ret2dir: Rethinking kernel isolation

Proceedings of the 23rd USENIX Security Symposium

Volumn , Issue , 2014, Pages 957-972

  Kemerlis, Vasileios P ^a   Polychronakis, Michalis ^a   Keromytis, Angelos D ^a  

^a Och Spine at New York Presbyterian Hospitals   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

VIRTUAL ADDRESSES;

DESIGN AND IMPLEMENTATIONS; EXPLOITATION TECHNIQUES; FUNDAMENTAL DESIGN; HARDWARE SUPPORTS; PHYSICAL MEMORY; RUNTIME OVERHEADS; SOFTWARE AND HARDWARES; VIRTUAL ADDRESS SPACE;

LINUX;

EID: 84939170403     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (95)

1. Pagemap, from the userspace perspective, December 2008. https://www.kernel.org/doc/Documentation/vm/pagemap.txt.
2. ACCETTA, M. J., and BARON., R. V., BOLOSKY, W. J., GOLUB, D. B., and RASHID., R. F., TEVANIAN, A., and YOUNG, M. Mach: A New Kernel Foundation for UNIX Development. In Proc. of USENIX Summer (1986), pp. 93-113.
3. ARGYROUDIS, P. Binding the Daemon: FreeBSD Kernel Stack and Heap Exploitation. In Black Hat USA (2010).
4. ARM® ARCHITECTURE REFERENCE MANUAL. ARM®v7-A and ARM®v7-R edition. Tech. rep., Advanced RISC Machine (ARM), July 2012.
5. BEN HAYAK. The Kernel is calling a zero(day) pointer-CVE-2013-5065 - Ring Ring, December 2013. http://blog.spiderlabs.com/2013/12/the-kernel-is-calling-a-zeroday-pointer-cve-2013-5065-ring-ring.html.
6. BONWICK, J. The Slab Allocator: An Object-Caching Kernel Memory Allocator. In Proc. of USENIX Summer (1994), pp. 87-98.
7. rd ed. 2005, ch. Memory Management, pp. 294-350.
8. CHECKOWAY, S., DAVI, L., DMITRIENKO, A., SADEGHI, A.-R., SHACHAM, H., and WINANDY, M. Return-Oriented Programming without Returns. In Proc. of CCS (2010), pp. 559-572.
9. CHEN, H., MAO, Y., WANG, X., ZHOU, D., ZELDOVICH, N., and KAASHOEK, M. F. Linux kernel vulnerabilities: State-of-the-art defenses and open problems. In Proc. of APsys (2011), pp. 51-55.
10. COMMON VULNERABILITIES and EXPOSURES. CVE-2005-0736, March 2005.
11. COMMON VULNERABILITIES and EXPOSURES. CVE-2009-1527, May 2009.
12. COMMON VULNERABILITIES and EXPOSURES. CVE-2009-2698, August 2009.
13. COMMON VULNERABILITIES and EXPOSURES. CVE-2009-3002, August 2009.
14. COMMON VULNERABILITIES and EXPOSURES. CVE-2009-3234, September 2009.
15. COMMON VULNERABILITIES and EXPOSURES. CVE-2009-3547, October 2009.
16. COMMON VULNERABILITIES and EXPOSURES. CVE-2010-2959, August 2010.
17. COMMON VULNERABILITIES and EXPOSURES. CVE-2010-3437, September 2010.
18. COMMON VULNERABILITIES and EXPOSURES. CVE-2010-3904, October 2010.
19. COMMON VULNERABILITIES and EXPOSURES. CVE-2010-4073, October 2010.
20. COMMON VULNERABILITIES and EXPOSURES. CVE-2010-4347, November 2010.
21. COMMON VULNERABILITIES and EXPOSURES. CVE-2012-0946, February 2012.
22. COMMON VULNERABILITIES and EXPOSURES. CVE-2013-0268, December 2013.
23. COMMON VULNERABILITIES and EXPOSURES. CVE-2013-1828, February 2013.
24. COMMON VULNERABILITIES and EXPOSURES. CVE-2013-2094, February 2013.
25. COMMON VULNERABILITIES and EXPOSURES. CVE-2013-2852, April 2013.
26. COMMON VULNERABILITIES and EXPOSURES. CVE-2013-2892, August 2013.
27. COMMON VULNERABILITIES and EXPOSURES. CVE-2013-4343, June 2013.
28. CORBET, J. Virtual Memory I: the problem, March 2004. http://lwn.net/Articles/75174/.
29. CORBET, J. An updated guide to debugfs, May 2009. http://lwn.net/Articles/334546/.
30. CORBET, J. How many page flags do we really have?, June 2009. http://lwn.net/Articles/335768/.
