Minos Control Data Attack Prevention


Learn about control data, Biba's low-water-mark integrity policy and its security properties, the Minos architecture, security assessments, vulnerabilities, the motivation behind control data attacks, securing commodity software, and the Minos security goals.

  • Minos
  • Control Data
  • Security Assessments
  • Data Attacks
  • Vulnerabilities


Presentation Transcript


  1. Minos: Control Data Attack Prevention Orthogonal to Memory Model
       Jedidiah R. Crandall and Frederic T. Chong
       Department of Computer Science, University of California at Davis

  2. Outline
       • What is control data?
       • Motivation
       • Biba's low-water-mark integrity policy
       • The Minos architecture
       • Security assessment
       UMD 10/04 F. Chong - Minos

  3. What is control data?
       • Any data which is loaded into the program counter on control flow transfer, or any data used to calculate such data
       • Executable code is not control data

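  4. A Control Data Vulnerability
       #include <stdio.h>
       typedef void function(void);
       int main(void) {
           function *f;
           scanf("%d", (int *) &f);   /* the integer read from input overwrites the function pointer */
           f();                       /* control transfers to the input-supplied address */
           return 0;
       }
       • More commonly: buffer overflows, format string attacks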

  5. Motivation
       • Control data attacks cost users billions of dollars a year
       • Remote intrusions
       • Cleaning up worms
       • SPAM and DoS from botnets
       • Without architectural support, every memory corruption vulnerability is an opportunity to hijack control flow

  6. Securing commodity software
       • Minos supports an untyped, linear address space
       • Allows us to secure commodity software
       • Supports code as data (dynamic libraries, JITs)
       • Modification of source code is optional, but helpful
       • Minos implements a simple, low-level security policy that does not need to be customized to each application.

  7. Minos Security Goals
       • Control data attacks constitute the overwhelming majority of remote intrusions
       • Minos protects against remote control data attacks
       • Minos protects against local vulnerabilities, but only because the line between these and remote vulnerabilities is not clear

  8. Biba's Low-water-mark Integrity Policy
       • Security properties: Integrity, Confidentiality, Availability
       • Tracks the taintedness of data
       • Access controls are based on accesses a subject has made in the past

  9. Biba's Low-water-mark Integrity Policy (Formally)
       • Any subject may modify any object if the integrity of the object is not greater than that of the subject
       • Any subject may read any object; the subject's integrity is lowered to the minimum of the object's integrity and its own
       • Notorious for its monotonic behavior

  10. The Minos Architecture
       • Integrity bit kept with every word of L1 cache
       • Integrity bits grouped into words in L2 cache
       • Integrity bits grouped into pages in VM

  11. Gratuitous Dante Quote
       "Minos the dreadful snarls at the gate, and wraps himself in his tail with as many turns as levels down that shade will have to dwell"

  12. Two Implementations
       • Linux
       • Windows Whistler and XP
       • Full system emulation
       • SPEC benchmarks are statically compiled binaries that do not use the network
       • A proof-of-concept was needed because of the low-water-mark policy

  13. OS Changes
       • Read system call forces data low integrity unless
           - The ctime and mtime of the inode are before an establishment time, OR
           - The inode points to a pipe between lightweight processes that share the same address space
       • Network sockets, readv()s, and pread()s are forced low integrity unconditionally

  14. OS Changes (Continued)
       • Establishment time requirement applies to mmap()ed files
       • A static binary may be mounted and executed if it is flushed to the disk first
       • More user friendly methods of defining trust could be developed

  15. Quantitative Measures
       • Stability
       • Monotonic loss of system integrity?
       • Virtual Memory Performance
       • Hardware investment in cache system
       • Slightly increased pressure on VM swapping

  16. One Month of a Minos Web Server

  17. SPEC2000 gcc

  18. Virtual Memory Swapping
       [Diagram labels: Memory; Swap drive; 4kb Page w/ tags; Tags (128 bytes); 4kb Page (no tags); 4kb Page w/ tags]

  19. Virtual Memory Swapping: Experimental Methodology
       • Minos-enabled Linux vs. unmodified Linux
       • 1.6 GHz Pentium 4 with 256 MB RAM
       • 512 MB Swap Space
       • Used mlocks() to take away memory
       • 4 SPEC2000 benchmarks

  20. [Plot panels: vpr, mcf, gcc, bzip2]

  21. Qualitative Measures
       • Real attacks
       • Many return pointer protection papers erroneously cite Code Red as motivation
       • Two attacks (innd and su-dtors) caused changes to our original, simple policy
       • We designed attacks specifically to subvert Minos

  22. How to catch worms

  23. Only one false positive

  24. Actually a non-target pest

  25. Attacks tested on Minos

       | Attack        | Real Vulnerability? | Remote?         | Vulnerability Type         | Caught? |
       |---------------|---------------------|-----------------|----------------------------|---------|
       | rpc.statd     | Yes                 | Remote          | Format string              | Yes     |
       | traceroute    | Yes                 | Local           | Double free()              | Yes     |
       | su-dtors      | Yes                 | Possibly remote | Format string              | Yes     |
       | wu-ftpd       | Yes                 | Remote          | Format string              | Yes     |
       | wu-ftpd       | Yes                 | Remote          | Heap globbing              | Yes     |
       | innd          | Yes                 | Remote          | Buffer overflow            | Yes     |
       | hannibal      | Yes                 | Remote          | Format string              | Yes     |
       | Windows DCOM  | Yes                 | Remote          | Buffer overflow            | Yes     |
       | Windows LSASS | Yes                 | Remote          | Buffer overflow            | Yes     |
       | tigger        | No                  | Local           | long_jmp() buffer          | Yes     |
       | str2int       | No                  | Local           | Buffer overflow            | Yes     |
       | offbyone      | No                  | Local           | Off-by-one buffer overflow | Yes     |
       | virt          | No                  | Local           | Virtual function pointers  | Yes     |
       | envvar        | No                  | Local           | Environment variables      | Yes     |
       | longstr       | No                  | Local           | Hypothetical format string | Yes     |

  26. Attacks By Others

       | Attack          | Known Exploit? | Remote? | Vulnerability                     | Caught? |
       |-----------------|----------------|---------|-----------------------------------|---------|
       | Linux wu-ftpd   | No             | Remote  | Heap globbing                     | Yes     |
       | Code Red II     | Yes            | Remote  | Buffer overflow in ASCII->UNICODE | Yes     |
       | SQL Server 2000 | No             | Remote  | Buffer overflow in authentication | Yes     |

  27. More info
       • Minos architecture [Crandall, Chong, Micro 2004]
       • Minos security assessment [Crandall, Chong, WASSA 2004]
       • http://minos.cs.ucdavis.edu
       • Minos emulated system
       • If you break it, please leave a text file in /root

  28. Minos Issues
       • Bit-width conversions are problematic
       • Code Red vs. Sun SDK
       • Load/store addresses are problematic
       • Procedure Linkage Table (PLT)
       • Controlled increment

  29. Bit-Width Policies
       • All 8- and 16-bit immediates are low integrity
       • All 8- and 16-bit loads/stores have the integrity of the addresses used checked (possible because no 8- and 16-bit ptrs)
       • Misaligned 32-bit loads/stores are assumed low integrity
       • Code Red exploits ASCII->Unicode bit conversion

  30. JIT Compatibility
       • Sun Java SDK must be run in compatibility mode:
       • All 8-bit and 16-bit immediates are high integrity
       • Could allow arbitrary 32-bit high integrity control data
       • For security reasons, the JIT should be slightly modified

  31. A fundamental tradeoff
       • Can only do one of:
           1) Check addresses for control data 32-bit loads/stores
           2) Check all operands to an operation
       • Else many false positives
       • Size argument for heap malloc from user
       • Entire heap becomes low integrity

  32. Breaking Minos
       • We couldn't break Minos
       • So we looked at current best practices
       • Non-executable pages
       • StackGuard
       • Random placement of library routines
       • But Minos is in theory vulnerable

  33. Hannibal
       • Exploits format string vulnerability in wu-ftpd
       • Upload a binary called jailbreak via anonymous FTP
       • Switch rename() with execv() in PLT using a format string attack
       • Request to rename jailbreak becomes execv()
       • (Not really this simple)

  34. Information Flow Problems
       • if (LowIntegrityData == 5) HighIntegrityData = 5;
       • HighIntegrityData = HighIntegrityLookupTable[LowIntegrityData];
       • HighIntegrityData = 0; while (LowIntegrityData--) HighIntegrityData++;

  35. Minos is securable
       • Modifications of the library code and the linking mechanisms could secure a Minos system with a high degree of assurance by
           - Taking away the power of arbitrary copy primitives with a Secure PLT
           - Avoiding code that gives attackers abilities like a controlled increment

  36. Related Work
       • Capability systems
       • AS/400, iAPX 432
       • M Machine, Mondriaan
       • Dynamic Information Flow (MIT)
       • Buffer Overflow Protection (UCSD)
       • Minos is distinguished by its simple policy

  37. Future Work
       • Nearly the same HW as soft-error detection [Weaver, Emer, Mukherjee ISCA04]
       • Similar to NAT bit for speculation on Itanium
       • Leverage tag bit on PowerPC AS used for microcode

  38. Collaborative Network Defense
       • Minos honeypot detects worms
       • DACODA analysis tool creates filter
       • Buttercup network hardware protects all hosts

  39. DMA and Port I/O
       • All DMA and Port I/O is assumed high integrity
       • Any data off the network will be read and forced low integrity
       • It will stay low integrity because of the establishment time requirement
       • Consider the alternative

  40. Specific Concerns for Minos
       • Arbitrary copy primitives
       • Sandboxed PLT
       • Format string attacks using long strings rather than size specifiers
       • Minos does stop the longstr attack
       • Dangling pointers
       • Need arbitrary copy primitive

  41. Security Comparison
       • Minos
       • G. Edward Suh, Jae W. Lee, and Srinivas Devadas. "Secure Program Execution via Dynamic Information Flow Tracking", ASPLOS XI
       • Two different policies
       • Current best practices

  42. Three Classes of Control Data Attacks
       a) Overwrite control data with untrusted data
       b) Cause control data to be loaded/stored to/from the wrong place
       c) Cause control data to be loaded from the right place but at the wrong time

  43. Minos
       • Protection against (a) is explicit
       • Protection against (b) only for 8- and 16-bit data
       • Arbitrary copy primitive needed for (c)

  44. Information Flow Tracking
       • Policy 1 does not fully protect against (a)
       • Both policies protect against (b) by checking the integrity of addresses used for all loads and stores
       • Policy 1 does not fully protect against (c)

  45. A Fundamental Tradeoff

           chunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                   | prev_size of previous chunk (if p=1)                          |
                   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                   | size of chunk, in bytes                                     |p|
             mem-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                   | User data starts here...                                      .
                   .                                                               .
                   . (malloc_usable_space() bytes)                                 .
                   .                                                               |
       nextchunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                   | size of chunk                                                 |
                   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
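
The integrity-bit propagation and control-transfer check from slides 3, 4, 9 and 34, modelled in C as an added example; it is not code from the presentation or from Minos itself. The `word_t` type, the helper names and the addresses are assumptions of this sketch, which tracks one bit per word and leaves out the bit-width and load/store address rules.

```c
#include <stdbool.h>
#include <stdint.h>

/* Simplified model (assumption): a machine word plus the one integrity bit
 * that Minos keeps with every word. All names below are hypothetical. */
typedef struct { uint32_t value; bool high; } word_t;
/* Data from the trusted, established binary is high integrity. */
static word_t trusted(uint32_t v) { return (word_t){ v, true }; }

/* Data read from the network is forced low integrity (slide 13). */
static word_t from_network(uint32_t v) { return (word_t){ v, false }; }

/* Low-water-mark: a result is as low as its lowest operand (slide 9). */
static word_t w_add(word_t a, word_t b) {
    return (word_t){ a.value + b.value, a.high && b.high };
}

/* Control-transfer check: a low integrity word may not reach the PC. */
static bool jump_allowed(word_t target) { return target.high; }

/* Slide 4: input overwrites the function pointer itself. */
bool overwritten_pointer_jumps(void) {
    word_t f = trusted(0x08048000u);   /* constructed address */
    f = from_network(0x41414141u);     /* constructed input */
    return jump_allowed(f);
}

/* Slide 3: data used to calculate control data is control data too. */
bool tainted_offset_jumps(void) {
    return jump_allowed(w_add(trusted(0x08048000u), from_network(16u)));
}

/* Ordinary case: trusted base plus a trusted constant offset. */
bool trusted_offset_jumps(void) {
    return jump_allowed(w_add(trusted(0x08048000u), trusted(16u)));
}

/* Slide 34, first snippet: low integrity data picks the value through a
 * branch only, so no tag is propagated and the jump is allowed. */
bool implicit_flow_jumps(void) {
    word_t low = from_network(5u), target = trusted(0u);
    if (low.value == 5u) target = trusted(5u);
    return jump_allowed(target);
}

int main(void) {
    return (!overwritten_pointer_jumps() && !tainted_offset_jumps() &&
            trusted_offset_jumps() && implicit_flow_jumps()) ? 0 : 1;
}
```

The last case is the gap slide 34 names: the tag follows data movement, not control dependence, which is why slide 35 asks for library and linker changes on top of the hardware check.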
