Seminar on Computer Security Threats and Counter Measures

Transcription

1 Seminar on Computer Security Threats and Counter Measures Hardware Attack Prevention (No execute bit, DEP data execution prevention) Trusted Platform Module Patrick Anagnostaras

2 Summary 1 Hardware attack prevention 2. Trusted Platform Module

3 1.1 No Execute Bit Aims Prevent software from taking over computer inserting their code into another data storage area running their code within this section buffer overflow Prevent from virus, worm and Trojan Horse attacks Blaster Sasser Code Red

4 1.2 No execute bit Technology used in CPU s Segregate areas of memory Storage of processor instruction Storage of data (normaly( only on Harvard architecture processors) NX No NX only store data no executions of processor instructions processor instructions

5 1.3 No Execute Bit Denominations AMD No Execute (NX) Intel Execute Disable Bit (XD) Microsoft Execution Protection

6 1.4 NX Bit hardware background Bit number 63 on the paging table entry of an x86 processor If set to 0 If set to 1 code can be executed from this page no execution possible anything on the page assumed as data Pages must have PAE table format (Physical Address Extension) PAE maps up to 64 GB of physical memory into a 32-bit (4 GB) virtual address space using either 4-KB 4 or 2-MB 2 pages.

7 1.5 First NX Bit compatible processors IBM PowerPC (1992) Sun processors SPARC (1995) AMD Intel Tansmeta: Opteron (2004) Athlon 64 (2004) Itanium (2004) Pentium 4 (2004) Efficeon (2004)

8 1.6 Software emulation of the NX Bit Emulation on operating system Prevents stack and heap memory to be executable Prevents executable memory from being writable Helps prevent buffer overflow

9 1.7 OS technologies of the NX Bit PaX Exec Shield W^X DEP Adamantix,, Hardened Gentoo (october 2000) Fedora Core, Red Hat enterprise (may 2003) OpenBSD operating system Windows Vista, Windows XP SP2, Windows server 2003 SP1 (august 2004)

10 1.8 Comparison of technologies: Overhead Amount of extra CPU procession power required for each technology to function Emulation of NX bit will usually impose a measurable overhead No significant measurable overhead on CPUs supplying a hardware NX bit

11 1.8.1 Comparison of technologies: Checks for two ELF header markings (stack or heap needs to be executable) ecutable) PT-GNU-STACK PT-GNU-HEAP Allows controls to set both binary executables and libraries Executable loads a library requiring restriction relaxed inherit that marking + restriction relaxed. Track upper code segment limit Exec Shield CPUs without NX bit pages below the code segment limit not protected Few cycle of overhead immeasurable

12 1.8.2 Comparison of technologies: PaX technology can emulate NX bit or NX functionnality or use hardware NX bit trampoline emulation Works on x86 CPUs that do not have NX bit Ignore PT-GNU GNU-STACK and PT-GNU GNU-HEAP Supplies 2 methods of NX bit emulation SEGMEXEC PAGEEXEC PaX

13 1.8.3 Comparison of technologies: Impose measurable low overhead ( <1%) Virtual memory mirroring PaX - SEGMEXEC Effect of cutting in two the task s s virtual address space Task access less memory No problems until task requires more than half the normal address space (rare) Restricts the system memory that a program can access

14 1.8.4 Comparison of technologies: Similar to Exec Shield No pages will become executable unless operating system explicitly ly makes them as such Protects pages below the code segment limit Supplies mprotect() restriction prevent programs from marking memory for potential exploit High overhead operation PaX - PAGEEXEC If hardware NX bit used no emulation used no overhead

15 1.8.5 Comparison of technologies: Memory protection W^X Any page in a process address space is either writable or executable ( xor = ^) Stack not executable no execution of arbitrary code injected will cause the program to terminate

16 1.8.6 Comparison of technologies: DEP On windows services by default Configurable through advance properties in the «my computer»

17 1.9 Hardware enforced DEP same design for 32-bit and 64 bit versions of Windows Developers should be aware of DEP behavior Device driver Execution code from the stack DEP is enabled no permission DEP access violation error 0XFC: ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY

18 1.10 Software DEP protection Handling of the NX faults: other technologies terminate the program DEP raises an exception program flow is destroyed in a unrecoverable manner Checks when an exception is thrown Exception is registered function table

19 1.10 Software DEP protection NX supported enabled by default Allows programs to control which pages disallow execution through its API Also through the section headers in a portable executable file Win32 API calls VirtualAlloc[Ex] ] and VirtualProtect[Ex] page protection setting specified by programmer each page individually flagged executable or non-executable

20 1.11 DEP limitations DEP provides no address space layout randomization allows return-to to-lib attack the return address on the stack replaced the address of another function correct portion of the stack is overwritten provide arguments to this function allows attackers to call pre-existing existing functions no need to inject malicious code into a program

21 1.12 DEP software conflicts Causes software problems Old software Drivers compatibility problems Prevent programs to be virtualized correctly Solution disabling DEP features

22 1.14 Examples of DEP on Windows

23 1.13 Windows error reporting signature for a DEP problem

24 1.15 NX Bit attack example: Microsoft s s Xbox CPU had no NX bit buffer overflow 007:Agent Under Fire save game exploit Newer version of XDK set code segment limit to the beginning of the kernel s.data section no code should be after this point No change memory executed below the beginning of the kernel s.data section new version of Xbox with new kernel

25 2. Trusted Module Platform (TPM) 2.1 What is a Trusted Platform Module? 2.2 TPM applications 2.3 Three discussed features of TPM 2.4 TPM architecture 2.5 Example Application (Microsoft Outlook)

26 2.1 What is a Trusted Platform Module? Hardware chip on motherboards Chip is unique for each particular device Used to authenticate hardware device No one played with the hardware No changes to bios Secure generation of cryptographic keys Provide chain of trust

27 2.2 TPM applications BitLocker Drive Encryption: Microsoft Windows Vista Enterprise editions Microsoft Windows Vista Ultimate Linux security module 2006 Laptop TPM available 2008 New Intel s southbridge chipset

28 2.3 Three discussed features of TPM Remote attestation Summary of software on the computer Allow verifying software is not compromised (digital music store) Threat to privacy Sealing Encrypted data decryption only exact same state Same software + same computer very restrictive digital rights management. Binding Encrypt data using TPM endorsement key (unique RSA key put in the chip during production) very restrictive

29 2.4 TPM architecture Endorsement key: Public/private key pair Size : 2048 bits Unique Attestation Identity Key Platform authentication Pseudo anonymous authentication

30 2.5 Example Application (Microsoft Outlook) Verisign TPM Create new key 1 5 Public Key Private Key Outlook 1. Outlook get digital ID launches Verisign website 2. Verisign talk to the TPM hardware 3. TPM generates a new key pair for signing 4. TPM send the public key of above pair to Verisign 5. Verisign signs the public key and returns to Outlook

31 Questions?