31. CORBET, J. Supervisor mode access prevention, October 2012. http://lwn.net/Articles/517475/.
32. CORBET, J., KROAH-HARTMAN, G., and MCPHERSON, A. Linux Kernel Development. Tech. rep., Linux Foundation, September 2013.
33. DING, Y., WEI, T., WANG, T., LIANG, Z., and ZOU, W. Heap Taichi: Exploiting Memory Allocation Granularity in Heap-Spraying Attacks. In Proc. of ACSAC (2010), pp. 327-336.
34. DISTROWATCH. Put the fun back into computing. Use Linux, BSD., November 2013. http://distrowatch.com.
35. EDGE, J. Kernel address space layout randomization, October 2013. http://lwn.net/Articles/569635/.
36. EXPLOIT DATABASE. EBD-131, December 2003.
37. EXPLOIT DATABASE. EBD-16835, September 2009.
38. EXPLOIT DATABASE. EBD-14814, August 2010.
39. EXPLOIT DATABASE. EBD-15150, September 2010.
40. EXPLOIT DATABASE. EBD-15285, October 2010.
41. EXPLOIT DATABASE. EBD-15916, January 2011.
42. EXPLOIT DATABASE. EBD-17391, June 2011.
43. EXPLOIT DATABASE. EBD-17787, September 2011.
44. EXPLOIT DATABASE. EBD-20201, August 2012.
45. EXPLOIT DATABASE. EBD-24555, February 2013.
46. GEORGE, V, PIAZZA, T., and JIANG, H. Technology Insight: Intel©Next Generation Mcroarchitecture Codename Ivy Bridge, September 2011. http://www.intel.com/idf/library/pdf/sf_2011/SF11_SPCS005_101F.pdf.
47. GOOGLE. Android, November 2013. http://www.android.com.
48. GOOGLE. Chromium OS, November 2013. http://www.chromium.org/chromium-os.
49. HARDY, N. The Confused Deputy: (or why capabilities might have been invented). SIGOPS Oper. Syst. Rev. 22 (October 1988), 36-38.
50. HERDER, J. N., BOS, H., GRAS, B., HOMBURG, P., and TANENBAUM, A. S. MINIX 3: A Highly Reliable, Self-Repairing Operating System. SIGOPS Oper. Syst. Rev. 40, 3 (July 2006), 80-89.
51. HUND, R., HOLZ, T., and FREILING, F. C. Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms. In Proc. ofUSENIXSec (2009), pp. 384-398.
52. HUNT, G. C, and LARUS, J. R. Singularity: Rethinking the Software Stack. SIGOPS Oper. Syst. Rev. 41, 2 (April 2007), 37-49.
53. INGO MOLNAR. 4G/4G split on x86, 64 GB RAM (and more) support, July 2003. http://lwn.net/Articles/39283/.
54. INTEL® 64 AND IA-32 ARCHITECTURES SOFTWARE DEVELOPER'S MANUAL. Instruction Set Extensions Programming Reference. Tech. rep., Intel Corporation, January 2013.
55. INTEL® 64 AND IA-32 ARCHITECTURES SOFTWARE DEVELOPER'S MANUAL. System Programming Guide, Part 1. Tech. rep., Intel Corporation, September 2013.
56. JANA, S., and SHMATIKOV, V. Memento: Learning Secrets from Process Footprints. In Proc. of IEEE S & P (2012), pp. 143-157.
57. KEMERLIS, V. P., PORTOKALIDIS, G., and KEROMYTIS, A. D. kGuard: Lightweight Kernel Protection against Return-to-user Attacks. In Proc. of USENIX Sec (2012), pp. 459-474.
58. KILLIAN, T. J. Processes as Files. In Proc. of USENIX Summer (1984), pp. 203-207.
59. KING, R. Kernel Memory Layout on ARM Linux, November 2005. https://www.kernel.org/doc/Documentation/arm/memory.txt.
60. KLEEN, A. Memory Layout on amd64 Linux, July 2004. https://www.kernel.org/doc/Documentation/x86/x86_64/mm.txt.
61. KNOWLTON, K. C. A fast storage allocator. Commun. ACM 8, 10 (October 1965), 623-624.
62. KOLDINGER, E. J., and CHASE., J. S., and EGGERS, S. J. Architecture Support for Single Address Space Operating Systems. In Proc. ofASPLOS (1992), pp. 175-186.
63. KURMUS, A., TARTLER, R., DORNEANU, D., HEINLOTH, B., ROTHBERG, V., RUPRECHT, A., SCHRÖDER-PREIKSCHAT, W., LOHMANN, D., AND KAPITZA, R. Attack Surface Metrics and Automated Compile-Time OS Kernel Tailoring. In Proc. of NDSS (2013).
