Directed Multicut with linearly ordered terminals
Motivated by an application in network security, we investigate the following
"linear" case of Directed Multicut. Let be a directed graph which includes
some distinguished vertices . What is the size of the
smallest edge cut which eliminates all paths from to for all ? We show that this problem is fixed-parameter tractable when parametrized in
the cutset size via an algorithm running in time.
Comment: 12 pages, 1 figure
Sprobes: Enforcing Kernel Code Integrity on the TrustZone Architecture
Many smartphones now deploy conventional operating systems, so the rootkit
attacks so prevalent on desktop and server systems are now a threat to
smartphones. While researchers have advocated using virtualization to detect
and prevent attacks on operating systems (e.g., VM introspection and trusted
virtual domains), virtualization is not practical on smartphone systems due to
the lack of virtualization support and/or the expense of virtualization.
Current smartphone processors do have hardware support for running a protected
environment, such as the ARM TrustZone extensions, but such hardware does not
control the operating system operations sufficiently to enable VM
introspection. In particular, a conventional operating system running with
TrustZone still retains full control of memory management, which a rootkit can
use to prevent traps on sensitive instructions or memory accesses necessary for
effective introspection. In this paper, we present SPROBES, a novel primitive
that enables introspection of operating systems running on ARM TrustZone
hardware. Using SPROBES, an introspection mechanism protected by TrustZone can
instrument individual operating system instructions of its choice, receiving an
unforgeable trap whenever any SPROBE is executed. The key challenge in
designing SPROBES is preventing the rootkit from removing them, but we identify
a set of five invariants whose enforcement is sufficient to restrict rootkits
to execute only approved, SPROBE-injected kernel code. We implemented a
proof-of-concept version of SPROBES for the ARM Fast Models emulator,
demonstrating that in Linux kernel 2.6.38, only 12 SPROBES are sufficient to
enforce all five of these invariants. With SPROBES we show that it is possible
to leverage the limited TrustZone extensions to limit conventional kernel
execution to approved code comprehensively.
Comment: In Proceedings of the Third Workshop on Mobile Security Technologies
(MoST) 2014 (http://arxiv.org/abs/1410.6674)
An Evil Copy: How the Loader Betrays You
Dynamic loading is a core feature used on current systems to (i) enable modularity and reuse, (ii) reduce memory footprint by sharing code pages of libraries and executables among processes, and (iii) simplify update procedures by eliminating the need to recompile executables when a library is updated. The Executable and Linkable Format (ELF) is a generic specification that describes how executable programs are stitched together from object files produced from source code to libraries and executables. Programming languages allow fine-grained control over variables, including access and memory protections, so programmers may write defense mechanisms assuming that the permissions specified at the source and/or compiler level will hold at runtime. Unfortunately, information about memory protection is lost during compilation. We identify one case that has significant security implications: when instantiating a process, constant external variables that are referenced in executables are forcefully relocated to a writable memory segment without warning. The loader trades security for compatibility due to the lack of memory protection information on the relocated external variables. We call this new attack vector COREV for Copy Relocation Violation. An adversary may use a memory corruption vulnerability to modify such "read-only" constant variables like vtables, function pointers, format strings, and file names to bypass defenses (like FORTIFY_SOURCE or CFI) and to escalate privileges. We have studied all Ubuntu 16.04 LTS packages and found that out of 54,045 packages, 4,570 packages have unexpected copy relocations that change read-only permissions to read-write, presenting new avenues for attack. The attack surface is broad with 29,817 libraries exporting relocatable read-only variables. The set of 6,399 programs with actual copy relocation violations includes ftp servers, apt-get, and gettext.
We discuss the cause, effects, and a set of possible mitigation strategies for the COREV attack vector.
Top of the Heap: Efficient Memory Error Protection for Many Heap Objects
Exploits against heap memory errors continue to be a major concern. Although
many defenses have been proposed, heap data are not protected from attacks that
exploit memory errors systematically. Research defenses focus on complete
coverage of heap objects, often giving up on comprehensive memory safety
protection and/or incurring high costs in performance overhead and memory
usage. In this paper, we propose a solution for heap memory safety enforcement
that aims to provide comprehensive protection from memory errors efficiently by
protecting those heap objects whose accesses are provably safe from memory
errors. Specifically, we present the Uriah system that statically validates
spatial and type memory safety for heap objects, isolating compliant objects on
a safe heap that enforces temporal type safety to prevent attacks on memory
reuse. Using Uriah, 71.9% of heap allocation sites can be shown to produce
objects (73% of allocations are found safe) that satisfy spatial and type
safety, which are then isolated using Uriah's heap allocator from memory
accesses via unsafe heap objects. Uriah only incurs 2.9% overhead and only uses
9.3% more memory on SPEC CPU2006 (C/C++) benchmarks, showing that many heap
objects can be protected from all classes of memory errors efficiently.