Defeating Return-Oriented Rootkits with Return-less Kernels

Similar documents
Return-orientated Programming

HyperSafe: A Lightweight Approach to Provide Lifetime Hypervisor Control-Flow Integrity

Return-Oriented Rootkits

Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms

Multi-Aspect Profiling of Kernel Rootkit Behavior

kguard++: Improving the Performance of kguard with Low-latency Code Inflation

The Geometry of Innocent Flesh on the Bone

Robust Shell Code Return Oriented Programming and HeapSpray. Zhiqiang Lin

Outline. Memory Exploit

Selected background on ARM registers, stack layout, and calling convention

Practical Malware Analysis

Mitigating Code-Reuse Attacks with. Tyler Bletsch, Xuxian Jiang, Vince Freeh Dec. 9, 2011

Remix: On-demand Live Randomization

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Control-flow Enforcement Technology H.J. Lu. Intel November, 2018

Program Exploitation Intro

CS412/CS413. Introduction to Compilers Tim Teitelbaum. Lecture 21: Generating Pentium Code 10 March 08

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Shuffler: Fast and Deployable Continuous Code Re-Randomization

Lecture 10 Return-oriented programming. Stephen Checkoway University of Illinois at Chicago Based on slides by Bailey, Brumley, and Miller

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated

CSC 591 Systems Attacks and Defenses Return-into-libc & ROP

Module: Advanced Program Vulnerabilities and Defenses. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Stephen Checkoway, Lucas Davi, Alexandra Dmitrienko, Ahmad-Reza Sadeghi, Hovav Shacham, Marcel Winandy. ACM CCS 2010, Chicago, USA

String Oriented Programming Exploring Format String Attacks. Mathias Payer

W4118: PC Hardware and x86. Junfeng Yang

18-600: Recitation #4 Exploits

Inject malicious code Call any library functions Modify the original code

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

Jump-Oriented Programming: A New Class of Code-Reuse Attack

Recitation: Attack Lab

Runtime attacks are major threats to today's applications Control-flow of an application is compromised at runtime Typically, runtime attacks include

Function Call Convention

Architecture-level Security Vulnerabilities

EECE.3170: Microprocessor Systems Design I Summer 2017 Homework 4 Solution

CSE 127: Computer Security Control Flow Hijacking. Kirill Levchenko

What Cannot be Read, Cannot be Leveraged?

Control Flow Integrity for COTS Binaries Report

PRESENTED BY: SANTOSH SANGUMANI & SHARAN NARANG

Spectre Returns! Speculation Attacks Using Return Stack Buffer

Functions. Ray Seyfarth. August 4, Bit Intel Assembly Language c 2011 Ray Seyfarth

Advanced Security for Systems Engineering VO 05: Advanced Attacks on Applications 2

Outline. x86 Architecture

Buffer Overflow Attack (AskCypert CLaaS)

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES

How Software Executes

Lecture 3 CIS 341: COMPILERS

Return Oriented Programming

Introduction to Reverse Engineering. Alan Padilla, Ricardo Alanis, Stephen Ballenger, Luke Castro, Jake Rawlins

Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI)

CSE 127: Computer Security. Memory Integrity. Kirill Levchenko

CSE 351 Midterm - Winter 2017

Lecture 4 CIS 341: COMPILERS

CS 2150 Exam 2, Spring 2018 Page 1 of 6 UVa userid:

Q: Exploit Hardening Made Easy

Advanced Buffer Overflow

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

On The Effectiveness of Address-Space Randomization. H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh Stanford University CCS 2004

CSE 351 Midterm - Winter 2015

Architecture-level Security Vulnerabilities. Julian Stecklina

CSE 127 Computer Security

Lecture Embedded System Security A. R. Darmstadt, Runtime Attacks

CSE 509: Computer Security

Securing Untrusted Code

Reverse Engineering Low Level Software. CS5375 Software Reverse Engineering Dr. Jaime C. Acosta

T Jarkko Turkulainen, F-Secure Corporation

Security and Privacy in Computer Systems. Lecture 5: Application Program Security

