Protection. Disclaimer: some slides are adopted from book authors slides with permission 1

Similar documents
Protection. Disclaimer: some slides are adopted from book authors slides with permission 1

Recap: Protection. Prevent unintended/unauthorized accesses. Class hierarchy: root can to everything a normal user can do + alpha

Heartbleed Attack Lab

Language-Based Protection

The Security Problem

CS 155: Real-World Security

CSE 127 Computer Security

CS 155: Real-World Security

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

CIS 5373 Systems Security

Meltdown or "Holy Crap: How did we do this to ourselves" Meltdown exploits side effects of out-of-order execution to read arbitrary kernelmemory

Spectre and Meltdown. Clifford Wolf q/talk

Computer Security. CS November, 2017

Buffer overflow background

Engineering Robust Server Software

Control Flow Hijacking Attacks. Prof. Dr. Michael Backes

Introduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras

Locking Down the Processor via the Rowhammer Attack

Introduction to Information Security Vulnerabilities

Introduction to OS Processes in Unix, Linux, and Windows MOS 2.1 Mahmoud El-Gayyar

Meltdown and Spectre - understanding and mitigating the threats (Part Deux)

Spectre, Meltdown, and the Impact of Security Vulnerabilities on your IT Environment. Orin Jeff Melnick

ISA564 SECURITY LAB. Code Injection Attacks

Meltdown and Spectre - understanding and mitigating the threats

CS140 Operating Systems Final December 12, 2007 OPEN BOOK, OPEN NOTES

Other array problems. Integer overflow. Outline. Integer overflow example. Signed and unsigned

Secure Programming Lecture 3: Memory Corruption I (Stack Overflows)

CMPSC 497 Buffer Overflow Vulnerabilities

Secure Software Development: Theory and Practice

Lecture 08 Control-flow Hijacking Defenses

Operating System Security

Basic Buffer Overflows

Program Security and Vulnerabilities Class 2

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated

(Early) Memory Corruption Attacks

Computer Security. 04r. Pre-exam 1 Concept Review. Paul Krzyzanowski. Rutgers University. Spring 2018

Practical Malware Analysis

Outline. Classic races: files in /tmp. Race conditions. TOCTTOU example. TOCTTOU gaps. Vulnerabilities in OS interaction

Embedded Systems Dr. Santanu Chaudhury Department of Electrical Engineering Indian Institute of Technology, Delhi

20: Exploits and Containment

Shreds: S H R E. Fine-grained Execution Units with Private Memory. Yaohui Chen, Sebassujeen Reymondjohnson, Zhichuang Sun, Long Lu D S

Process. Heechul Yun. Disclaimer: some slides are adopted from the book authors slides with permission

Protection and System Calls. Otto J. Anshus

Memory Management. Disclaimer: some slides are adopted from book authors slides with permission 1

Computer Architecture Background

Software Security: Buffer Overflow Attacks

Software Security: Buffer Overflow Defenses

CS 550 Operating Systems Spring Interrupt

Security and Privacy in Computer Systems. Lecture 5: Application Program Security

Buffer Overflow Vulnerability

By John Kuhn, Senior Threat Researcher

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

CSE 120 Principles of Operating Systems

ECS 153 Discussion Section. April 6, 2015

Buffer. This time. Security. overflows. Software. By investigating. We will begin. our 1st section: History. Memory layouts

Rowhammer.js: A Remote Software- Induced Fault Attack in Javascript

Memory Corruption 101 From Primitives to Exploit

Software Security: Buffer Overflow Attacks (continued)

Memory Management. Disclaimer: some slides are adopted from book authors slides with permission 1

Roadmap: Security in the software lifecycle. Memory corruption vulnerabilities

Operating Systems Design Exam 3 Review: Spring Paul Krzyzanowski

CS 326 Operating Systems C Programming. Greg Benson Department of Computer Science University of San Francisco

Micro-architectural Attacks. Chester Rebeiro IIT Madras

We will focus on Buffer overflow attacks SQL injections. See book for other examples

