220 likes | 298 Views
Towards a VMM-based Usage Control Framework for OS Kernel Integrity Protection. Xuxian Jiang George Mason University. Min Xu George Mason University. Xinwen Zhang Samsung Information Systems of America. Ravi Sandhu University of Texas at San Antonio. SACMAT 2007. Motivations.
E N D
Towards a VMM-based Usage Control Framework for OS Kernel Integrity Protection Xuxian Jiang George Mason University Min Xu George Mason University Xinwen Zhang Samsung Information Systems of America Ravi Sandhu University of Texas at San Antonio SACMAT 2007
Motivations • Ensuring the integrity of kernel resources is a fundamental goal of OS security • Exploiting a vulnerability allows the attacker to modify the kernel and core system utilities, hence compromising the integrity of the entire system • Malware: Worms, Keyloggers, Rootkits …
Threat Example: Rootkits • “A rootkit is a set of programs and code that allows a permanent or consistent, undetectable presence on a computer”—Rootkits:Subeverting the Windows Kernel • Goals: • Hide malicious resources(e.g., processes, files, registry keys, open ports, etc.) • Provide hidden backdoor access • Techniques: modifying kernel resources (integrity violation) • Loadable Kernel Modules (most popular method) • Modify system call table, kernel text, Interrupt Descriptor Table (IDT) • Patching the running kernel (memory modification) • Modify /dev/kmem
Existing Approaches • Existing Models: MAC (Biba, Bell-LaPadula, Chinese Wall) • Clear goal • Too restrictive, coarse-grained • No ongoing check • Existing Enforcement Mechanisms: • User-Level • Good performance • No isolation • Easily compromised • OS Kernel (SELinux) • No isolation • Too many polices (50,000 +policies in Linux 2.6.18) • Hardware-based Coprocessor (Copliot) • Isolation • Needing another PCI card, no real time prevention
Our Approach • Virtual Machine Monitor (VMM) based Architecture • Strong Isolation: Compromised guest OS cannot disable protection mechanism in VMM • Introspection: VMM can see hardware states • Interposition: VMM can enforce memory access, NIC … VMM can monitor and enforce events happening in a guest VM. • UCON • Decision continuity and attribute mutability • Previous work has shown policy specification flexibility of UCON
Outline • Policy and Model: • UCONKI model for OS kernel integrity • Event-based logic model for UCONKI policy specification • VMM-based Enforcement Architecture • Prototype • Evaluation • Conclusion and Future Work
Three phases of a usage process • Decision in first two phases • pre-decision • ongoing-decisions: repeatedly check during ongoing usage phase • Decision Continuity UCON Model (Park and Sandhu 2004) • Attributes can be updated as side-effects of a usage: • pre, ongoing, and post updates • Persistent and mutable attributes • Attribute Mutability
UCONKI Model for OS Kernel Integrity • Subjects (S): • Active processes and loadable kernel modules (LKMs) • Objects (O): • Kernel memory spaces, disk devices, and registers • Subject attributes (ATT(S)): • Text hash values of subjects • Object attributes (ATT (O)): • Addresses, types, status of objects • Rights (ATT (R)): • Generic actions such as read and write • Authorizations: • Functional predicates that have to be evaluated for usage decisions
Event-based Policy Model for UCONKI • A UCONKI policy is a well-typed policy rule of the form: (e1… ei) causes (act1… actj) if (p1… pk) where e1 ,…, ei are events, act1 ,…, actj are actions, and p1 ,…, pk are predicates. • A UCONKI policy specifies that when events e1 ,…, ei occur, actions act1 ,…, actjmust be performed by the system if predicates p1 ,…, pk are satisfied.
Subjects events and system actions * means repetition
Example Policies specified by EPA • Pre-Authorization • Mutability
Architecture • Subject generates an access request event from the guest VM and intercepted by VME (step 1) • VME contacts AR and retrieves the subjects and objects attributes (steps 2 and 3) • VME queries AVC (step 4) • If AVC has valid entry and S & O attributes not changed, gives yes (step 5) and goes to step 8, otherwise gives no and goes to step6 • VME pushes S & O attributes to PDP (step 6) • PDP makes access control decision according to policy and S & O attributes (step 7) • The decision is forwarded to VME and enforced in the VM (step 8)
Architecture • Update of attributes (Mutability) • VME gets the new attributes from the guest VM (step 9) • New subject/object attributes are pushed back to AR (step 10) • e.g. update system call table address after legitimate process modified it • Update the decision cache • VME pushes the decision along with subject and object’s attributes to AVC after usage (step11)
Prototype Implementation • An OS kernel integrity protection system • Bochs IA-32 Emulator • Guest VM: Red hat7.2 (Linux 2.4.7-10) • Example policy: kernel text, system call table, IDT table and virtual file system dispatch table cannot be modified Interesting symbols found from /boot/system.map
Prototype Runtime addresses collected from a Redhat 7.2 Linux system (2.4.7-10)
Evaluation • Evaluation results with 18 real-world kernel rootkits
Example Rootkits “Adore” rootkit “Adore-ng” rootkit “suckit” rootkit
Possible Extensions • UCONKI Extensions • Attributes Management • Conditions • Obligations • Policy Enforcement
Conclusions • We have proposed a VMM-based usage framework for OS kernel integrity protection • We have subjected our prototype to 18 real-world kernel rootkits to validate its practicality and effectiveness
Ongoing and Future Work • Extending our framework for general OS security • Porting to other VMM platforms, like XEN
Thank You! Email: mxu@gmu.edu URL: http://www.list.gmu.edu/mxu