Vasileios P. Kemerlis, Georgios Portokalidis, Angelos D. Keromytis Network Security Lab, Department of Computer Science, Columbia University, USA 21 st

kGuard: Lightweight Kernel Protection

against Return-to-user Attacks

Vasileios P. Kemerlis, Georgios Portokalidis, Angelos D. Keromytis

Network Security Lab,

Department of Computer Science,

Columbia University, USA

21st USENIX Security Symposium (August, 2012)

A Seminar at Advanced Defense Lab 2

Outline

Why Return-to-user (ret2usr) ? Threat model Protection with kGuard Implementation Evaluation Discussion and Future Work

2012/8/10


Compile-time protection

ASLR, StackGuard, and etc.

Why Return-to-user (ret2usr) ?

2012/8/10

Administrator Process

Attacker

User Process

System Kernel

Privileged Machine Code


Another Reason

NULL pointer dereference errors had not received significant attention.We usually see them as vulnerabilities for

DoS attacks. But they may be used to gain privileges.

CVE-2011-1888 (Windows)CVE-2009-2908 (Linux)CVE-2009-3527 (FreeBSD)CVE-2009-2692 (Linux, Android)

2012/8/10


A example (CVE-2009-2692)

[link]

if the socket descriptor belongs to a vulnerable protocol family, the value of the sendpage pointer in line 742 is set to NULL.

2012/8/10

http://lxr.linux.no/linux+v2.6.30.4/net/socket.c


Previous Approaches

Previous approaches to the problem are either impractical for deployment in certain environments or can be easily circumvented.Restricting mmap

○ Can be circumvented [link]PaX

○ Platform and architecture specific○ performance

2012/8/10

http://blog.cr0.org/2009/06/bypassing-linux-null-pointer.html


In this paper

We present a lightweight solution to the problem.

kGuard is a compiler plugin that augments kernel code with control-flow assertions (CFAs)which ensure that privileged execution

remains within its valid boundaries and does not cross to user space.

2012/8/10


Threat Model

We ascertain that an adversary is able to completely overwrite, partially corrupt (e.g., zero out only certain bytes), or nullify control data that are stored inside the address space of the kernel.

2012/8/10


Protection with kGuard

We propose a defensive mechanism that builds upon inline monitoring and code diversification.

kGuard is a cross-platform compiler plugin that enforces address space segregation,

2012/8/10


CFAR (transfer by register)

2012/8/10


CFAM (transfer by memory)

2012/8/10

Can be skip for optimization


Bypass Trampolines

Like return-oriented programming

It is possible to find an embedded opcode sequence that translates directly to a control branch in user space.

2012/8/10


Code Diversification Against Bypasses Code inflation

randomizing the starting address of the text segment

inserting NOP sleds of random length at the beginning of each CFA

2012/8/10


Code Diversification Against Bypasses (cont.) CFA motion

2012/8/10


Implementation

GCC 4.51

2012/8/10


Evaluation

Our testbed consisted of a single host, equipped with two 2.66GHz quad-core Intel Xeon X5500 CPUs and 24GB of RAM, running Debian Linux v6 (“squeeze” with kernel v2.6.32).

NOP sled before CFA: 0 ~ 20

2012/8/10


Preventing Real Attacks

2012/8/10


Translation Overhead

Kernel image size increasedX86: 3.5%X86-64: 5.6%

2012/8/10


Performance Overhead

Macro benchmarksBuilding a vanilla Linux kernelMySQL v5.1.49

○ Its own benchmark suit (sql-bench)Apache v2.2.16

○ Its utility ab and static HTML files

2012/8/10


Macro Benchmark Result

kGuard PaX

x86 X86-64 x86 x86-64

Building Kernel 1.03% 0.93% 1.26% 2.89%

sql-bench 0.93% 0.85% 1.16% 2.67%

ab 0.001% - 0.01%

0.001% – 0.01%

0.01% - 0.09%

0.01% - 0.67%

2012/8/10


Micro Benchmarks

2012/8/10


Discussion and Future Work

Custom violation handlers

Persistent threats

CFA motion at runtime

2012/8/10


Q & A

2012/8/10

Documents

Vasileios P. Kemerlis, Georgios Portokalidis, Angelos D. Keromytis Network Security Lab, Department of Computer Science, Columbia University, USA 21 st