64. LAMETER, C. Generic Virtual Memmap support for SPARSEMEM v3, April 2007. http://lwn.net/Articles/229670/.
65. LIAKH, S. NX protection for kernel data, July 2009. http://lwn.net/Articles/342266/.
66. LIEDTKE, J. On jU-Kernel Construction. In Proc. of SOSP (1984), pp. 237-250.
67. nd ed. 2005, ch. Memory Management, pp. 181-208.
68. MARINAS, C. arm64: Distinguish between user and kernel XN bits, November 2012. https://forums.grsecurity.net/viewtopic.php?f=7&t=3292.
69. MARINAS, C. Memory Layout on AArch64 Linux, February 2012. https://www.kernel.org/doc/Documentation/arm64/memory.txt.
70. nd ed. 2006, ch. File System Framework, pp. 710-710.
71. MOKB. Broadcom Wireless Driver Probe Response SSID Overflow, November 2006.
72. MOZILLA. Firefox OS, November 2013. https://www.mozilla.org/en-US/firefox/os/.
73. NATIONAL VULNERABILITY DATABASE. Kernel Vulnerabilities, November 2013. http://goo.gl/GJpw0b.
74. NILS AND JON. Polishing Chrome for Fun and Profit, August 2013. http://goo.gl/b5hmjj.
75. OFFENSIVE SECURITY. The Exploit Database, November 2013. http://www.exploit-db.com.
76. ORMANDY, T., and TINNES, J. Linux ASLR Curiosities. In CanSecWest (2009).
77. PAX. Homepage of The PaX Team, November 2013. http://pax.grsecurity.net.
78. PAX TEAM. UDEREF/i386, April 2007. http://grsecurity.net/~spender/uderef.txt.
79. PAX TEAM. UDEREF/amd64, April 2010. http://grsecurity.net/pipermail/grsecurity/2010-April/001024.html.
80. PAX TEAM. Better kernels with GCC plugins, October 2011. http://lwn.net/Articles/461811/.
81. PERLA, E., and OLDANI, M. A Guide To Kernel Exploitation: Attacking the Core. 2010, ch. Stairway to Successful Kernel Exploitation, pp. 47-99.
82. PTS. Phoronix Test Suite, February 2014. http://www.phoronix-test-suite.com.
83. RAMON DE CARVALHO VALLE & PACKET STORM. sock-sendpage() NULL pointer dereference (PPC/PPC64 exploit), September 2009. http://packetstormsecurity.org/files/81212/Linux-sock_sendpage-NULL-Pointer-Dereference.html.
84. RIZZO, L. Netmap: A Novel Framework for Fast Packet I/O. In Proc. of USENIX ATC (2012), pp. 101-112.
85. ROSENBERG, D. Owned Over Amateur Radio: Remote Kernel Exploitation in 2011. In Proc. of DEF CON® (2011).
86. SECURITYFOCUS. Linux Kernel 'perf-counter-open()' Local Buffer Overflow Vulnerability, September 2009.
87. SHACHAM, H. The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86). In Proc. of CCS (2007), pp. 552-61.
88. SINAN EREN. Smashing The Kernel Stack For Fun And Profit. Phrack 6, 60 (December 2002).
89. SPENGLER, B. Enlightenment Linux Kernel Exploitation Framework, July 2013. https://grsecurity.net/~spender/exploits/enlightenment.tgz.
90. SPENGLER, B. Recent ARM security improvements, February 2013. https://forums.grsecurity.net/viewtopic.php?f=7&t=3292.
91. SQRKKYU, AND TWZI. Attacking the Core: Kernel Exploiting Notes. Phrack 6, 64 (May 2007).
92. VAN DE VEN, A. Debug option to write-protect ro-data: the write protect logic and config option, November 2005. http://lkml.indiana.edu/hypermail/linux/kernel/0511.0/2165.html.
93. VAN DE VEN, A. Add-fstack-protector support to the kernel, July 2006. http://lwn.net/Articles/193307/.
94. VAN DE VEN, A. x86: add code to dump the (kernel) page tables for visual inspection, February 2008. http://lwn.net/Articles/267837/.
95. YU, F. Enable/Disable Supervisor Mode Execution Protection, May 2011. http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit; h=de5397ad5b9ad22e2401c4dacdf1bb3b19c05679.