CSE 351 Midterm - Winter 2015 Solutions

Software Security: Buffer Overflow Attacks

%r8 %r8d. %r9 %r9d. %r10 %r10d. %r11 %r11d. %r12 %r12d. %r13 %r13d. %r14 %r14d %rbp. %r15 %r15d. Sean Barker

18-600: Recitation #4 Exploits (Attack Lab)

SOEN228, Winter Revision 1.2 Date: October 25,

Virtual Machine Introspection Bhushan Jain

CS 261 Fall Machine and Assembly Code. Data Movement and Arithmetic. Mike Lam, Professor

C to Assembly SPEED LIMIT LECTURE Performance Engineering of Software Systems. I-Ting Angelina Lee. September 13, 2012

Just-in-Time Code Reuse

CSE351 Autumn 2012 Midterm Exam (5 Nov 2012)

Software Security: Buffer Overflow Defenses

Lucas Davi University of Duisburg-Essen, Germany ICRI-SC Associated Researcher

Advanced Buffer Overflow

Smashing the Gadgets: Hindering Return-Oriented Programming Using In-Place Code Randomization

CPS104 Recitation: Assembly Programming

Countermeasures in Modern Operating Systems. Yves Younan, Vulnerability Research Team (VRT)

Smashing the Buffer. Miroslav Štampar

Lecture 2 Assembly Language

kr^x Comprehensive Kernel Protection against Just-In-Time Code Reuse

Subverting the Linux Kernel Linux Kernel Rootkits 101

Advanced Systems Security: Control-Flow Integrity

CS24: INTRODUCTION TO COMPUTING SYSTEMS. Spring 2018 Lecture 4

Exploits and gdb. Tutorial 5

Computer Systems Lecture 9

Procedure Calls. Young W. Lim Sat. Young W. Lim Procedure Calls Sat 1 / 27

How Software Executes

Procedure Calls. Young W. Lim Mon. Young W. Lim Procedure Calls Mon 1 / 29

4. Jump to *RA 4. StackGuard 5. Execute code 5. Instruction Set Randomization 6. Make system call 6. System call Randomization

1358 IEEE TRANSACTIONS ON COMPUTER-AIDED DESIGN OF INTEGRATED CIRCUITS AND SYSTEMS, VOL. 37, NO. 7, JULY 2018

Virtual Machine Tutorial

CSC 2400: Computer Systems. Towards the Hardware: Machine-Level Representation of Programs

Systems Architecture I

Transcription:

5 th ACM SIGOPS EuroSys Conference, Paris, France April 15 th, 2010 Defeating Return-Oriented Rootkits with Return-less Kernels Jinku Li, Zhi Wang, Xuxian Jiang, Mike Grace, Sina Bahram Department of Computer Science North Carolina State University

Outline 1. Motivation 2. Background: Return-Oriented Programming 3. Our Approach 4. Implementation & Evaluation 5. Conclusions

Motivation: Rootkit Threats Number Of New Rootkits 79% 639 116% 1381 2471 2006 2007 2008 Jan-Jun Source: Kaspersky Security Bulletin Malware evolution 2007 2008

Kernel Rootkits Rootkit goals: Maintain undetectable presence Keep privileges, hide malicious activities, etc. Need to execute code at kernel privilege

Rootkit Examples adore-ng Linux 2.4/2.6 Kernel module Adds custom functions Hooks VFS SucKIT Linux 2.4 /dev/kmem Adds custom functions Hooks system calls

Existing Defenses Attestation: Is the code to be executed expected? e.g., driver signing Kernel Code Integrity (W X): Make kernel code read-only and kernel data non-executable SecVisor [Seshadri et al., SOSP 2007], NICKLE [Riley et al., RAID 2008] Control Flow Integrity (CFI): Detect unexpected execution paths SBCFI [Petroni et al., CCS 2007]

