1 / 22

Efficient Protection of Kernel Data Structures via Object Partitioning

Efficient Protection of Kernel Data Structures via Object Partitioning. Abhinav Srivastava , Jonathon Giffin AT&T Labs-Research, HP Fortify ACSAC 2012. Outline. Introduction Related Work Sentry System Implementation Evaluation Conclusion. Introduction.

zeroun
Download Presentation

Efficient Protection of Kernel Data Structures via Object Partitioning

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Efficient Protection of Kernel Data Structures via Object Partitioning AbhinavSrivastava, Jonathon Giffin AT&T Labs-Research, HP Fortify ACSAC 2012

  2. Outline • Introduction • Related Work • Sentry System • Implementation • Evaluation • Conclusion

  3. Introduction • Kernel-level malicious malware often uses DKOM(Direct Kernel Object Manipulation) to hide the process from the kernel’s process accounting list. • They may also escalate a process’ privileges by overwriting the process’ credentials with those for a root or administrative user • We present a system called Sentry that creates access control protections for security-critical kernel data.

  4. Related Work • Petroni et al. detect process which reachable in scheduler but not in process accounting list. • Cannot detect the list of loaded kernel modules, which do not offer multiple views. • XFI and BGI guarded write instructions subject to access control policy constraints. • Require all kernel drivers and modules to use this system • Low performance.

  5. Sentry System • Page-level Granularity: use hardware’s page read/write protection to enforce access control policy • Partitioning: to separate kernel data structure into regionswhich have different access control policies • Based on VM: to get full control to hardware page-fault handling and management

  6. Sentry System

  7. Page-level Granularity • Old methods • Applying policy checking is to check all possible write operation to kernel data Slow performance • Protecting a single security-critical member requires whole page to be protected Low memory utility • Sentry use structure partitioning and page write protection to apply access control policies

  8. Page-level Granularity (Cont.) • How page write protection protect the data? • Simply using the write flag in page data structure • If someone tries to write to a protected page, a page fault happen, and a function sh_page_fault in XEN hypervisor is called to handle this event • Sentry changes the handling function to add a policy check: • If write is valid, then ignore this page fault and perform write operation • If write is invalid, then the write operation is denied

  9. Partitioning • Structures such as task_structand modulecontains a mix of security-critical and not-critical fields • Structure Division • Structure Alignment

  10. Partitioning - Structure Division • Split original Objby creating a new data structure insecure_Objcontaining non-critical fields structtask_struct structtask_struct uid_tuid, euid, suid uid_tuid, euid, suid gid_tgid, egid, sgid gid_tgid, egid, sgid u64 acct_rss_mem1 structlist_head tasks u64 acct_vm_mem1 char comm[16] structlist_head tasks insecure_task_struct *insecure void *journal_info structinsecure_task_struct unsigned long personality unsigned long personality structaudit_context *audit_context structaudit_context *audit_context char comm[16] void *journal_info u64 acct_rss_mem1 ... u64 acct_vm_mem1

  11. Partitioning - Structure Alignment • Add a buffer to original Obj to separate security-critical members and non-critical members away • This can be done by using compiler options to insert or remove the alignment buffer Page Size struct module struct module enummodule_state state enummodule_state state structlist_head list structlist_head list char name[MODULE_NAME_LEN] char buffer[BIG_SPACE] const char *version const char *srcversion char name[MODULE_NAME_LEN] ... const char *version const char *srcversion ...

  12. Policy A valid write operation can be performed by: • Trusted core kernel, such as core kernel code from symbol _text to _etext, kernel boot code from symbol __init_beginto __init_end • Trusted Upgraders: Alteration reachable from most exported kernel functions, such as API provided by the Kernel

  13. Page Creation & Registration • When creating a new instance of protected structure, Objand insecure_Objare put into a page frame separately, and add page write protection on the page containing Obj • The page frame number(PFN) then send to Sentry system using VMCALL, a method to pass data to hypervisor, to tell which page frame needs mediation

  14. Implementation • Use Linux 2.6 and Xen hypervisor • Change task_structand modulestructure using division and alignment respectively • Change Linux source code where use those structures into correct variable • current->journal_infocurrent->insecure->journal_info • Alter 0.036%(2536/7041452) SLOC(Source Line of Code) in Linux 2.6 • This can be done by source-to-source transformation techniques, such as provided by CIL

  15. Implementation (Cont.) • Structure Division • Apply on task_struct structure only • Categorized 28 of 122 members as critical • Change structure creation function kmem_cache_allocinto get_free_pagesand kmalloc • Structure Alignment • Apply on modulestructure only • Categorized 2 of 29 members as critical • Only a recompilation of the kernel

  16. Implementation (Cont.) • APIs to communicate to hypervisor • addPFNtoDB, removePFNfromDB, checkPFNinDB • Modify __sh_propagateto make a shadow of memory of guest operating system for monitor • Sentry check write operation’s vaildityby the eipregister when sh_page_faultis called, and traverse the stack frame using ebpto get full call trace

  17. Evaluation • Attack Prevention and Detection

  18. Evaluation (Cont.) • Performance on loading and unloading modules • Normal: no kernel memory protection • Protected: protection without partitioning • Sentry: both memory protection and partitioning

  19. Evaluation (Cont.) • Performance on file system read/write • Memory page utility • A partitioned kernel used 6502 pages as compared to 6302 pages used by the unpartitioned kernel

  20. Evaluation (Cont.) • Performance on real world jobs • Performance on process data structure • 1000 µs = 1 ms

  21. Evaluation (Cont.) • False Positive Analysis • Since benign modules don’t directly modify security-critical kernel data, and uses exported APIs provided by kernel • For example, benign modules don’t directly modify run_list, but using enqueue_taskand dequeue_taskto modify this member, and those functions are valid APIs, so the modules can still works fine • Our system did not show any false positives and detected all attacks

  22. Conclusion • We create protected memory regions within the unified kernel data space. • We show how to optimize kernel memory space layout for the protection constraints created by our system. • We design and develop a system, Sentry, which is capable of protecting both statically and dynamically allocated data structures.

More Related