Rapid Detection of RowHammer Attacks using Dynamic Skewed Hash Tree

The Kernel Abstraction. Chapter 2 OSPP Part I

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 2

Fundamentals of Computer Security

Chapter 15: Security. Operating System Concepts 8 th Edition,

Lecture 19: Virtual Memory: Concepts

Buffer Overflow Attack (AskCypert CLaaS)

Memory Management. Disclaimer: some slides are adopted from book authors slides with permission 1

CSE 565 Computer Security Fall 2018

Carnegie Mellon. 16 th Lecture, Mar. 20, Instructors: Todd C. Mowry & Anthony Rowe

Hardware Enclave Attacks CS261

Protection and Security. Sarah Diesburg Operating Systems CS 3430

TCSS 422: OPERATING SYSTEMS

White Paper. How the Meltdown and Spectre bugs work and what you can do to prevent a performance plummet. Contents

buffer overflow exploitation

ECEN 449 Microprocessor System Design. Hardware-Software Communication. Texas A&M University

Hardware OS & OS- Application interface

ECE 471 Embedded Systems Lecture 22

Protection. Thierry Sans

COS 318: Operating Systems. File Systems. Topics. Evolved Data Center Storage Hierarchy. Traditional Data Center Storage Hierarchy

Secure Coding in C and C++

Sample slides and handout

Operating Systems. Introduction & Overview. Outline for today s lecture. Administrivia. ITS 225: Operating Systems. Lecture 1

Data Security and Privacy. Unix Discretionary Access Control

Processes. Johan Montelius KTH

Machine-Level Programming V: Unions and Memory layout

0x1A Great Papers in Computer Security

Operating Systems. Week 13 Recitation: Exam 3 Preview Review of Exam 3, Spring Paul Krzyzanowski. Rutgers University.

Buffer Overflows. Buffers. Administrative. COMP 435 Fall 2017 Prof. Cynthia Sturton. Buffers

Buffer overflows (a security interlude) Address space layout the stack discipline + C's lack of bounds-checking HUGE PROBLEM

CS 416: Operating Systems Design April 22, 2015

Intel Analysis of Speculative Execution Side Channels

DRAM Disturbance Errors

Process. Heechul Yun. Disclaimer: some slides are adopted from the book authors slides with permission 1

A process. the stack

CS 322 Operating Systems Practice Midterm Questions

Transcription:

Protection Disclaimer: some slides are adopted from book authors slides with permission 1

Today Protection Security 2

Examples of OS Protection Memory protection Between user processes Between user and kernel File protection Prevent unauthorized accesses to files 3

Principles of Protection Principle of least privilege Programs and users should be given just enough privileges to perform their tasks Limit the damage if the entity has a bug or abused 4

Protection Domains Let D i and D j be any two domain rings If j < I D i D j Kernel mode vs. user mode Most privileged Least privileged 5

Access Control Matrix Domains in rows Domain: a user or a group of users Resources in columns File, device, E.g., User D1 can read F1 or F3 6

Method 1: Access Control List Each object stores users and their permissions -rw-rw-r-- heechul heechul 38077 Apr 23 15:16 main.tex owner group world 7

Method 2: Capability List Each domain tracks which objects can access Page table: each process (domain) tracks all pages (objects) it can access 8

Protection Summary Prevent unintended/unauthorized accesses Protection domains Class hierarchy: root can to everything a normal user can do + alpha Access control matrix Domains (Users) Resources (Objects) Resource oriented: Access control list Domain oriented: Capability list 9

Security 10

Today Security basics Stack overflow Some recent security bugs 11

Security System secure if resources used and accessed as intended under all circumstances Unachievable Intruders (crackers) attempt to breach security Threat is potential security violation Attack is attempt to breach security 12

Threats: Software Stack and Buffer Overflow Exploits a bug in a program (overflow either the stack or memory buffers) Failure to check bounds on inputs, arguments Write past arguments on the stack into the return address on stack When routine returns from call, returns to hacked address Pointed to code loaded onto stack that executes malicious code Unauthorized user or privilege escalation 13

Stack Frame Layout Stack pointer 14

Code with Buffer Overflow #define BUFFER_SIZE 256 int process_args(char *arg1) { char buffer[buffer SIZE]; strcpy(buffer,arg1);... } int main(int argc, char *argv[]) { process_args(argv[1]);... } What is wrong in this code? 15