Arms Race 1. W X prevents injected code from executing 2. Return-to-libc defeats W X by returning to an existing function e.g., system (char *command) 3. Return-Oriented Programming (ROP) generalizes return-to-libc by misusing legitimate code fragments or gadgets [Shacham et al., CCS 07], [Buchanan et al., CCS 08], [Hund et al., USENIX Sec 09] 4. Our technique de-generalizes ROP back to return-to-libc

Return-Oriented Programming Gadget A sequence of instructions ending with a ret to complete an operation Stack A manipulated stack to chain gadgets together New Instruction Pointer (IP)

Return-Oriented Programming Turing-complete: allowing for performing arbitrary computation based on gadgets [Shacham et al., CCS 07], [Buchanan et al., CCS 08], [Hund et al., USENIX Sec 09] Return-to-libc attacks are not Turing-complete Example gadgets Load/store, arithmetic, logic, control flow, system calls,

Our Defense Against ROP Observation: Each gadget ends with a ret Can we build a kernel without using ret?

Finding ret FreeBSD 8.0/x86-amd64: 8,329 ret instr. / 675,763 total instr. = 1/81 Additional challenge in x86: variable-length instructions +10,001 additional ret opcodes 18,330 ret opcodes / 675,763 total instr. = 1/37

Finding ret Example: AcpiUtDeleteRwLock (FreeBSD 8.0/x86-amd64 function) 48 8b 3b mov (%rbx), %rdi e8 c3 e0 00 00 callq <AcpiOsDeleteMutex> 3b e8 c3 cmp %eax, %ebp retq

Our Defense Against ROP Can we build a kernel without return opcodes?

Our Approach return opcode (18,330) instruction opcodes (8,337) instruction operands (9,993) return instructions (8,329) non-return instructions (8) immediate operands (2,923) register operands Return Indirection Peephole Optimization Register Allocation (7,070)

Return Indirection: Removing return instructions Naïve approach: ret pop + jmp This still can be used to make gadgets! Our approach: return address return index call dst push $index; jmp dst ret pop %reg; jmp *RetAddrTable(%reg) arguments: return address previous frame pointer local variables: arguments: return index previous frame pointer local variables: return address

Return Indirection: Removing return instructions Return indirection de-generalizes ROP back to return-to-libc Additional control-flow integrity checks can be enforced to defeat return-to-libc e.g., function type-based validation

Register Allocation Adjust register operands when being allocated to avoid introducing ret opcodes Example: 48 89 c3 mov %rax, %rbx (rbx introduces ret opcode) 49 89 c5 mov %rax, %r13 (replace rbx with r13)

Peephole Optimization Non-return instructions 0f c3 movnti mem32, reg32 Immediate operands cmp $0xc3, %ecx 89 mov mem32/64, reg32/64 mov $0xc4, %reg dec %reg cmp %reg, %ecx Relative offset e9 c3 00 00 00 jmpq 0xffffffff801a4fc9 e9 c4 00 00 00 90 jmpq 0xffffffff801a4fca nop

Implementation & Evaluation Our prototype, based on LLVM, is used to compile a FreeBSD 8.0 kernel FreeBSD OS image file size increased by 9.4% 4,370,704 bytes 4, 782,952 bytes Instruction count increased by 10.9% 675,763 749,227 No return opcodes!

Implementation & Evaluation LMbench microbenchmark

Limitations Kernel source code access Return-oriented attacks return-to-libc Jump-oriented programming?

Related Work Return-Oriented Rootkit Detection e.g DROP [Chen et al., ICISS 09], DynIMA [Davi et al., STC 09] Kernel Rootkit Prevention e.g SecVisor [Seshadri et al., SOSP 07], Lares [Payne et al., Oakland 08], NICKLE [Riley et al., RAID 08]

Conclusions Compiler-based approach to defeat ROP Return indirection Peephole optimization Register allocation Result: Return-less Kernel No ret opcode no return-oriented gadgets

Thank you!

Return Opcodes x86 has four ret opcodes c2, c3, ca, cb All handled

CFI vs. Return-less Kernels Major CFI approaches: Control transfer instruction instrumentation Data Flow Integrity Memory-safe programming languages Software bounds checking Challenging to apply in kernel space Return-less approach complements CFI

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback