Subverting the Linux Kernel Linux Kernel Rootkits 101
- Pierce York
- 6 years ago
2 Kernel Rootkits?
- A collection of program(s) that hide an attacker's presence and activities on a compromised system
- Typically allows an attacker to keep privileged access and stay unnoticed
- Common rootkit activities: hide files, processes and network connections; filter logfiles
- Main idea: manipulate the administrator's view of the system
- Most often distributed in the form of a Loadable Kernel Module (LKM)
- There are other methods that avoid using LKMs (code injection via /dev/kmem and /dev/mem)
3 Common Attack Vectors
- Syscalls via INT 0x80 are deprecated, although still supported for ancient 32-bit programs
- Modern programs use the SYSCALL instruction on x86_64; SYSENTER is used for 32-bit programs
- Diagram from Rootkits - Detection and Prevention, de Almeida, Andre Jorge Marques
4 Common Attack Vectors
- We'll take a closer look at the 64-bit syscall entry path in the context of modern 4.x kernels
- Diagram from Rootkits - Detection and Prevention, de Almeida, Andre Jorge Marques
5 Common Approaches
- sys_call_table infection (Example: Knark, 1999)
- Function hooking/trampolines (Example: Suterusu, a concept rootkit, 2013)
- Syscall handler infection (Example: SucKIT, 2001)
6 More Approaches
- VFS layer interception (Example: Adore-ng): avoids tampering with sys_call_table and other central structures
- Code injection via /dev/kmem (Example: SucKIT, 2001) or /dev/mem (Example: Phalanx and Phalanx2, ~2005)
7 Implementation
- Many of these approaches are documented in literature dating back to the early-to-mid 2000s...
- How do these approaches stack up against a modern Linux kernel today? (We'll be looking at x86_64 specifically)
8 Method #1: sys_call_table infection
9 Method #1: sys_call_table infection
- Most traditional and commonly cited method
- But easily detected, by checking the integrity of the syscall table of the running kernel
- The main obstacle is locating sys_call_table
- Pre-2.6 Linux kernel: sys_call_table was exported and not write-protected!
- This fact was exploited by the Knark rootkit (1999), based on Linux 2.2/2.4; it was trivial to modify the system call table back then
- sys_call_table on x86 wasn't marked read-only until 2006
10 Method #1: sys_call_table infection
- Methods of locating sys_call_table spotted in the wild: looking it up in the System.map file [1]
- Mitigation: some arches support kernel address space layout randomization (KASLR), introduced on x86 with 3.14 (2014); System.map addresses then won't match up with the running kernel
- Mitigation: alternatively, just remove the file
11 Method #1: sys_call_table infection
- Methods of locating sys_call_table spotted in the wild: looking it up in kallsyms (/proc/kallsyms) [2]
- Mitigation: CONFIG_KALLSYMS_ALL=n, which excludes data/non-text symbols
- This also prevents malicious kernel modules from abusing the kallsyms API to look up sys_call_table and other structures (e.g. in the VFS layer) that live in data sections
- Note that this only hides the symbol; a root attacker can still fall back to the memory scanning methods below
12 Method #1: sys_call_table infection
- Methods of locating sys_call_table spotted in the wild: brute-force search of kernel memory
- Find it using the addresses of exported syscalls (notably sys_close) [3] (Example: Intoxonia [4])
- Source: "Modern Linux Rootkits 101" by Tyler Borland
- Mitigation: reduce or eliminate exported syscalls; it looks like some drivers still depend on sys_close
13 Method #1: sys_call_table infection
- Other methods of locating sys_call_table spotted in the wild: scanning the arch-specific syscall handler for the address
- Main idea: we know that the syscall handler issues calls through sys_call_table, so a rootkit can scan the handler's code for the table's address
14 Method #1: sys_call_table infection
- Scanning the arch-specific syscall handler for the address: first, we need the address of the syscall handler itself
- Older rootkits used the INT 0x80 way: scan the Interrupt Descriptor Table
- Modern x86 systems use Model-Specific Registers (MSRs) to store the handlers for the SYSCALL instruction: LSTAR holds the kernel's syscall entry for 64-bit programs; CSTAR holds the kernel's syscall entry in 32-bit compatibility mode (only AMD CPUs honour SYSCALL in compatibility mode; on Intel, 32-bit programs go through SYSENTER)
- On x86_64, the syscall handler is called entry_SYSCALL_64 (older kernels used a different name for it)
15 Method #1: sys_call_table infection
- The Model-Specific Register LSTAR contains the address of the syscall handler on x86_64
- It can be read out with the RDMSR instruction (wrapped as a macro in the kernel)
- RDMSR must be executed at privilege level 0 (kernel mode), so a kernel module can execute it
16 Method #1: sys_call_table infection
- Once we have the address of the syscall handler, scan it byte by byte for the indirect call through the table (call *sys_call_table(,%rax,8)); its opcode bytes are unique within the handler and are found within the first 256 bytes
- This gives us a 32-bit displacement, which the CPU sign-extends to the 64-bit absolute address of sys_call_table
- Caveat: later 4.x kernels moved the dispatch out of the assembly entry stub into the C function do_syscall_64, so the call site (and the constant) has to be searched for there instead
17 Method #1: sys_call_table infection
- Once we have the address of sys_call_table, we need to modify the table, but it lives in read-only memory
- We can write to control registers in kernel mode; specifically, we want to write to CR0, which contains control flags that modify the basic operation of the CPU
- Bit 16 of CR0 is the write-protect bit: when CR0.WP = 1, the CPU can't write to read-only pages even at privilege level 0
- Reads and writes to CR0 can only be done in kernel mode, so an LKM can clear the write-protect bit
- Then sys_call_table can be modified and its pointers replaced with pointers to malicious functions
18 Method #1: sys_call_table infection Demo
19 Method #2: syscall handler infection
20 Method #2: syscall handler infection
- Alternative: instead of modifying sys_call_table directly, a rootkit can make a copy of the syscall table and modify that instead
- Patch the syscall handler to issue syscalls through the rootkit's copy of the table
- Similar to the function trampoline method (or any text patching method), in which the first instructions of a function are overwritten with a jump that redirects it into the rootkit (Example: Suterusu)
- These text-patching methods are not SMP safe: another CPU can execute the half-patched instructions
21 Detecting sys_call_table and handler modifications
- Use crash or gdb coupled with /proc/kcore to inspect memory of the running kernel; requires access to the unstripped vmlinux file
- Inspect the contents of sys_call_table: check that the addresses in the table match up to the real syscall implementations, and check whether any address points into the module region (>= MODULES_VADDR on x86_64; see Documentation/x86/x86_64/mm.txt)
- Disassemble the syscall handlers and inspect the sys_call_table call site; check that the table used corresponds to the real sys_call_table
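The following user-space C program is added here as an illustration and is not code from the slides. It models both halves of the argument in slides 16 and 21: the rootkit's scan of the handler bytes for the indirect call through the table, and the detector's check of the table's entries against their expected values. The handler bytes and table contents are constructed for the demo, and the two address-space constants are assumed from a 4.x x86_64 layout without KASLR; on a real system the handler would be read from the address in LSTAR, the table from /proc/kcore, and the expected values from the unstripped vmlinux.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed x86_64 layout for a 4.x kernel without KASLR (see
 * Documentation/x86/x86_64/mm.txt): kernel text below 0xffffffffa0000000,
 * module mapping space from there upwards. */
#define KERNEL_TEXT_START 0xffffffff81000000ULL
#define MODULES_VADDR     0xffffffffa0000000ULL

/* Encoding of `call *sys_call_table(,%rax,8)`: opcode FF /2 with a SIB byte
 * (scale 8, index %rax, no base register), followed by a 32-bit displacement
 * that the CPU sign-extends to a 64-bit absolute address. */
static const uint8_t CALL_VIA_TABLE[3] = { 0xff, 0x14, 0xc5 };

/* Rootkit side: scan the first `len` bytes of the syscall handler for the
 * indirect call and recover the table address. Returns 1 if found. */
int find_sys_call_table(const uint8_t *handler, size_t len, uint64_t *table)
{
    for (size_t i = 0; i + sizeof CALL_VIA_TABLE + 4 <= len; i++) {
        if (memcmp(handler + i, CALL_VIA_TABLE, sizeof CALL_VIA_TABLE) != 0)
            continue;
        int32_t disp32;
        memcpy(&disp32, handler + i + sizeof CALL_VIA_TABLE, 4); /* little-endian */
        *table = (uint64_t)(int64_t)disp32;   /* sign extension, as the CPU does */
        return 1;
    }
    return 0;
}

/* Convenience wrapper for the demo: the located address, or 0 if not found. */
uint64_t demo_locate(const uint8_t *handler, size_t len)
{
    uint64_t addr = 0;
    return find_sys_call_table(handler, len, &addr) ? addr : 0;
}

/* Detection side: classify one sys_call_table entry against the address the
 * unstripped vmlinux says it should hold. */
enum entry_status { ENTRY_OK, ENTRY_IN_MODULE_SPACE, ENTRY_OUTSIDE_TEXT, ENTRY_MISMATCH };

enum entry_status check_entry(uint64_t actual, uint64_t expected)
{
    if (actual >= MODULES_VADDR)
        return ENTRY_IN_MODULE_SPACE;   /* points into an LKM: the classic hook */
    if (actual < KERNEL_TEXT_START)
        return ENTRY_OUTSIDE_TEXT;      /* not kernel text at all */
    if (actual != expected)
        return ENTRY_MISMATCH;          /* redirected somewhere inside text */
    return ENTRY_OK;
}

/* Returns the number of suspicious entries in a table of `n` pointers. */
size_t audit_sys_call_table(const uint64_t *table, const uint64_t *expected, size_t n)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        if (check_entry(table[i], expected[i]) != ENTRY_OK)
            bad++;
    return bad;
}

/* Constructed sample data (not captured from a real kernel). */
const uint8_t DEMO_HANDLER[] = {
    0x0f, 0x01, 0xf8,                              /* swapgs */
    0x48, 0x89, 0xe7,                              /* mov %rsp,%rdi (filler) */
    0xff, 0x14, 0xc5, 0x00, 0x00, 0xa0, 0x81,      /* call *0xffffffff81a00000(,%rax,8) */
    0x48, 0x89, 0x44, 0x24, 0x50,                  /* mov %rax,0x50(%rsp) */
};
const uint64_t DEMO_EXPECTED[4] = {
    0xffffffff81210000ULL, 0xffffffff81210100ULL,
    0xffffffff81210200ULL, 0xffffffff81210300ULL,
};
const uint64_t DEMO_TABLE[4] = {
    0xffffffff81210000ULL,   /* intact */
    0xffffffffa0012340ULL,   /* hooked: points into module space */
    0xffffffff81210200ULL,   /* intact */
    0xffffffff81999990ULL,   /* redirected within kernel text */
};

int main(void)
{
    printf("sys_call_table located at %#llx\n",
           (unsigned long long)demo_locate(DEMO_HANDLER, sizeof DEMO_HANDLER));
    printf("%zu suspicious entries\n",
           audit_sys_call_table(DEMO_TABLE, DEMO_EXPECTED, 4));
    return 0;
}
```

Note that the displacement 0x81a00000 only decodes to the right address because of the sign extension; treating it as an unsigned value would give 0x0000000081a00000 and the scan would appear to fail. The same sign-extension step is what a detector has to reproduce when it verifies that the call site really targets the symbol sys_call_table from vmlinux.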
22 Detecting sys_call_table and handler modifications Demo
23 Method #3: VFS layer interception
24 Method #3: VFS layer interception
- VFS is an abstraction layer that serves as the entry point for many filesystem operations and fs-related syscalls
- VFS-based rootkits target this layer instead of a central structure like the syscall table
- Example: Adore-ng (2004) manipulated procfs-related filesystem operations; it replaces /proc's readdir handler (now called iterate_shared) to hide certain PIDs; since programs like ps and top read from /proc, those PIDs would not show up in their output
- VFS is very object-oriented: it contains many structs with function pointers (e.g. file_operations) that point to the functions implementing file system operations such as open, read, write, etc.
- A rootkit can replace these pointers with pointers to malicious versions of the handlers
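A user-space model of the Adore-ng style hook described above, added here as an illustration; it is not Adore-ng's code, and the struct shapes are simplified stand-ins for the kernel's dir_context and file_operations. The "/proc" listing is constructed. The rootkit does not touch the directory data at all: it swaps the handler pointer in the file_operations struct, and its replacement wraps the caller's filldir callback so that one entry is silently dropped on the way back to user space.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Simplified stand-ins for the kernel interfaces (assumed shapes, not the real
 * definitions): a directory handler receives a dir_context whose `actor`
 * callback it calls once per entry; file_operations holds the handler pointer. */
struct dir_context;
typedef int (*filldir_t)(struct dir_context *ctx, const char *name, unsigned long ino);
struct dir_context {
    filldir_t actor;
    void *private_data;
};
struct file_operations {
    int (*iterate_shared)(struct dir_context *ctx);
};

/* Constructed contents of "/proc" for the demo. */
static const char *PROC_ENTRIES[] = { "1", "42", "1337", "self", "cpuinfo" };
#define PROC_NENTRIES (sizeof PROC_ENTRIES / sizeof PROC_ENTRIES[0])

/* The legitimate procfs directory handler: emits every entry. */
static int proc_iterate_shared(struct dir_context *ctx)
{
    for (size_t i = 0; i < PROC_NENTRIES; i++)
        if (ctx->actor(ctx, PROC_ENTRIES[i], 1000 + i) != 0)
            break;                       /* a nonzero return asks us to stop */
    return 0;
}

struct file_operations proc_dir_fops = { .iterate_shared = proc_iterate_shared };

/* --- rootkit side ------------------------------------------------------- */
static int (*orig_iterate_shared)(struct dir_context *ctx);
static filldir_t orig_actor;   /* one global for all callers: not SMP safe */
static char hidden_pid[16];

/* Wrapper around the caller's filldir: drop the hidden PID, forward the rest. */
static int hooked_filldir(struct dir_context *ctx, const char *name, unsigned long ino)
{
    if (strcmp(name, hidden_pid) == 0)
        return 0;                        /* swallow the entry, keep iterating */
    return orig_actor(ctx, name, ino);
}

/* Replacement handler: temporarily swap the actor, run the real handler. */
static int hooked_iterate_shared(struct dir_context *ctx)
{
    orig_actor = ctx->actor;
    ctx->actor = hooked_filldir;
    int ret = orig_iterate_shared(ctx);
    ctx->actor = orig_actor;
    return ret;
}

/* In the kernel the target file_operations is usually const (read-only data),
 * so a real rootkit has to clear CR0.WP before this store. */
void install_hook(struct file_operations *fops, const char *pid)
{
    snprintf(hidden_pid, sizeof hidden_pid, "%s", pid);
    orig_iterate_shared = fops->iterate_shared;
    fops->iterate_shared = hooked_iterate_shared;
}

void remove_hook(struct file_operations *fops)
{
    fops->iterate_shared = orig_iterate_shared;
}

/* --- what ps / ls /proc would see ---------------------------------------- */
struct listing { char names[8][32]; size_t n; };
struct listing demo_listing;

static int collect(struct dir_context *ctx, const char *name, unsigned long ino)
{
    struct listing *l = ctx->private_data;
    (void)ino;
    if (l->n >= 8)
        return -1;
    snprintf(l->names[l->n++], sizeof l->names[0], "%s", name);
    return 0;
}

/* Read the directory through whatever handler the fops currently points at. */
size_t list_proc(struct file_operations *fops, struct listing *out)
{
    struct dir_context ctx = { .actor = collect, .private_data = out };
    out->n = 0;
    fops->iterate_shared(&ctx);
    return out->n;
}

/* Detection side: compare the pointer with the known-good handler, which is
 * what a crash/gdb session against vmlinux does for each struct it checks. */
int fops_tampered(const struct file_operations *fops)
{
    return fops->iterate_shared != proc_iterate_shared;
}

int main(void)
{
    install_hook(&proc_dir_fops, "1337");
    size_t n = list_proc(&proc_dir_fops, &demo_listing);
    printf("%zu entries visible, fops tampered: %d\n", n, fops_tampered(&proc_dir_fops));
    for (size_t i = 0; i < n; i++)
        printf("  %s\n", demo_listing.names[i]);
    remove_hook(&proc_dir_fops);
    return 0;
}
```

The directory data and the real handler are untouched, which is why the detection approach in the next slides has to validate the function pointers themselves rather than the filesystem contents. The single global orig_actor mirrors the weakness the slides mention for text patching: two CPUs listing /proc concurrently would race on it.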
25 Method #3: VFS layer interception Demo
26 Detecting VFS layer infections
- Use crash or gdb coupled with /proc/kcore to inspect memory of the running kernel; gdb doesn't handle KASLR well, but crash can!
- Infections are more cumbersome to detect, since this method does not manipulate central resources like the syscall table; it would require checking the integrity of numerous structs
- General idea is to validate function pointer addresses: check that the addresses in each struct match up to the real handlers
27 Detecting VFS layer infections Demo
28 Other Methods: /dev/mem & /dev/kmem
- /dev/kmem: device file that provides access to kernel virtual memory; many distributions have turned off this device file
- /dev/mem: device file that provides access to physical memory; distributions still provide access to it (as root, and only up to 1MB with CONFIG_STRICT_DEVMEM)
29 Other Methods: /dev/mem & /dev/kmem
- Typical approach: obtain the address of the syscall handler via the IDT (deprecated INT 0x80 way) or by reading the LSTAR MSR as root (new syscall/sysenter way)
- Scan the syscall handler for the sys_call_table address
- Overwrite entries in sys_call_table via /dev/kmem or /dev/mem; for /dev/mem, the rootkit author must do virtual-to-physical address calculations
- How to insert rootkit code into kernel memory? One method used by SucKIT: place the address of kmalloc into the syscall table (either overwriting an existing entry or finding an unused one); kmalloc() is then executed as a syscall and kernel memory is allocated; the rootkit code is then written to this region; finally the address of the rootkit is written to the syscall table, replacing kmalloc
30 Other Methods: /dev/mem & /dev/kmem
- Real-life example: kernel.org breach in 2011; the Phalanx rootkit (plus a trojan) was installed on Linux Foundation servers
- Phalanx/Phalanx2 both utilize /dev/mem to inject malicious code
- Phalanx2 was able to bypass the CONFIG_STRICT_DEVMEM restrictions (introduced in 2008)
- It used helper kernel modules to overwrite the kernel's check that /dev/mem accesses stay below 1MB (devmem_is_allowed) so that it always returns 1, thus granting full RW access to /dev/mem
- After performing this task, the helper module's init function would return an error, so the module is never actually loaded and leaves no trace in the loaded-module list
- With full access to /dev/mem, Phalanx is able to overwrite sys_call_table, perform function hooking, etc.
31 Other Methods: /dev/mem
- A new config option, CONFIG_DEVMEM, introduced in 2015 makes /dev/mem an optional device; one could disable this option to close off this attack vector
- Is /dev/mem still used today? The originally cited reason for keeping it: the X window system uses it to access video memory. But with the advent of rootless X and kernel mode setting, /dev/mem access may not be as relevant anymore
- DOSEMU is another application that uses /dev/mem
32 Detection and Prevention
- Detection: "fingerprinting" important areas of the kernel: the first bytes of syscalls (detect function trampolines); the system call handler (e.g. entry_SYSCALL_64); the addresses in MSRs (e.g. LSTAR for x86_64, IA32_SYSENTER_EIP for x86_32 or IA32 emulation); important function pointers in the fs layer (e.g. file_operations structs in procfs)
- Prevention: disabling kernel modules (at the cost of flexibility); enforcing cryptographically signed modules (CONFIG_MODULE_SIG && CONFIG_MODULE_SIG_FORCE, available since 3.7 (2012)); disabling CONFIG_DEVKMEM; disabling CONFIG_DEVMEM (made configurable in commit 73f0718e74e (2015))
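A small C checker for the prevention settings collected across these slides (module signing, /dev/kmem, /dev/mem and CONFIG_STRICT_DEVMEM, CONFIG_KALLSYMS_ALL, KASLR), added here as an example and not taken from the slides. It parses Kconfig-style text such as the output of `zcat /proc/config.gz` or a /boot/config-* file; the two configurations below are constructed, and the option names are the x86 ones (CONFIG_RANDOMIZE_BASE is the KASLR switch).

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Returns 1 if `opt` is set to y in Kconfig-style text ("CONFIG_X=y" on a
 * line of its own). "# CONFIG_X is not set", "=m" and absence all return 0,
 * and a longer option sharing the prefix (CONFIG_MODULE_SIG_FORCE vs
 * CONFIG_MODULE_SIG) is not mistaken for a match. */
int config_is_y(const char *cfg, const char *opt)
{
    size_t n = strlen(opt);
    for (const char *p = strstr(cfg, opt); p; p = strstr(p + n, opt)) {
        int at_line_start = (p == cfg || p[-1] == '\n');
        if (at_line_start && p[n] == '=' && p[n + 1] == 'y' &&
            (p[n + 2] == '\n' || p[n + 2] == '\r' || p[n + 2] == '\0'))
            return 1;
    }
    return 0;
}

#define MAX_FINDINGS 8

/* Applies the checks from the slides and stores one message per weakness in
 * `out`; returns the number of findings. */
size_t audit_kernel_config(const char *cfg, const char *out[MAX_FINDINGS])
{
    size_t n = 0;
    if (!(config_is_y(cfg, "CONFIG_MODULE_SIG") && config_is_y(cfg, "CONFIG_MODULE_SIG_FORCE")))
        out[n++] = "unsigned modules can be loaded (need CONFIG_MODULE_SIG=y and CONFIG_MODULE_SIG_FORCE=y)";
    if (config_is_y(cfg, "CONFIG_DEVKMEM"))
        out[n++] = "/dev/kmem gives root write access to kernel virtual memory (CONFIG_DEVKMEM=y)";
    if (config_is_y(cfg, "CONFIG_DEVMEM") && !config_is_y(cfg, "CONFIG_STRICT_DEVMEM"))
        out[n++] = "/dev/mem exposes all of physical memory (CONFIG_DEVMEM=y without CONFIG_STRICT_DEVMEM)";
    if (config_is_y(cfg, "CONFIG_KALLSYMS_ALL"))
        out[n++] = "data symbols such as sys_call_table are visible via kallsyms (CONFIG_KALLSYMS_ALL=y)";
    if (!config_is_y(cfg, "CONFIG_RANDOMIZE_BASE"))
        out[n++] = "no KASLR: System.map addresses match the running kernel (CONFIG_RANDOMIZE_BASE unset)";
    return n;
}

size_t count_findings(const char *cfg)
{
    const char *findings[MAX_FINDINGS];
    return audit_kernel_config(cfg, findings);
}

/* Constructed sample configurations. */
const char WEAK_CONFIG[] =
    "CONFIG_MODULES=y\n"
    "CONFIG_MODULE_SIG=y\n"
    "# CONFIG_MODULE_SIG_FORCE is not set\n"
    "CONFIG_DEVKMEM=y\n"
    "CONFIG_DEVMEM=y\n"
    "# CONFIG_STRICT_DEVMEM is not set\n"
    "CONFIG_KALLSYMS_ALL=y\n"
    "# CONFIG_RANDOMIZE_BASE is not set\n";

const char HARDENED_CONFIG[] =
    "CONFIG_MODULES=y\n"
    "CONFIG_MODULE_SIG=y\n"
    "CONFIG_MODULE_SIG_FORCE=y\n"
    "# CONFIG_DEVKMEM is not set\n"
    "# CONFIG_DEVMEM is not set\n"
    "CONFIG_STRICT_DEVMEM=y\n"
    "# CONFIG_KALLSYMS_ALL is not set\n"
    "CONFIG_RANDOMIZE_BASE=y\n";

int main(void)
{
    const char *findings[MAX_FINDINGS];
    size_t n = audit_kernel_config(WEAK_CONFIG, findings);
    for (size_t i = 0; i < n; i++)
        printf("- %s\n", findings[i]);
    printf("%zu finding(s) in weak sample, %zu in hardened sample\n",
           n, count_findings(HARDENED_CONFIG));
    return 0;
}
```

These are build-time settings, so the checker only tells you what the kernel can do, not what it is currently doing: a kernel built with CONFIG_MODULE_SIG_FORCE=n can still be locked down at runtime with the kernel.modules_disabled sysctl, and CONFIG_STRICT_DEVMEM still leaves the first 1MB of /dev/mem writable, which is exactly the window Phalanx2 widened.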
33 Questions, corrections, comments?
CS140 Winter 2006 Final Exam Solutions (1) In class we talked about the link count in the inode of the Unix file system being incorrect after a crash. The reference count can either be either too high
More informationCPSC 213. Introduction to Computer Systems. Procedures and the Stack. Unit 1e
CPSC 213 Introduction to Computer Systems Unit 1e Procedures and the Stack 1 Readings for Next 3 Lectures Textbook Procedures - 3.7 Out-of-Bounds Memory References and Buffer Overflow - 3.12 2 Local Variables
More informationGuest-Transparent Prevention of Kernel Rootkits with VMM-based Memory Shadowing
Guest-Transparent Prevention of Kernel Rootkits with VMM-based Memory Shadowing Ryan Riley Xuxian Jiang Dongyan Xu Purdue University George Mason University Purdue University rileyrd@cs.purdue.edu xjiang@gmu.edu
More informationReverse Engineering. Class 5. Malware Analysis. Reverse Engineering Class 5 Martin Balao martin.uy/reverse v1.0 EN CC BY-SA
Reverse Engineering Class 5 1 Something odd? 2 Process injection Hide and evade audit logs Bypass endpoint firewalls with application filtering Steal information from the injected process Change session
More informationCPSC 213. Introduction to Computer Systems. The Operating System. Unit 2e
CPSC 213 Introduction to Computer Systems Unit 2e The Operating System 1 Readings for Next Two Lectures Text Exceptional Control Flow: Processes, System Call Error Handling VM as a Tool for Memory Protection
More informationInterrupts and System Calls
Interrupts and System Calls Open file hw1.txt App First lecture Ok, here s handle 4 App App Don Porter Libraries Libraries Libraries System Call Table (350 1200) Kernel User Supervisor Hardware 1 2-2 Today
More informationCOMP 3430 Robert Guderian
Operating Systems COMP 3430 Robert Guderian file:///users/robg/dropbox/teaching/3430-2018/slides/03_processes/index.html?print-pdf#/ 1/53 1 Processes file:///users/robg/dropbox/teaching/3430-2018/slides/03_processes/index.html?print-pdf#/
More informationC O N t E N t s I N D E ta I l FORewORd by dr. Jared demott acknowledgments xvii introduction xix PaRT 1 TOOLS OF THe TRade
Foreword by Dr. Jared DeMott xv Acknowledgments xvii Introduction Prerequisites for the Reader...xx A Brief Game Hacking History....xx Why Hack Games?... xxi How This Book Is Organized...xxii About the
More informationBackground: Operating Systems
Background: Operating Systems Brad Karp UCL Computer Science CS GZ03 / M030 9 th October 2015 Outline Goals of an operating system Sketch of UNIX User processes, kernel Process-kernel communication Waiting
More informationwe are here Page 1 Recall: How do we Hide I/O Latency? I/O & Storage Layers Recall: C Low level I/O
CS162 Operating Systems and Systems Programming Lecture 18 Systems October 30 th, 2017 Prof. Anthony D. Joseph http://cs162.eecs.berkeley.edu Recall: How do we Hide I/O Latency? Blocking Interface: Wait
More informationI run a Linux server, so we re secure
Silent Signal vsza@silentsignal.hu 18 September 2010 Linux from a security viewpoint we re talking about the kernel, not GNU/Linux distributions Linux from a security viewpoint we re talking about the
More informationVirtual Machine Security
Virtual Machine Security CSE443 - Spring 2012 Introduction to Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12/ 1 Operating System Quandary Q: What is the primary goal
More informationMP3: VIRTUAL MEMORY PAGE FAULT MEASUREMENT
MP3: VIRTUAL MEMORY PAGE FAULT MEASUREMENT University of Illinois at Urbana-Champaign Department of Computer Science CS423 Fall 2011 Keun Soo Yim GOAL A Linux kernel module to profile VM system events
More informationIA32 Intel 32-bit Architecture
1 2 IA32 Intel 32-bit Architecture Intel 32-bit Architecture (IA32) 32-bit machine CISC: 32-bit internal and external data bus 32-bit external address bus 8086 general registers extended to 32 bit width
More informationReturn-Oriented Rootkits
Return-Oriented Rootkits Ralf Hund Troopers March 10, 2010 What is Return-Oriented Programming? New emerging attack technique, pretty hyped topic Gained awareness in 2007 in Hovav Shacham s paper The Geometry
More informationOS COMPONENTS OVERVIEW OF UNIX FILE I/O. CS124 Operating Systems Fall , Lecture 2
OS COMPONENTS OVERVIEW OF UNIX FILE I/O CS124 Operating Systems Fall 2017-2018, Lecture 2 2 Operating System Components (1) Common components of operating systems: Users: Want to solve problems by using
More information