Efficient protection of kernel data structures via object partitioning
Download
1 / 22

Efficient Protection of Kernel Data Structures via Object Partitioning - PowerPoint PPT Presentation


  • 101 Views
  • Uploaded on

Efficient Protection of Kernel Data Structures via Object Partitioning. Abhinav Srivastava , Jonathon Giffin AT&T Labs-Research, HP Fortify ACSAC 2012. Outline. Introduction Related Work Sentry System Implementation Evaluation Conclusion. Introduction.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Efficient Protection of Kernel Data Structures via Object Partitioning' - zeroun


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Efficient protection of kernel data structures via object partitioning

Efficient Protection of Kernel Data Structures via Object Partitioning

AbhinavSrivastava, Jonathon Giffin

AT&T Labs-Research, HP Fortify

ACSAC 2012


Outline
Outline Partitioning

  • Introduction

  • Related Work

  • Sentry System

  • Implementation

  • Evaluation

  • Conclusion


Introduction
Introduction Partitioning

  • Kernel-level malicious malware often uses DKOM(Direct Kernel Object Manipulation) to hide the process from the kernel’s process accounting list.

  • They may also escalate a process’ privileges by overwriting the process’ credentials with those for a root or administrative user

  • We present a system called Sentry that creates access control protections for security-critical kernel data.


Related work
Related Work Partitioning

  • Petroni et al. detect process which reachable in scheduler but not in process accounting list.

    • Cannot detect the list of loaded kernel modules, which do not offer multiple views.

  • XFI and BGI guarded write instructions subject to access control policy constraints.

    • Require all kernel drivers and modules to use this system

    • Low performance.


Sentry system
Sentry System Partitioning

  • Page-level Granularity: use hardware’s page read/write protection to enforce access control policy

  • Partitioning: to separate kernel data structure into regionswhich have different access control policies

  • Based on VM: to get full control to hardware page-fault handling and management


Sentry system1
Sentry System Partitioning


Page level granularity
Page-level Granularity Partitioning

  • Old methods

    • Applying policy checking is to check all possible write operation to kernel data Slow performance

    • Protecting a single security-critical member requires whole page to be protected Low memory utility

  • Sentry use structure partitioning and page write protection to apply access control policies


Page level granularity cont
Page-level PartitioningGranularity (Cont.)

  • How page write protection protect the data?

  • Simply using the write flag in page data structure

  • If someone tries to write to a protected page, a page fault happen, and a function sh_page_fault in XEN hypervisor is called to handle this event

  • Sentry changes the handling function to add a policy check:

    • If write is valid, then ignore this page fault and perform write operation

    • If write is invalid, then the write operation is denied


Partitioning
Partitioning Partitioning

  • Structures such as task_structand modulecontains a mix of security-critical and not-critical fields

  • Structure Division

  • Structure Alignment


Partitioning structure division
Partitioning - PartitioningStructure Division

  • Split original Objby creating a new data structure insecure_Objcontaining non-critical fields

structtask_struct

structtask_struct

uid_tuid, euid, suid

uid_tuid, euid, suid

gid_tgid, egid, sgid

gid_tgid, egid, sgid

u64 acct_rss_mem1

structlist_head tasks

u64 acct_vm_mem1

char comm[16]

structlist_head tasks

insecure_task_struct *insecure

void *journal_info

structinsecure_task_struct

unsigned long personality

unsigned long personality

structaudit_context *audit_context

structaudit_context *audit_context

char comm[16]

void *journal_info

u64 acct_rss_mem1

...

u64 acct_vm_mem1


Partitioning structure alignment
Partitioning - PartitioningStructure Alignment

  • Add a buffer to original Obj to separate security-critical members and non-critical members away

  • This can be done by using compiler options to insert or remove the alignment buffer

Page Size

struct module

struct module

enummodule_state state

enummodule_state state

structlist_head list

structlist_head list

char name[MODULE_NAME_LEN]

char buffer[BIG_SPACE]

const char *version

const char *srcversion

char name[MODULE_NAME_LEN]

...

const char *version

const char *srcversion

...


Policy
Policy Partitioning

A valid write operation can be performed by:

  • Trusted core kernel, such as core kernel code from symbol _text to _etext, kernel boot code from symbol __init_beginto __init_end

  • Trusted Upgraders: Alteration reachable from most exported kernel functions, such as API provided by the Kernel


Page creation registration
Page Creation & Registration Partitioning

  • When creating a new instance of protected structure, Objand insecure_Objare put into a page frame separately, and add page write protection on the page containing Obj

  • The page frame number(PFN) then send to Sentry system using VMCALL, a method to pass data to hypervisor, to tell which page frame needs mediation


Implementation
Implementation Partitioning

  • Use Linux 2.6 and Xen hypervisor

  • Change task_structand modulestructure using division and alignment respectively

  • Change Linux source code where use those structures into correct variable

    • current->journal_infocurrent->insecure->journal_info

    • Alter 0.036%(2536/7041452) SLOC(Source Line of Code) in Linux 2.6

    • This can be done by source-to-source transformation techniques, such as provided by CIL


Implementation cont
Implementation (Cont.) Partitioning

  • Structure Division

    • Apply on task_struct structure only

    • Categorized 28 of 122 members as critical

    • Change structure creation function kmem_cache_allocinto get_free_pagesand kmalloc

  • Structure Alignment

    • Apply on modulestructure only

    • Categorized 2 of 29 members as critical

    • Only a recompilation of the kernel


Implementation cont1
Implementation (Cont.) Partitioning

  • APIs to communicate to hypervisor

    • addPFNtoDB, removePFNfromDB, checkPFNinDB

  • Modify __sh_propagateto make a shadow of memory of guest operating system for monitor

  • Sentry check write operation’s vaildityby the eipregister when sh_page_faultis called, and traverse the stack frame using ebpto get full call trace


Evaluation
Evaluation Partitioning

  • Attack Prevention and Detection


Evaluation cont
Evaluation (Cont.) Partitioning

  • Performance on loading and unloading modules

    • Normal: no kernel memory protection

    • Protected: protection without partitioning

    • Sentry: both memory protection and partitioning


Evaluation cont1
Evaluation (Cont.) Partitioning

  • Performance on file system read/write

  • Memory page utility

    • A partitioned kernel used 6502 pages as compared to 6302 pages used by the unpartitioned kernel


Evaluation cont2
Evaluation (Cont.) Partitioning

  • Performance on real world jobs

  • Performance on process data structure

    • 1000 µs = 1 ms


Evaluation cont3
Evaluation (Cont.) Partitioning

  • False Positive Analysis

  • Since benign modules don’t directly modify security-critical kernel data, and uses exported APIs provided by kernel

    • For example, benign modules don’t directly modify run_list, but using enqueue_taskand dequeue_taskto modify this member, and those functions are valid APIs, so the modules can still works fine

  • Our system did not show any false positives and detected all attacks


Conclusion
Conclusion Partitioning

  • We create protected memory regions within the unified kernel data space.

  • We show how to optimize kernel memory space layout for the protection constraints created by our system.

  • We design and develop a system, Sentry, which is capable of protecting both statically and dynamically allocated data structures.