Code with Buffer Overflow #define BUFFER_SIZE 256 int process_args(char *arg1) { char buffer[buffer SIZE]; strcpy(buffer,arg1);... } int main(int argc, char *argv[]) { process_args(argv[1]);... } arg1 Stack layout after calling process_arg() 16

Code with Buffer Overflow #define BUFFER_SIZE 256 int process_args(char *arg1) { char buffer[buffer SIZE]; strcpy(buffer,arg1);... } int main(int argc, char *argv[]) { process_args(argv[1]);... } arg1 Do you remember strcpy() in C? 17

Let s Get the Shell Steps Compile the code you want to illegitimately execute Carefully modify the binary Pass the modified binary as string to the process_arg() #include <stdio.h> int main(int argc, char *argv[]) { execvp( /bin/sh, /bin/sh, NULL); return 0; } 18

The Attack: Buffer Overflow Before After executing strcpy(buffer, arg1) the crafted string containing the illegitimate code 19

Linux Kernel Buffer Overflow Bugs 212 reported buffer overflow bugs in Linux Source: http://www.cvedetails.com/vulnerability-list/vendor_id-33/product_id- 47/cvssscoremin-9/cvssscoremax-/Linux-Linux-Kernel.html 20

Linux Kernel Buffer Overflow Bugs 21

Slide from Dr. Vitaly Shmatikov (Cornell) 22

Slide from Dr. Vitaly Shmatikov (Cornell) 23

Slide from Dr. Vitaly Shmatikov (Cornell) 24

Slide from Dr. Vitaly Shmatikov (Cornell) 25

Goto Fail Bug ios 7.0.6 Data Security Available for: iphone 4 and later, ipod touch (5th generation), ipad 2 and later Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps. 26

Goto Fail Bug err = 0... hashout.data = hashes + SSL_MD5_DIGEST_LEN; hashout.length = SSL_SHA1_DIGEST_LEN; if ((err = SSLFreeBuffer(&hashCtx))!= 0) goto fail; if ((err = ReadyHash(&SSLHashSHA1, &hashctx))!= 0) goto fail; if ((err = SSLHashSHA1.update(&hashCtx, &clientrandom))!= 0) goto fail; if ((err = SSLHashSHA1.update(&hashCtx, &serverrandom))!= 0) goto fail; if ((err = SSLHashSHA1.update(&hashCtx, &signedparams))!= 0) goto fail; goto fail; MISTAKE! THIS LINE SHOULD NOT BE HERE if ((err = SSLHashSHA1.final(&hashCtx, &hashout))!= 0) goto fail; err = sslrawverify(...); // This code must be executed... fail: SSLFreeBuffer(&signedHashes); SSLFreeBuffer(&hashCtx); Return err; 27

Synopsis Heartbleed Bug Due to a bug in OpenSSL (popular s/w for encrypted communication), web server s internal memory can be dumped remotely 28

Heartbleed Bug Image source: xkcd.com 29

Heartbleed Bug Image source: xkcd.com 30

Heartbleed Bug struct { HeartbeatMessageType type; uint16 payload_length; opaque payload[heartbeatmessage.payload_length]; opaque padding[padding_length]; } HeartbeatMessage Heartbeat req. message Heartbeat Response function int tls1_process_heartbeat(ssl *s) {... /* Read type and payload length first */ hbtype = *p++; n2s(p, payload); // payload = recv_packet.payload_length pl = p;... if (hbtype == TLS1_HB_REQUEST) {... buffer = OPENSSL_malloc(1 + 2 + payload + padding); bp = buffer; memcpy(bp, pl, payload); r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);... 31

Synopsis Shellshock Bug You can remotely execute arbitrary programs on a server running a web server by simply sending a specially crafted http request. Example curl -H "User-Agent: () { :; }; /bin/eject" http://example.com/ The problem Fail to check the validity of a function definition before executing it For detailed explanation: security.stackexchange.com 32

