July 14, EPITA Systems/Security Laboratory (LSE) Code sandboxing. Alpha Abdoulaye - Pierre Marsais. Introduction. Solutions.

Similar documents
Outline. Outline. Common Linux tools to explore object/executable files. Revealing Internals of Loader. Zhiqiang Lin

secubt Hacking the Hackers with User Space Virtualization

My memcheck. Version 1 7 December Epita systems/security laboratory 2017

Runtime Process Insemination

The Process Model (1)

Lecture 4: Mechanism of process execution. Mythili Vutukuru IIT Bombay

Fixing/Making Holes in Binaries

My ld.so. Version 1 5 December Epita systems/security laboratory 2018

Debugging for production systems

Process Address Spaces and Binary Formats

Security Workshop HTS. LSE Team. February 3rd, 2016 EPITA / 40

Lecture 4 Processes. Dynamic Analysis. GDB

Romain Thomas - Static instrumentation based on executable file formats

ISOLATION DEFENSES GRAD SEC OCT

CS5460/6460: Operating Systems. Lecture 21: Shared libraries. Anton Burtsev March, 2014

L41 - Lecture 3: The Process Model (1)

CNIT 127: Exploit Development. Ch 3: Shellcode. Updated

The Performance of µ-kernel-based Systems

Lecture Notes for 04/04/06: UNTRUSTED CODE Fatima Zarinni.

Lec 22: Interrupts. Kavita Bala CS 3410, Fall 2008 Computer Science Cornell University. Announcements

executable-only-memory-switch (XOM-Switch)

Protecting Against Unexpected System Calls

CNIT 127: Exploit Development. Ch 14: Protection Mechanisms. Updated

Process Address Spaces and Binary Formats

Play with FILE Structure Yet Another Binary Exploitation Technique. Abstract

Sandboxing. CS-576 Systems Security Instructor: Georgios Portokalidis Spring 2018

Influential OS Research Security. Michael Raitza

Practical and Efficient Exploit Mitigation for Embedded Devices

Prelinker Usage for MIPS Cores CELF Jamboree #11 Tokyo, Japan, Oct 27, 2006

CS 5460/6460 Operating Systems

System Call. Preview. System Call. System Call. System Call 9/7/2018

Operating System Security

CS 326: Operating Systems. Process Execution. Lecture 5

Exception Namespaces C Interoperability Templates. More C++ David Chisnall. March 17, 2011

Real-World Buffer Overflow Protection in User & Kernel Space

Confinement (Running Untrusted Programs)

Virtual Machines. Part 2: starting 19 years ago. Operating Systems In Depth IX 1 Copyright 2018 Thomas W. Doeppner. All rights reserved.

Hardware, Modularity, and Virtualization CS 111

Advanced Systems Security: Program Diversity

Secure Containers with EPT Isolation

COMPUTER ARCHITECTURE. Virtualization and Memory Hierarchy

Using Hardware-Assisted Virtualization to Protect Application Address Space Inside Untrusted Environment

Hacking Blind BROP. Presented by: Brooke Stinnett. Article written by: Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazie`res, Dan Boneh

ECE 471 Embedded Systems Lecture 22

Virtual machines are an interesting extension of the virtual-memory concept: not only do we give processes the illusion that they have all of memory

Distribution Kernel Security Hardening with ftrace

Making Address Spaces Smaller

DISTRIBUTED SYSTEMS Principles and Paradigms Second Edition ANDREW S. TANENBAUM MAARTEN VAN STEEN. Chapter 3 Processes

Container Isolation at Scale (... and introducing gvisor) Dawn Chen and Zhengyu He

Live Patching: The long road from Kernel to User Space. João Moreira Toolchain Engineer - SUSE Labs

Operating Systems CMPSC 473. Process Management January 29, Lecture 4 Instructor: Trent Jaeger

Last time: introduction. Networks and Operating Systems ( ) Chapter 2: Processes. This time. General OS structure. The kernel is a program!

ECS 153 Discussion Section. April 6, 2015

CS 550 Operating Systems Spring System Call

CSE506: Operating Systems CSE 506: Operating Systems

The Kernel Abstraction. Chapter 2 OSPP Part I

CSCE Operating Systems Interrupts, Exceptions, and Signals. Qiang Zeng, Ph.D. Fall 2018

Kernel Support for Paravirtualized Guest OS

Extensibility, Safety, and Performance in the Spin Operating System

Protection and System Calls. Otto J. Anshus

Protecting COTS Binaries from Disclosure-guided Code Reuse Attacks

16 Sharing Main Memory Segmentation and Paging

syscall_intercept A user space library for intercepting system calls Author Name, Company Krzysztof Czuryło, Intel

Sandboxing. (1) Motivation. (2) Sandboxing Approaches. (3) Chroot

Review: Hardware user/kernel boundary

Who Watches the Watcher? Detecting Hypervisor Introspection from Unprivileged Guests

SPIN Operating System

Hacking Blind. Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazières, Dan Boneh. Stanford University

Integrating Segmentation and Paging Protection for Safe, Efficient and Transparent Software Extensions

Introduction to SGX (Software Guard Extensions) and SGX Virtualization. Kai Huang, Jun Nakajima (Speaker) July 12, 2017

RoP Hooks.

Making things work as expected

Process Address Spaces and Binary Formats

Virtualization and memory hierarchy

Securing Untrusted Code

COSC 6385 Computer Architecture. Virtualizing Compute Resources

seccomp-nurse Nicolas Bareil ekoparty 2010 EADS CSC Innovation Works France seccomp-nurse: sandboxing environment

Dan Noé University of New Hampshire / VeloBit

Processes & Threads. Process Management. Managing Concurrency in Computer Systems. The Process. What s in a Process?

Return-orientated Programming

Flatpak a technical walk-through. Alexander Larsson, Red Hat

Security Architecture

A recompilation and instrumentation-free monitoring architecture for detecting heap memory errors and exploits

Dune: Safe User- level Access to Privileged CPU Features

CS261 Scribe Notes: Secure Computation 1

LibSysCTr(3) System Call Tracing Library LibSysCTr(3)

Advances in Linux process forensics with ECFS

Namespaces and Capabilities Overview and Recent Developments

VEOS high level design. Revision 2.1 NEC

Reserves time on a paper sign-up sheet. Programmer runs his own program. Relays or vacuum tube hardware. Plug board or punch card input.

Implementing Secure Software Systems on ARMv8-M Microcontrollers

Project #1: Tracing, System Calls, and Processes

OS Agnostic Sandboxing Using Virtual CPUs

SCONE: Secure Linux Container Environments with Intel SGX

Address spaces and memory management

Distributed Systems Principles and Paradigms

Operating Systems CMPSCI 377 Spring Mark Corner University of Massachusetts Amherst

64 bit Bare Metal Programming on RPI-3. Tristan Gingold

Reducing Memory Usage at Shard Library Use on Embedded Devices

CSE 153 Design of Operating Systems Fall 18

Transcription:

EPITA Systems/Security Laboratory (LSE) July 14, 2017 1 / 34

2 / 34

What do we want? Limit usage of some resources such as system calls and shared object functions But not from the whole program (we trust our libc.so, ld.so,... ) 3 / 34

Needed when executing untrusted code on your machine. Allow or deny use of some resources Usually theses resources are accessed through syscalls We already have namespaces(7) and seccomp(2) 4 / 34

Are all needs fulfilled? There is no ready-to-use solution for: Function usage Library usage 5 / 34

Technical choices Aim for: Speed Reliability Security 6 / 34

7 / 34

Solving the problem Trap at each function call Check if the call is righteous Continue as if nothing happened 8 / 34

How a library function is called CODE: call my func@plt PLT: PLT[0]: push GOT[1] jmp *(GOT[2]) // resolver PLT[n]: // my func@plt jmp *(my func@got) push n jmp PLT[0] GOT: GOT[2]: resolver address my func@got: PLT[n] + 6 9 / 34

How a library function is called CODE: call my func@plt PLT: PLT[0]: push GOT[1] jmp *(GOT[2]) // resolver PLT[n]: // my func@plt jmp *(my func@got) push n jmp PLT[0] GOT: GOT[2]: resolver address my func@got: PLT[n] + 6 9 / 34

How a library function is called CODE: call my func@plt PLT: PLT[0]: push GOT[1] jmp *(GOT[2]) // resolver PLT[n]: // my func@plt jmp *(my func@got) push n jmp PLT[0] GOT: GOT[2]: resolver address my func@got: PLT[n] + 6 9 / 34

How a library function is called CODE: call my func@plt PLT: PLT[0]: push GOT[1] jmp *(GOT[2]) // resolver PLT[n]: // my func@plt jmp *(my func@got) push n jmp PLT[0] GOT: GOT[2]: resolver address my func@got: PLT[n] + 6 9 / 34

How a library function is called CODE: call my func@plt PLT: PLT[0]: push GOT[1] jmp *(GOT[2]) // resolver PLT[n]: // my func@plt jmp *(my func@got) push n jmp PLT[0] GOT: GOT[2]: resolver address my func@got: PLT[n] + 6 9 / 34

How a library function is called CODE: call my func@plt PLT: PLT[0]: push GOT[1] jmp *(GOT[2]) // resolver PLT[n]: // my func@plt jmp *(my func@got) push n jmp PLT[0] GOT: GOT[2]: resolver address my func@got: PLT[n] + 6 9 / 34

How a library function is called CODE: call my func@plt PLT: PLT[0]: push GOT[1] jmp *(GOT[2]) // resolver PLT[n]: // my func@plt jmp *(my func@got) push n jmp PLT[0] GOT: GOT[2]: resolver address my func@got: PLT[n] + 6 9 / 34

How a library function is called CODE: call my func@plt PLT: PLT[0]: push GOT[1] jmp *(GOT[2]) // resolver PLT[n]: // my func@plt jmp *(my func@got) push n jmp PLT[0] GOT: GOT[2]: resolver address my func@got: PLT[n] + 6 9 / 34

How a library function is called CODE: call my func@plt PLT: PLT[0]: push GOT[1] jmp *(GOT[2]) // resolver PLT[n]: // my func@plt jmp *(my func@got) push n jmp PLT[0] GOT: GOT[2]: resolver address my func@got: PLT[n] + 6 9 / 34

How a library function is called CODE: call my func@plt PLT: PLT[0]: push GOT[1] jmp *(GOT[2]) // resolver PLT[n]: // my func@plt jmp *(my func@got) push n jmp PLT[0] GOT: GOT[2]: resolver address my func@got: my func 9 / 34

How a library function is called CODE: call my func@plt PLT: PLT[0]: push GOT[1] jmp *(GOT[2]) // resolver PLT[n]: // my func@plt jmp *(my func@got) push n jmp PLT[0] GOT: GOT[2]: resolver address my func@got: my func 9 / 34

Bound CODE: call my func@plt PLT: GOT: PLT[n]: // my func@plt jmp *(my func@got) my func@got: my func 10 / 34

Bound CODE: call my func@plt PLT: GOT: PLT[n]: // my func@plt jmp *(my func@got) my func@got: my func 10 / 34

Bound CODE: call my func@plt PLT: GOT: PLT[n]: // my func@plt jmp *(my func@got) my func@got: my func 10 / 34

Bound CODE: call my func@plt PLT: GOT: PLT[n]: // my func@plt jmp *(my func@got) my func@got: my func 10 / 34

Bound CODE: call my func@plt PLT: GOT: PLT[n]: // my func@plt jmp *(my func@got) my func@got: my func 10 / 34

So? We have two solutions: Disallow GOT reads of the sandboxed ELF Disallow code execution of executable mapping Then handle the rights violation and check if the ressource access is allowed or not. 11 / 34

Solution analysis GOT protection can be bypassed. The correct solution would be unallowing execution of executable mappings. 12 / 34

13 / 34

Goal Can we solve our problem without privileged code? 14 / 34

What do we need? Change mapping rights Handle mapping violation 15 / 34

What can we use? ptrace(2) procfs(5) 16 / 34

Is this enough? No: How to change mapping permissions from the tracer? What about non-got data on GOT pages? What about multithreaded programs? 17 / 34

The first hack How to change mappings from the tracer? We can link an ELF to the sandboxed binary. We can use signal handlers in order to protect and unprotect the GOT. Use ELF constructors to setup everything. 18 / 34

The second hack How to handle non-got data on GOT pages? GOT doesn t necessarily start and end at pages boundaries We can force this, with a custom linker script All we need is to customize the default linker script to align the GOT and export its size 19 / 34

We want reasonable performances LD BIND NOW=1 Cache authorized GOT access 20 / 34

Limitations We can t allow a lot of stuff for the sandboxed application: We currently need to link an object to the sandboxed application mprotect can t be used to PROT READ the GOT SIGSEGV can t be handled Libraries addresses can be leaked 21 / 34

Problems Address space leaks /proc/self/* auxv some syscalls addresses on stack and structures Functions pointers in structures dlopen(3), dlsym(3)... 22 / 34

Shared object randomization Idea taken from OpenBSD If the user gets a libc address, and knows what libc is used, it can easily call any function The problem arise for any libs, but the libc is the more annoying for us We currently have a script to randomize the glibc Additional work needed for other libraries 23 / 34

24 / 34

We need to go deeper Extended Page Table Additional translation level Hardware assisted Solve multi-threading problem 25 / 34

Bareflank Lightweight Extendable C++ in Kernel Multi-platform 26 / 34

Track program behaviour ptrace(2) /proc/[pid]/maps /proc/[pid]/pagemap linkmap, symbols, etc. 27 / 34

Report and Handle vmcall to report to hypervisor Virtual Machine Control Structure VM State Global Configuration VM Exits Enable EPT violation Convert to Exception 28 / 34

Pull the strings Handle #VE Trap on protected code Protect executable and check Decide!!!! And so on... 29 / 34

Recap Tracee: deref Tracer: Wait SIGVE Kernel: Hypervisor: ept protect (pid, begin, end) #VE vmcall EPT 30 / 34

31 / 34

Further work Be sure that our solution is foolproof handle multithreaded programs Work on performance What about statically linked ELFs? ROP? 32 / 34

Questions Questions? 33 / 34

Contact alpha@lse.epita.fr - pierre.marsais@lse.epita.fr 34 / 34

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback