Embed Size (px)
DESCRIPTION
Efficient Protection of Kernel Data Structures via Object Partitioning. Abhinav Srivastava , Jonathon Giffin AT&T Labs-Research, HP Fortify ACSAC 2012. Outline. Introduction Related Work Sentry System Implementation Evaluation Conclusion. Introduction. - PowerPoint PPT Presentation
Citation preview
Efficient Protection of Kernel Data Structures via Object PartitioningAbhinav Srivastava, Jonathon GiffinAT&T Labs-Research, HP Fortify
ACSAC 2012
Outline• Introduction• Related Work• Sentry System• Implementation• Evaluation• Conclusion
Introduction• Kernel-level malicious malware often uses DKOM(Direct
Kernel Object Manipulation) to hide the process from the kernel’s process accounting list.
• They may also escalate a process’ privileges by overwriting the process’ credentials with those for a root or administrative user
• We present a system called Sentry that creates access control protections for security-critical kernel data.
Related Work• Petroni et al. detect process which reachable in scheduler
but not in process accounting list.• Cannot detect the list of loaded kernel modules, which do not offer
multiple views.
• XFI and BGI guarded write instructions subject to access control policy constraints.• Require all kernel drivers and modules to use this system• Low performance.
Sentry System• Page-level Granularity: use hardware’s page read/write
protection to enforce access control policy
• Partitioning: to separate kernel data structure into regions which have different access control policies
• Based on VM: to get full control to hardware page-fault handling and management
Sentry System
Page-level Granularity• Old methods• Applying policy checking is to check all possible write operation to
kernel data Slow performance• Protecting a single security-critical member requires whole page to be
protected Low memory utility
• Sentry use structure partitioning and page write protection to apply access control policies
Page-level Granularity (Cont.)• How page write protection protect the data?
• Simply using the write flag in page data structure• If someone tries to write to a protected page, a page fault
happen, and a function sh_page_fault in XEN hypervisor is called to handle this event
• Sentry changes the handling function to add a policy check:• If write is valid, then ignore this page fault and perform write
operation• If write is invalid, then the write operation is denied
Partitioning• Structures such as task_struct and module contains a mix
of security-critical and not-critical fields
• Structure Division• Structure Alignment
Partitioning - Structure Division• Split original Obj by creating a new data structure insecure_Obj containing non-critical fields
uid_t uid, euid, suid
gid_t gid, egid, sgid
u64 acct_rss_mem1
u64 acct_vm_mem1
struct list_head tasks
void *journal_info
unsigned long personality
struct audit_context *audit_context
char comm[16]
...
struct task_struct struct task_struct
struct insecure_task_struct
uid_t uid, euid, suid
gid_t gid, egid, sgid
struct list_head tasks
char comm[16]
u64 acct_rss_mem1
u64 acct_vm_mem1
void *journal_info
unsigned long personality
struct audit_context *audit_context
insecure_task_struct *insecure
Partitioning - Structure Alignment• Add a buffer to original Obj to separate security-critical
members and non-critical members away• This can be done by using compiler options to insert or
remove the alignment buffer
struct module
enum module_state state
struct list_head list
char name[MODULE_NAME_LEN]
const char *version
const char *srcversion
...
struct module
enum module_state state
struct list_head list
char name[MODULE_NAME_LEN]
const char *version
const char *srcversion
...
char buffer[BIG_SPACE]
Page Size
PolicyA valid write operation can be performed by:
• Trusted core kernel, such as core kernel code from symbol _text to _etext, kernel boot code from symbol __init_begin to __init_end• Trusted Upgraders: Alteration reachable from most
exported kernel functions, such as API provided by the Kernel
Page Creation & Registration• When creating a new instance of protected structure, Obj
and insecure_Obj are put into a page frame separately, and add page write protection on the page containing Obj
• The page frame number(PFN) then send to Sentry system using VMCALL, a method to pass data to hypervisor, to tell which page frame needs mediation
Implementation• Use Linux 2.6 and Xen hypervisor
• Change task_struct and module structure using division and alignment respectively
• Change Linux source code where use those structures into correct variable• current->journal_info current->insecure->journal_info• Alter 0.036%(2536/7041452) SLOC(Source Line of Code) in Linux
2.6• This can be done by source-to-source transformation techniques, such
as provided by CIL
Implementation (Cont.)• Structure Division• Apply on task_struct structure only• Categorized 28 of 122 members as critical• Change structure creation function kmem_cache_alloc into get_free_pages and kmalloc
• Structure Alignment• Apply on module structure only• Categorized 2 of 29 members as critical• Only a recompilation of the kernel
Implementation (Cont.)• APIs to communicate to hypervisor• addPFNtoDB, removePFNfromDB, checkPFNinDB
• Modify __sh_propagate to make a shadow of memory of guest operating system for monitor
• Sentry check write operation’s vaildity by the eip register when sh_page_fault is called, and traverse the stack frame using ebp to get full call trace
Evaluation• Attack Prevention and Detection
Evaluation (Cont.)• Performance on loading and unloading modules• Normal: no kernel memory protection• Protected: protection without partitioning• Sentry: both memory protection and partitioning
Evaluation (Cont.)• Performance on file system read/write
• Memory page utility• A partitioned kernel used 6502 pages as compared to 6302 pages
used by the unpartitioned kernel
Evaluation (Cont.)• Performance on real world jobs
• Performance on process data structure• 1000 µs = 1 ms
Evaluation (Cont.)• False Positive Analysis• Since benign modules don’t directly modify security-critical
kernel data, and uses exported APIs provided by kernel• For example, benign modules don’t directly modify run_list, but
using enqueue_task and dequeue_task to modify this member, and those functions are valid APIs, so the modules can still works fine
• Our system did not show any false positives and detected all attacks
Conclusion• We create protected memory regions within the unified
kernel data space.
• We show how to optimize kernel memory space layout for the protection constraints created by our system.
• We design and develop a system, Sentry, which is capable of protecting both statically and dynamically allocated data structures.
