230 likes | 397 Views
Efficient Protection of Kernel Data Structures via Object Partitioning. Abhinav Srivastava , Jonathon Giffin AT&T Labs-Research, HP Fortify ACSAC 2012. Outline. Introduction Related Work Sentry System Implementation Evaluation Conclusion. Introduction.
E N D
Efficient Protection of Kernel Data Structures via Object Partitioning AbhinavSrivastava, Jonathon Giffin AT&T Labs-Research, HP Fortify ACSAC 2012
Outline • Introduction • Related Work • Sentry System • Implementation • Evaluation • Conclusion
Introduction • Kernel-level malicious malware often uses DKOM(Direct Kernel Object Manipulation) to hide the process from the kernel’s process accounting list. • They may also escalate a process’ privileges by overwriting the process’ credentials with those for a root or administrative user • We present a system called Sentry that creates access control protections for security-critical kernel data.
Related Work • Petroni et al. detect process which reachable in scheduler but not in process accounting list. • Cannot detect the list of loaded kernel modules, which do not offer multiple views. • XFI and BGI guarded write instructions subject to access control policy constraints. • Require all kernel drivers and modules to use this system • Low performance.
Sentry System • Page-level Granularity: use hardware’s page read/write protection to enforce access control policy • Partitioning: to separate kernel data structure into regionswhich have different access control policies • Based on VM: to get full control to hardware page-fault handling and management
Page-level Granularity • Old methods • Applying policy checking is to check all possible write operation to kernel data Slow performance • Protecting a single security-critical member requires whole page to be protected Low memory utility • Sentry use structure partitioning and page write protection to apply access control policies
Page-level Granularity (Cont.) • How page write protection protect the data? • Simply using the write flag in page data structure • If someone tries to write to a protected page, a page fault happen, and a function sh_page_fault in XEN hypervisor is called to handle this event • Sentry changes the handling function to add a policy check: • If write is valid, then ignore this page fault and perform write operation • If write is invalid, then the write operation is denied
Partitioning • Structures such as task_structand modulecontains a mix of security-critical and not-critical fields • Structure Division • Structure Alignment
Partitioning - Structure Division • Split original Objby creating a new data structure insecure_Objcontaining non-critical fields structtask_struct structtask_struct uid_tuid, euid, suid uid_tuid, euid, suid gid_tgid, egid, sgid gid_tgid, egid, sgid u64 acct_rss_mem1 structlist_head tasks u64 acct_vm_mem1 char comm[16] structlist_head tasks insecure_task_struct *insecure void *journal_info structinsecure_task_struct unsigned long personality unsigned long personality structaudit_context *audit_context structaudit_context *audit_context char comm[16] void *journal_info u64 acct_rss_mem1 ... u64 acct_vm_mem1
Partitioning - Structure Alignment • Add a buffer to original Obj to separate security-critical members and non-critical members away • This can be done by using compiler options to insert or remove the alignment buffer Page Size struct module struct module enummodule_state state enummodule_state state structlist_head list structlist_head list char name[MODULE_NAME_LEN] char buffer[BIG_SPACE] const char *version const char *srcversion char name[MODULE_NAME_LEN] ... const char *version const char *srcversion ...
Policy A valid write operation can be performed by: • Trusted core kernel, such as core kernel code from symbol _text to _etext, kernel boot code from symbol __init_beginto __init_end • Trusted Upgraders: Alteration reachable from most exported kernel functions, such as API provided by the Kernel
Page Creation & Registration • When creating a new instance of protected structure, Objand insecure_Objare put into a page frame separately, and add page write protection on the page containing Obj • The page frame number(PFN) then send to Sentry system using VMCALL, a method to pass data to hypervisor, to tell which page frame needs mediation
Implementation • Use Linux 2.6 and Xen hypervisor • Change task_structand modulestructure using division and alignment respectively • Change Linux source code where use those structures into correct variable • current->journal_infocurrent->insecure->journal_info • Alter 0.036%(2536/7041452) SLOC(Source Line of Code) in Linux 2.6 • This can be done by source-to-source transformation techniques, such as provided by CIL
Implementation (Cont.) • Structure Division • Apply on task_struct structure only • Categorized 28 of 122 members as critical • Change structure creation function kmem_cache_allocinto get_free_pagesand kmalloc • Structure Alignment • Apply on modulestructure only • Categorized 2 of 29 members as critical • Only a recompilation of the kernel
Implementation (Cont.) • APIs to communicate to hypervisor • addPFNtoDB, removePFNfromDB, checkPFNinDB • Modify __sh_propagateto make a shadow of memory of guest operating system for monitor • Sentry check write operation’s vaildityby the eipregister when sh_page_faultis called, and traverse the stack frame using ebpto get full call trace
Evaluation • Attack Prevention and Detection
Evaluation (Cont.) • Performance on loading and unloading modules • Normal: no kernel memory protection • Protected: protection without partitioning • Sentry: both memory protection and partitioning
Evaluation (Cont.) • Performance on file system read/write • Memory page utility • A partitioned kernel used 6502 pages as compared to 6302 pages used by the unpartitioned kernel
Evaluation (Cont.) • Performance on real world jobs • Performance on process data structure • 1000 µs = 1 ms
Evaluation (Cont.) • False Positive Analysis • Since benign modules don’t directly modify security-critical kernel data, and uses exported APIs provided by kernel • For example, benign modules don’t directly modify run_list, but using enqueue_taskand dequeue_taskto modify this member, and those functions are valid APIs, so the modules can still works fine • Our system did not show any false positives and detected all attacks
Conclusion • We create protected memory regions within the unified kernel data space. • We show how to optimize kernel memory space layout for the protection constraints created by our system. • We design and develop a system, Sentry, which is capable of protecting both statically and dynamically allocated data structures.