{ Enhanced Operating System Security Through Efficient and Fine-grained Address Space Randomization...

Enhanced Operating System Security Through Efficient and Fine-grained Address Space Randomization

Cristiano Giuffrida, Anton Kuijsten & Andrew S.Tanenbaum

Vrije Universiteit, Amsterdam

Presented By

Neil Parmar

Kernel Level Exploitations

Exploitations:• Kernel-level exploitation gaining a vast momentum

• Many exploitations are available for Windows, Linux, BSD, Mac OS X, iOS

Causes of Exploitations:• Plenty of memory error vulnerabilities to choose from

• Improved Kernel codebase is complex, large, and in continuous evolution

• A large number of internet-connected users running the same kernel version

• Many attack opportunities for both local and remote exploits

Existing Countermeasures

Countermeasures:• Preserving Kernel code Integrity [SecVisor, NICKLE, hvmHarvard]

• Kernel hook protection [HookSafe, HookScout, Indexed hooks]

• Control-flow Integrity [SBCFI]

Drawbacks of the particular Countermeasures:• No comprehensive memory error protection

• Virtualization Support required, high overhead

Address Space Randomization (ASR)

• Well-established defense mechanism against memory error exploits

• Application-level support in all major operating systems

• The operating system itself typically not randomized at all

• Only recent Windows releases perform basic text randomization

• No strategy has been proposed for comprehensive and fine-grained OS level ASR

• GOAL: Fine-Grained ASR for operating systems

Contributions

• Identify the challenges and the key requirements for a comprehensive OS-Level ASR Solution.

• Fine-Grained ASR: Improve existing ASR solution in terms of both performance and security.

• Introduction to Live Rerandomization Strategy

Background

• Code and data locations are unpredictable in memory

• Preventing adversary for detecting precise assumption on the memory layout

• Fine-Grained ASR permute the order of individual memory objects

Background

• Code and data locations be unpredictable in memory.

Challenges in OS-Level ASR

• Instrumentation

• Run-time constraints

• Information Leakage

• Brute Force

A Design for OS-Level ASR

• Make both location and layout of memory objects unpredictable

• LLVM-based link-time transformation for safe and efficient ASR

• Minimal amount of untrusted code exposed to the runtime

• Live randomization n to maximize observability of the system

• No changes in software distribution model

Architecture

The OS Architecture for ASR Design

Code Randomization

Original Function (LLVM IR)

Code Randomization

Randomize function location

Code Randomization

Adding Random size padding

Code Randomization

Basic Block Shifting

Static Data Randomization

Original variable and type (LLVM IR)

Random Variable Location

Add Random-sized padding

Internal Layout Randomization

Stack Randomization

Dynamic Data Randomization

• Support for malloc()/mmap()-like allocator abstractions

• Memory mapped regions are fully randomized

• Heap allocations are interleaved with random-sized padding

• Full heap randomization enforced at live randomization time

• ILR (Internal Link Randomization) for all the dynamically allocated memory objects

Live Randomization

• First stateful live randomization technique

• Periodically rerandomize the memory address space layout

• Support arbitary memory layout changes at rerandomization time

• Support all the standard C idioms with minimal manual effort

• Sandbox the rerandomization code to recover from run-time errors

ASRR Transformations

ASRR Metadata

• Types

• Global Variables

• Static Variables

• String constants

• Functions

• Dynamic memory allocation

The Randomization Process

ASR Performance

Summary

• A new fine-grained technique for operating systems

• Better performance and security than prior ASR solutions

• Live rerandomization and ILR to counter information leakage

• No heavyweight instrumentation exposed to the runtime

• Process-based isolation to recover from run-time ASRR error

{ Enhanced Operating System Security Through Efficient and Fine-grained Address Space Randomization...

Documents

Statistical Randomization Tests: Issues and Applications Randomization Tests versus Permutation Tests Randomization Tests versus Permutation Tests Test

Randomization workshop

1 Randomization Algorithmic design patterns. n Greed. n Divide-and-conquer. n Dynamic programming. n Network flow. n Randomization. Randomization. Allow

Approximate Randomization tests

Delitto Alle Elezioni - Calogero Giuffrida

Methods of Randomization

Sturiale Alberto Billa Fabrizio Giuffrida Francesco

RANDOMIZATION - IASCT · Input dataset for the SAS macro: Covariate Adaptive Randomization. ... Issues in Outcomes Research: An Overview of Randomization Techniques for Clinical

“Giuseppe De Felice Giuffrida - Adriano Olivetti Piazza ... · 1 Repubblica Italiana – Regione Siciliana Istituto Tecnico Commerciale Statale “Giuseppe De Felice Giuffrida -

TANO GIUFFRIDA

Dott. V. GIUFFRIDA-BUGGERI - Isita-org.com

Stack Layout Randomization with Minimal Rewriting of ... · Stack Layout Randomization with Minimal Rewriting of ... researchers have been questioning such randomization techniques

Basics of Randomization

12 giuffrida

Randomization & Blinding

Redes de computadoras 4ta edición - andrew s.tanenbaum bye-axedrez

Prof. Antonino Giuffrida @ BookAlive Worksop

Ch 6 randomization

Enhanced Operating System Security Through Efﬁcient … · Enhanced Operating System Security Through Efﬁcient and Fine-grained Address Space Randomization Cristiano Giuffrida

Randomization & Pseudo-Randomization Part I...Randomization and Pseudo-Randomization RCM Based Methods and Avoiding Confounding The goal of sidestepping confounding by –nding such