viewing privilege lev-els as an ordered hierarchy with each successive level being more privileged, we view them as distinct levels each with its own set of permissions. Such a permission mechanism, imple-mented as part of a processor architecture, provides a common framework for defending against a range of recent attacks. We demonstrate that such a protection can be achieved with neg-ligible performance overhead, low hardware complexity and minimal changes to the commodity OS and hypervisor code. 1.
ret2dir: Rethinking kernel isolation
- In Proceedings of the 23rd USENIX Conference on Security Symposium, SEC’14
, 2014
"... Return-to-user (ret2usr) attacks redirect corrupted kernel pointers to data residing in user space. In response, sev-eral kernel-hardening approaches have been proposed to enforce a more strict address space separation, by pre-venting arbitrary control flow transfers and dereferences from kernel to ..."
Abstract
-
Cited by 4 (1 self)
- Add to MetaCart
(Show Context)
Return-to-user (ret2usr) attacks redirect corrupted kernel pointers to data residing in user space. In response, sev-eral kernel-hardening approaches have been proposed to enforce a more strict address space separation, by pre-venting arbitrary control flow transfers and dereferences from kernel to user space. Intel and ARM also recently introduced hardware support for this purpose in the form of the SMEP, SMAP, and PXN processor features. Un-fortunately, although mechanisms like the above prevent the explicit sharing of the virtual address space among user processes and the kernel, conditions of implicit shar-ing still exist due to fundamental design choices that trade stronger isolation for performance. In this work, we demonstrate how implicit page frame sharing can be leveraged for the complete circumven-tion of software and hardware kernel isolation protec-tions. We introduce a new kernel exploitation technique, called return-to-direct-mapped memory (ret2dir), which bypasses all existing ret2usr defenses, namely SMEP, SMAP, PXN, KERNEXEC, UDEREF, and kGuard. We also discuss techniques for constructing reliable ret2dir exploits against x86, x86-64, AArch32, and AArch64 Linux targets. Finally, to defend against ret2dir attacks, we present the design and implementation of an exclu-sive page frame ownership scheme for the Linux ker-nel that prevents the implicit sharing of physical memory pages with minimal runtime overhead. 1
The Devil is in the Constants: Bypassing Defenses in Browser JIT Engines
, 2015
"... Return-oriented programming (ROP) has become the dominant form of vulnerability exploitation in both user and kernel space. Many defenses against ROP exploits exist, which can significantly raise the bar against attackers. Although protecting existing code, such as applications and the kernel, migh ..."
Abstract
-
Cited by 2 (0 self)
- Add to MetaCart
(Show Context)
Return-oriented programming (ROP) has become the dominant form of vulnerability exploitation in both user and kernel space. Many defenses against ROP exploits exist, which can significantly raise the bar against attackers. Although protecting existing code, such as applications and the kernel, might be possible, taking countermeasures against dynamic code, i.e., code that is generated only at run-time, is much harder. Attackers have already started exploiting Just-in-Time (JIT) engines, available in all modern browsers, to introduce their (shell)code (either native code or re-usable gadgets) during JIT compilation, and then taking advantage of it. Recognizing this immediate threat, browser vendors started employing defenses for hardening their JIT engines. In this paper, we show that—no matter the employed defenses—JIT engines are still exploitable using solely dynamically generated gadgets. We
ASIST: Architectural Support for Instruction Set Randomization
"... Code injection attacks continue to pose a threat to today’s comput-ing systems, as they exploit software vulnerabilities to inject and execute arbitrary, malicious code. Instruction Set Randomization (ISR) is able to protect a system against remote machine code in-jection attacks by randomizing the ..."
Abstract
-
Cited by 2 (0 self)
- Add to MetaCart
Code injection attacks continue to pose a threat to today’s comput-ing systems, as they exploit software vulnerabilities to inject and execute arbitrary, malicious code. Instruction Set Randomization (ISR) is able to protect a system against remote machine code in-jection attacks by randomizing the instruction set of each process. This way, the attacker will inject invalid code that will fail to exe-cute on the randomized processor. However, all the existing imple-mentations of ISR are based on emulators and binary instrumen-tation tools that (i) incur a significant runtime performance over-head, (ii) limit the ease of deployment of ISR, (iii) cannot protect the underlying operating system kernel, and (iv) are vulnerable to evasion attempts trying to bypass ISR protection. To address these issues we propose ASIST: an architecture with hardware and operating system support for ISR. We present the de-sign and implementation of ASIST by modifying and mapping a SPARC processor onto an FPGA board and running our modified Linux kernel to support the new features. The operating system loads the randomization key of each running process into a newly defined register, and the modified processor decodes the process’s instructions with this key before execution. Moreover, ASIST pro-tects the system against attacks that exploit kernel vulnerabilities to run arbitrary code with elevated privileges, by using a separate randomization key for the operating system. We show that ASIST transparently protects all applications and the operating system ker-nel from machine code injection attacks with less than 1.5 % run-time overhead, while only requiring 0.7 % additional hardware.
