16 research outputs found
Software Fault Isolation with Api Integrity and Multi-Principal Modules
The security of many applications relies on the kernel being secure, but history suggests that kernel vulnerabilities are routinely discovered and exploited. In particular, exploitable vulnerabilities in kernel modules are common. This paper proposes LXFI, a system which isolates kernel modules from the core kernel so that vulnerabilities in kernel modules cannot lead to a privilege escalation attack. To safely give kernel modules access to complex kernel APIs, LXFI introduces the notion of API integrity, which captures the set of contracts assumed by an interface. To partition the privileges within a shared module, LXFI introduces module principals. Programmers specify principals and API integrity rules through capabilities and annotations. Using a compiler plugin, LXFI instruments the generated code to grant, check, and transfer capabilities between modules, according to the programmer's annotations. An evaluation with Linux shows that the annotations required on kernel functions to support a new module are moderate, and that LXFI is able to prevent three known privilege-escalation vulnerabilities. Stress tests of a network driver module also show that isolating this module using LXFI does not hurt TCP throughput but reduces UDP throughput by 35%, and increases CPU utilization by 2.2-3.7x.United States. Defense Advanced Research Projects Agency. Clean-slate design of Resilient, Adaptive, Secure Hosts (Contract number N66001-10-2-4089)National Science Foundation (U.S.). (Grant number CNS-1053143)National Basic Research Program of China (973 Program) (2007CB807901)National Natural Science Foundation (China) (61033001
KASR: A Reliable and Practical Approach to Attack Surface Reduction of Commodity OS Kernels
Commodity OS kernels have broad attack surfaces due to the large code base
and the numerous features such as device drivers. For a real-world use case
(e.g., an Apache Server), many kernel services are unused and only a small
amount of kernel code is used. Within the used code, a certain part is invoked
only at runtime while the rest are executed at startup and/or shutdown phases
in the kernel's lifetime run. In this paper, we propose a reliable and
practical system, named KASR, which transparently reduces attack surfaces of
commodity OS kernels at runtime without requiring their source code. The KASR
system, residing in a trusted hypervisor, achieves the attack surface reduction
through a two-step approach: (1) reliably depriving unused code of executable
permissions, and (2) transparently segmenting used code and selectively
activating them. We implement a prototype of KASR on Xen-4.8.2 hypervisor and
evaluate its security effectiveness on Linux kernel-4.4.0-87-generic. Our
evaluation shows that KASR reduces the kernel attack surface by 64% and trims
off 40% of CVE vulnerabilities. Besides, KASR successfully detects and blocks
all 6 real-world kernel rootkits. We measure its performance overhead with
three benchmark tools (i.e., SPECINT, httperf and bonnie++). The experimental
results indicate that KASR imposes less than 1% performance overhead (compared
to an unmodified Xen hypervisor) on all the benchmarks.Comment: The work has been accepted at the 21st International Symposium on
Research in Attacks, Intrusions, and Defenses 201
CHERI: a research platform deconflating hardware virtualisation and protection
Contemporary CPU architectures conflate virtualization and protection,
imposing virtualization-related performance, programmability,
and debuggability penalties on software requiring finegrained
protection. First observed in micro-kernel research, these
problems are increasingly apparent in recent attempts to mitigate
software vulnerabilities through application compartmentalisation.
Capability Hardware Enhanced RISC Instructions (CHERI) extend
RISC ISAs to support greater software compartmentalisation.
CHERI’s hybrid capability model provides fine-grained compartmentalisation
within address spaces while maintaining software
backward compatibility, which will allow the incremental deployment
of fine-grained compartmentalisation in both our most trusted
and least trustworthy C-language software stacks. We have implemented
a 64-bit MIPS research soft core, BERI, as well as a
capability coprocessor, and begun adapting commodity software
packages (FreeBSD and Chromium) to execute on the platform
HardScope: Thwarting DOP with Hardware-assisted Run-time Scope Enforcement
Widespread use of memory unsafe programming languages (e.g., C and C++)
leaves many systems vulnerable to memory corruption attacks. A variety of
defenses have been proposed to mitigate attacks that exploit memory errors to
hijack the control flow of the code at run-time, e.g., (fine-grained)
randomization or Control Flow Integrity. However, recent work on data-oriented
programming (DOP) demonstrated highly expressive (Turing-complete) attacks,
even in the presence of these state-of-the-art defenses. Although multiple
real-world DOP attacks have been demonstrated, no efficient defenses are yet
available. We propose run-time scope enforcement (RSE), a novel approach
designed to efficiently mitigate all currently known DOP attacks by enforcing
compile-time memory safety constraints (e.g., variable visibility rules) at
run-time. We present HardScope, a proof-of-concept implementation of
hardware-assisted RSE for the new RISC-V open instruction set architecture. We
discuss our systematic empirical evaluation of HardScope which demonstrates
that it can mitigate all currently known DOP attacks, and has a real-world
performance overhead of 3.2% in embedded benchmarks
CubicleOS: A library OS with software componentisation for practical isolation
Library OSs have been proposed to deploy applications isolated inside containers, VMs, or trusted execution environments. They often follow a highly modular design in which third-party components are combined to offer the OS functionality needed by an application, and they are customised at compilation and deployment time to fit application requirements. Yet their monolithic design lacks isolation across components: when applications and OS components contain security-sensitive data (e.g., cryptographic keys or user data), the lack of isolation renders library OSs open to security breaches via malicious or vulnerable third-party components
CubicleOS: A library OS with software componentisation for practical isolation
Library OSs have been proposed to deploy applications isolated inside containers, VMs, or trusted execution environments. They often follow a highly modular design in which third-party components are combined to offer the OS functionality needed by an application, and they are customised at compilation and deployment time to fit application requirements. Yet their monolithic design lacks isolation across components: when applications and OS components contain security-sensitive data (e.g., cryptographic keys or user data), the lack of isolation renders library OSs open to security breaches via malicious or vulnerable third-party components
CATTmew: Defeating Software-only Physical Kernel Isolation
All the state-of-the-art rowhammer attacks can break the MMU-enforced
inter-domain isolation because the physical memory owned by each domain is
adjacent to each other. To mitigate these attacks, physical domain isolation,
introduced by CATT, physically separates each domain by dividing the physical
memory into multiple partitions and keeping each partition occupied by only one
domain. CATT implemented physical kernel isolation as the first generic and
practical software-only defense to protect kernel from being rowhammered as
kernel is one of the most appealing targets.
In this paper, we develop a novel exploit that could effectively defeat the
physical kernel isolation and gain both root and kernel privileges. Our exploit
can work without exhausting the page cache or the system memory, or relying on
the information of the virtual-to-physical address mapping. The exploit is
motivated by our key observation that the modern OSes have double-owned kernel
buffers (e.g., video buffers and SCSI Generic buffers) owned concurrently by
the kernel and user domains. The existence of such buffers invalidates the
physical kernel isolation and makes the rowhammer-based attack possible again.
Existing conspicuous rowhammer attacks achieving the root/kernel privilege
escalation exhaust the page cache or even the whole system memory. Instead, we
propose a new technique, named memory ambush. It is able to place the
hammerable double-owned kernel buffers physically adjacent to the target
objects (e.g., page tables) with only a small amount of memory. As a result,
our exploit is stealthier and has fewer memory footprints. We also replace the
inefficient rowhammer algorithm that blindly picks up addresses to hammer with
an efficient one. Our algorithm selects suitable addresses based on an existing
timing channel.Comment: Preprint of the work accepted at the IEEE Transactions on Dependable
and Secure Computing 201