kguard: lightweight kernel protection against return-to-user attacks authors: vasileios p. kemerlis...
TRANSCRIPT
kGuard: Lightweight Kernel Protection against Return-to-User Attacks
Authors: Vasileios P. Kemerlis Georgios PortokalidisAngelos D. Keromytis
Presenter: Behnaz Hassanshahi
Problem Statement
• Kernel exploitation• Kernel-level memory corruption• Traditionally: Code injection – (Code Reuse)ROP• Recently: Run user land code (ret2user attacks)
Return to User Attacks
• The root problem stems from the weak separation of user and kernel spaces.– Shared process/kernel model for Performance
benefits– Kernel code can do anything in user land, so if it is
abused, attacker can force it to run the shell code in user space.
– Over-writing kernel-level control data(e.g., return addresses, jump tables, function pointers) with user space addresses.
Return to User Attacks
• Example: exploiting a NULL pointer dereference error to launch a ret2user attack
Vulnerable program
Return to User Attacks1. malicious process invokes “sendfile” system call
with offending arguments2. libc wrapper traps to the OS via “sysenter”3. system call handler of Linux
(sysenter_do_call()) is executed which resolves the kernel address of sys-sendfile
4. Privileged execution continues until sock_sendpage() is invoked
5. the value of sendpage pointer is NULL6. control is transferred to address 07. malicious process has mmapped page 0 and
dropped a function pointer of his own at address 0, the kernel will call that function pointer in kernel mode
Existing Defense Mechanisms
• CFI and Program Shepherding• PAX• Mmap_min_addr• Intel SMEP– Doesn`t prevent kernel from accessing user “data”
kGuard
• Inline monitoring and code diversification– Adding “Control Flow Assertions” at compile time
before every indirect control transfer• E.g., call, jmp and ret in x86• CFAR : compares the branch target with lower kernel
address 0xC00000 • CFAm :
– Branch target is within the kernel address space– Memory address where the branch target is loaded from is
also in kernel space
kGuard
• Example CFA guard
Bypassing kGuard
• Bypass trampolines1. Find two computed branch instructions whose operands can be reliably overwritten2. Overwrite the value (branch target) of the first with the address of the second3. Overwrite the value of the second with a user-space address4. Solution: Code inflation and CFA motion
Code Inflation
• Reshapes the Kernel text at at compile time
CFA Motion
Relocation of protected branches at boot time
Implementation
• The implementation consists of a plugin for GCC.
• At RTL level, after most of the important optimizations
Effectiveness on Privilege Escalation Attacks
Performance Evaluation
Performance Evaluation – latency overhead and code diversification
Conclusion and Discussion
• In near future all memory regions will be randomized
• Randomization of the address at which kernel is loaded
• Intel SMEP vs kGuard– Performance– Side channel attacks