Threats: Hardware Disturbance errors in DRAM (*) a.k.a. Row Hammer Bug Repeated opening/closing a DRAM row can cause bit flips in adjacent rows. In more than 80% DRAM modules between 2010-2013 Google demonstrated successful hacking method utilizing the bug (**) manipulate page tables at the user-level (*) Yoongu Kim et al, Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors, ISCA 14 (**) Google Project Zero. Exploiting the DRAM rowhammer bug to gain kernel privileges, 2015 33

DRAM Chip Row of Cells Row Victim Row Row Aggressor Opened Closed Row Row Victim Row Row Wordline V LOW HIGH Repeatedly opening and closing a row induces disturbance errors in adjacent rows This slide is from the Dr. Yoongu Kim s ISCA 2014 presentation 34

Drammer Successful exploit to gain root privilege of Android smartphones Exploit row hammer bugs on mobile DRAM Use Android s special memory allocation feature Alter page table entries (privileged) by hammering nearby memory blocks (non-privileged) [Demo] https://www.vusec.net/projects/drammer/ 35

What is it? Meltdown An attack that exploits Intel CPU s flaw that allows any user-level process to read the content of the kernelonly accessible memory---usually the entire dram What s the impact? An attacker can dump the entire memory, including password and other confidential information Which CPUs are affected? Almost all Intel CPUs that do Out-of-Order Execution to improve performance 36

Virtual Memory Abstraction A large (e.g., 4GB) linear address space for each process Reality A limited (e.g., 1GB) amount of actual physical memory shared with many other processes How? 37

Properties of Virtual Memory Memory isolation among different processes E.g., Process A cannot see process B s memory (vice versa.) What about memory isolation between kernel and user? Q1. how does kernel map its own private memory? Q2. how to prevent user processes from accessing the kernel mapped memory? 38

Kernel/User Virtual Memory 0xFFFFFFFF 0xC0000000 Kernel Kernel memory Kernel code, data Identical to all address spaces Fixed 1-1 mapping of physical memory 0x00000000 User User memory Process code, data, heap, stack,... Unique to each address space On-demand mapping (page fault) 39

Kernel/User Virtual Memory 0xFFFFFFFF 0xC0000000 0x00000000 Kernel User Every user-process has mappings to kernel memory But the kernel memory is only accessible at the kernel mode when you execute system calls or interrupt handlers. Benefits of this design: Performance Kernel can move data between user memory and kernel memory easily w/o changing the address space. 40

ARM Page Table 41

Kernel/User Virtual Memory 0xFFFFFFFF 0xC0000000 Kernel User Meltdown tricks the CPU so that the user can access its kernel memory How? By exploiting weaknesses in Intel s outof-order execution engine 0x00000000 42

Out-of-Order Execution Background A cache-miss can take ~100 cycles Idling CPU while waiting data from memory is bad Out-of-order execution A technique to minimize data waiting time by executing future instructions Introduced in 1967 (Tomasulo algorithm) Most (all) high-performance CPUs use OoOE Intel, AMD, ARM,. 43

Out-of-Order Execution Instructions are fetched into a queue Any instructions whose data (operands) are ready are executed out-of-order (subject to data dependency) Results are retired in-order. 44

Speculative Execution If (condition) { Do something A1 Do something A2 Do something A3 } else { Do something B1 Do something B2 Do something B3 } Guess which branch to take. Speculatively execute instructions in the likely branch. If guessed wrong, squash the results But the side-effect (cache state change) remain 45

Meltdown This is it. 46

Meltdown Step 1: load an attacker chosen kernel address into a register. This would raise an exception but it may take some time. 47

Meltdown Step 2: access memory based on the secret content of the rax register. This access will be in the cache. 48

Meltdown Step 3: measure the access timing of the probe array (one per page) to determine which is in the cache. Which in turn tell what was the content of the kernel address [rcx] 49

Process address space Meltdown Kernel Physical Memory User Entire physical memory is 1-to-1 mapped into part of kernel memory. So, you can dump it. 50

System security Increasingly important Summary Bank accounts (money theft) Cars (remote control of steering, breaking of Jeep cars) Airplanes (remote control of drones) Understand threats in both software and hardware Exploiting the threats often require deep understanding in OS 51

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback