Secure Operating Systems Lesson B: Let’s go break something
Where are we?
• We’ve looked at hardware and software, but I have failed to really show you how to break things… which does rather make the beauty of Multics harder to see
• So… let’s look at some examples of OSes breaking
Linux: Overview
• Based on Chen et al.’s “Linux kernel vulnerabilities: State-of-the-art defenses and open problems”
• They looked at roughly a year of Linux kernel vulnerabilities and found the following…
Vulns (table from Chen et al., not reproduced here)
Vulns (cntd) (table from Chen et al., not reproduced here)
What about countermeasures?
• Software fault isolation
• Code integrity (such as SecVisor)
• User-level drivers
• Memory tagging (detect misuse of untrusted inputs)
• Uninitialized memory tracking
Semantic Vulnerabilities
• Simply not protecting something that needs to be protected
• Does it happen? Yes! (See CVE-2010-1641 and many, many more)
• Much harder to detect automatically
• This is a hard problem!
Another problem: Shatter
• From: “Exploiting design flaws in the Win32 API for privilege escalation. Or... Shatter Attacks – How to break Windows”
• Shatter is a classic example of how things can go wrong
The Setup
• Shatter is a local privilege escalation attack
• VirusScan runs as LocalAdministrator
• I run as an unprivileged user
• Can I get VirusScan to execute code on my behalf?
How it works
• First, we get a handle to the higher privileged window
  – Windows provides the APIs for this
• We now have access to the controls on that window programmatically
• Set up the max length for our shell code, and paste it in using Windows Messages
WM_TIMER
• Send the window a WM_TIMER message with the location of the code we want to execute (oops)
• Bingo!
• Let’s discuss for a minute…
Complicated: IA64 sysret
• Okay, this one is REALLY quite complicated… let’s take a look
• Following: “A Stitch In Time Saves Nine: A Case Of Multiple OS Vulnerability”
• Eek!
AMD (figure from Wojtczuk, not reproduced here)
Intel (figure from Wojtczuk, not reproduced here)
Think about it… (figure from Wojtczuk, not reproduced here)
Exploitation
• DoS is easy; code injection is harder, but not impossible
• What’s worse, it’s hard to fix
• The basic idea is in how the exception gets kicked off
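As an added illustration (not from the slides or from Wojtczuk’s paper) of the check a 64-bit kernel can put in front of SYSRET: the Intel-side problem the paper describes is that SYSRET faults on a non-canonical return address while the CPU is still in ring 0, so the mitigation is to take the SYSRET fast path only when the user RIP is canonical and to return via IRET otherwise. This assumes 48-bit virtual addresses (4-level paging); the function names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: 48-bit virtual addresses. An address is canonical when
   bits 63..48 are all copies of bit 47. */
#define VA_BITS 48

bool is_canonical(uint64_t addr)
{
    /* Shift the low VA_BITS up, then arithmetic-shift back down so the
       top bits are re-derived from bit 47; equal means canonical. */
    int64_t sext = (int64_t)(addr << (64 - VA_BITS)) >> (64 - VA_BITS);
    return (uint64_t)sext == addr;
}

enum ret_path { RET_SYSRET, RET_IRET };

/* Gate before the fast return path: use SYSRET only when the user RIP
   (which SYSRET loads from RCX) is canonical; otherwise fall back to
   IRET, which switches privilege and stack atomically so a fault on a
   bad RIP is delivered in ring 3 rather than ring 0. */
enum ret_path choose_return_path(uint64_t user_rip)
{
    return is_canonical(user_rip) ? RET_SYSRET : RET_IRET;
}

int main(void)
{
    /* Constructed sample return addresses. */
    const uint64_t samples[] = {
        0x00007fffffffffffULL, /* top of the user half: canonical */
        0x0000800000000000ULL, /* first address in the hole: not canonical */
        0xffff800000000000ULL, /* bottom of the kernel half: canonical */
        0x0000000000401000ULL, /* ordinary user text address */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%#018llx -> %s\n", (unsigned long long)samples[i],
               choose_return_path(samples[i]) == RET_SYSRET ? "SYSRET" : "IRET");
    return 0;
}
```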
Things to Do
• Read: “Linux kernel vulnerabilities: State-of-the-art defenses and open problems”
Questions & Comments
• What do you want to know?