SecPod: A Framework for Virtualization-based Security Systems
"... abstract The OS kernel is critical to the security of a computer system. Many systems have been proposed to improve its security. A fundamental weakness of those systems is that page tables, the data structures that control the memory protection, are not isolated from the vulnerable kernel, and thu ..."
Abstract
- Add to MetaCart
(Show Context)
abstract The OS kernel is critical to the security of a computer system. Many systems have been proposed to improve its security. A fundamental weakness of those systems is that page tables, the data structures that control the memory protection, are not isolated from the vulnerable kernel, and thus subject to tampering. To address that, researchers have relied on virtualization for reliable kernel memory protection. Unfortunately, such memory protection requires to monitor every update to the guest's page tables. This fundamentally conflicts with the recent advances in the hardware virtualization support. In this paper, we propose SecPod, an extensible framework for virtualization-based security systems that can provide both strong isolation and the compatibility with modern hardware. SecPod has two key techniques: paging delegation delegates and audits the kernel's paging operations to a secure space; execution trapping intercepts the (compromised) kernel's attempts to subvert SecPod by misusing privileged instructions. We have implemented a prototype of SecPod based on KVM. Our experiments show that SecPod is both effective and efficient.
Own your Android! Yet Another Universal Root
"... Abstract In recent years, to find a universal root solution for Android becomes harder and harder due to rare vulnerabilities in the Linux kernel base and also the exploit mitigations applied on the devices by various vendors. In this paper, we will present our universal root solution. The related ..."
Abstract
- Add to MetaCart
(Show Context)
Abstract In recent years, to find a universal root solution for Android becomes harder and harder due to rare vulnerabilities in the Linux kernel base and also the exploit mitigations applied on the devices by various vendors. In this paper, we will present our universal root solution. The related vulnerability CVE-2015-3636, a typical use-after-free bug in Linux kernel is discussed in detail. Exploiting such a use-after-free in Linux kernel is truly difficult due to the separated allocation from the kernel allocator. We will show how we leverage this kernel use-after-free bug to achieve privilege promotion on most popular Android devices on market which have a version not less than 4.3, including the first 64bit root case in the world. In short, we will present a generic way to exploit use-after-free vulnerabilities in Linux kernel, which means one exploit applies to devices of all brands. All the current mitigations in the kernel like PXN are circumvented by this approach. And most importantly our unique and undocumented exploitation technique targeting kernel use-after-free bugs features stability and accuracy.
2013 IEEE Symposium on Security and Privacy Practical Timing Side Channel Attacks Against Kernel Space ASLR
"... Abstract—Due to the prevalence of control-flow hijacking attacks, a wide variety of defense methods to protect both user space and kernel space code have been developed in the past years. A few examples that have received widespread adoption include stack canaries, non-executable memory, and Address ..."
Abstract
- Add to MetaCart
(Show Context)
Abstract—Due to the prevalence of control-flow hijacking attacks, a wide variety of defense methods to protect both user space and kernel space code have been developed in the past years. A few examples that have received widespread adoption include stack canaries, non-executable memory, and Address Space Layout Randomization (ASLR). When implemented correctly (i.e., a given system fully supports these protection methods and no information leak exists), the attack surface is significantly reduced and typical exploitation strategies are severely thwarted. All modern desktop and server operating systems support these techniques and ASLR has also been added to different mobile operating systems recently. In this paper, we study the limitations of kernel space ASLR against a local attacker with restricted privileges. We show that an adversary can implement a generic side channel attack against the memory management system to deduce information about the privileged address space layout. Our approach is based on the intrinsic property that the different caches are shared resources on computer systems. We introduce three implementations of our methodology and show that our attacks are feasible on four different x86-based CPUs (both 32- and 64-bit architectures) and also applicable to virtual machines. As a result, we can successfully circumvent kernel space ASLR on current operating systems. Furthermore, we also discuss mitigation strategies against our attacks, and propose and implement a defense solution with negligible performance overhead.
