Betriebssysteme KU Security IAIK Graz University of Technology 1
1. Drivers 2. Security - The simple stuff 3. Code injection attacks 4. Side-channel attacks 2
1. Drivers 2. Security - The simple stuff 3. Code injection attacks 4. Side-channel attacks 3
Driver Basics Hardware has a defined interface reference manual x86: I/O address space via outb,inb,... ARM: Memory mapped in physical address space Let s have a look at qemu s mtree command 4
Mouse driver (x86) Send init sequence using inb and outb Service Mouse IRQs (depending on config) 5
MMC driver (ARM) Send init sequence using memory mapped registers Commands: Read/Write Send and retrieve data 6
Sounds simple? Writing device drivers is about implementing an interface Reference manual what the hardware does Reference manual what the hardware expects the OS to do Large drivers (GPU) can get very complex 7
1. Drivers 2. Security - The simple stuff 3. Code injection attacks 4. Side-channel attacks 8
Multi user environments Usermanagement File access rights Extend the existing file system 9
DOS attacks Denial of service using an unfairly amount of resources to block the whole system 10
DOS attacks Denial of service using an unfairly amount of resources to block the whole system Improve the Scheduler (priorities) Scheduler for I/O activity? 10
DOS attacks Denial of service using an unfairly amount of resources to block the whole system Improve the Scheduler (priorities) Scheduler for I/O activity? Out of memory handling? ulimit as an operating system service 10
Private exec Modern browsers have a private browsing mode Shouldn t that be a service of the operating system? 11
Private exec Modern browsers have a private browsing mode Shouldn t that be a service of the operating system? priv_exec execute a program in a sandbox No accesses to real file system,... No interaction with any hardware Maybe a limited set of syscalls? 11
1. Drivers 2. Security - The simple stuff 3. Code injection attacks 4. Side-channel attacks 12
Code injection attack Idea: Use buffer overflow to inject binary code int f() { char b[128]; gets(b); } How does the stack look now? 13
Code injection attack Stack: 0xfc return address 0xf8 ebp from calling function 0xf4 b[124],b[125],b[126],b[127]...... 14
Code injection attack Input string has 128 bytes + attack payload: "\0\1\2\3" // the ebp i choose "\xe0\x05\x00\x08" // 080005e0 - execv "\4\5\6\7" // argument: char* path "\8\9\10\11" // argument: char** argv 15
Countermeasures against code injection NX-bit in page table prevent execution on a page Use this bit for stack pages: PageFault if eip points on a stack page 16
Countermeasures against code injection NX-bit in page table prevent execution on a page Use this bit for stack pages: PageFault if eip points on a stack page Think of the attack we just saw: did we execute code on the stack? 16
Countermeasures against code injection NX-bit in page table prevent execution on a page Use this bit for stack pages: PageFault if eip points on a stack page Think of the attack we just saw: did we execute code on the stack? Return-to-libc/Return-Oriented-Programming (ROP) still possible! Any ideas? 16
Countermeasures against code injection NX-bit in page table prevent execution on a page Use this bit for stack pages: PageFault if eip points on a stack page Think of the attack we just saw: did we execute code on the stack? Return-to-libc/Return-Oriented-Programming (ROP) still possible! Any ideas? Randomize the position of (shared) library code! 16
Countermeasures against code injection Stack canaries detect stack corruption Kernel stops execution if stack is corrupted check during context switch 17
Countermeasures against code injection Stack canaries detect stack corruption Kernel stops execution if stack is corrupted check during context switch Who protects the kernel against code injection attacks? 17
Syscall-based countermeasures If injection only changes arguments passed to syscall: Randomize syscall numbers Randomize syscall argument order Blacklist syscalls Whitelist syscalls... 18
NX-Bit Execution Prevention for stack pages... what more? 19
NX-Bit Execution Prevention for stack pages... what more? Binary might prefer non-writeable code pages and non-executable data pages 19
NX-Bit Execution Prevention for stack pages... what more? Binary might prefer non-writeable code pages and non-executable data pages Is there any reason to have a page writeable and executable? (apart from self-modifying code) 19
NX-Bit Execution Prevention for stack pages... what more? Binary might prefer non-writeable code pages and non-executable data pages Is there any reason to have a page writeable and executable? (apart from self-modifying code) W X policy no page writeable and executable at the same time 19
NX-Bit Execution Prevention for stack pages... what more? Binary might prefer non-writeable code pages and non-executable data pages Is there any reason to have a page writeable and executable? (apart from self-modifying code) W X policy no page writeable and executable at the same time (except if the binary wants self-modifying code) 19
Code injection in kernel What if you can only write a very small amount of data in the kernel? Where to jump? 20
Code injection in kernel What if you can only write a very small amount of data in the kernel? Where to jump? We should prevent the kernel from being able to execute userspace code Now think of Return-to-libc/ROP... 20
Code injection in kernel What if you can only write a very small amount of data in the kernel? Where to jump? We should prevent the kernel from being able to execute userspace code Now think of Return-to-libc/ROP... What if we can set ebp/esp to point into userspace? 20
Code injection in kernel Maybe the kernel should not have userspace data mapped? 21
Code injection in kernel Maybe the kernel should not have userspace data mapped? We remove the userspace mapping from kernel Linux did that too, but they are still vulnerable... why? 21
Code injection in kernel Maybe the kernel should not have userspace data mapped? We remove the userspace mapping from kernel Linux did that too, but they are still vulnerable... why? Identity mapping breaks everything! 21
1. Drivers 2. Security - The simple stuff 3. Code injection attacks 4. Side-channel attacks 22
Cache Attacks Cache is faster than Memory 23
Cache Attacks Cache is faster than Memory That s the problem. 23
Cache Attacks - Modern Caches Shared in Memory Shared in Cache 24
Cache Attacks - Modern Caches Shared in Memory Shared in Cache clflush flushes data from cache Shared in Cache I can flush shared data Shared libraries different process execute on physically shared memory 24
Cache Attacks - Flush+Reload After loading a shared library, attack as follows: 1. clflush interesting function code 2. Wait a bit 3. Check whether function was accessed 25
Cache Attacks - Flush+Reload RSA: Square+Multiply depending on secret key bits 96.7% of the key bits after a single decryption 26
Cache Attacks - without shared memory? www.iaik.tugraz.at F+R requires shared memory disable shared memory? 27
Cache Attacks - without shared memory? F+R requires shared memory disable shared memory? Prime+Probe works similar and does not require shared memory 27
Cache Attacks Cache attack only possible by executing attacker s code I only start self-compiled programs. Are we safe now? 28
Cache Attacks Cache attack only possible by executing attacker s code I only start self-compiled programs. Are we safe now? Recent paper: The Spy in the Sandbox - Practical Cache Attacks in Javascript 28
Cache attack countermeasures OS could flush cache during context switch 29
Cache attack countermeasures OS could flush cache during context switch Maybe not the whole cache, but only parts of it 29
Cache attack countermeasures OS could flush cache during context switch Maybe not the whole cache, but only parts of it User programs could tell the OS which parts they want to protect 29
Cache attack countermeasures OS could flush cache during context switch Maybe not the whole cache, but only parts of it User programs could tell the OS which parts they want to protect And what about Hyperthreading? 29
Cache attack countermeasures OS could flush cache during context switch Maybe not the whole cache, but only parts of it User programs could tell the OS which parts they want to protect And what about Hyperthreading? disable it? 29
Copy-on-write attack Let s exploit copy-on-write! 30
Copy-on-write attack Let s exploit copy-on-write!... 30
Copy-on-write attack Let s exploit copy-on-write!... Ummm.. 30
Copy-on-write attack Let s exploit copy-on-write!... Ummm.. How? 30
Copy-on-write attack Regular write access vs. copy-on-write write access 31
Copy-on-write attack Regular write access vs. copy-on-write write access Timing difference? 31
Copy-on-write attack Regular write access vs. copy-on-write write access Timing difference? Yes! Enormous timing difference! We get a true/false information whether our page was twice in memory! 31
Page Deduplication Search Memory for identical pages Make them CoW! 32
Page Deduplication Search Memory for identical pages Make them CoW! Save lot s of memory save lot s of money! 32
Page Deduplication Attack 1. Fill a page with data 33
Page Deduplication Attack 1. Fill a page with data 2. Wait 33
Page Deduplication Attack 1. Fill a page with data 2. Wait 3. Measure write access time to the page 4. 5. High time found it! 33
Page Deduplication Attack - Countermeasures 1. Disable Page Deduplication? 2. Deduplicate only read-only pages? 3. Attack requires native code execution? 34
EOF Better ideas? We want to see them! Have fun programming! 35