PT-Rand: Practical Mitigation of Data-only Attacks against Page Tables

24th Annual Network and Distributed System Security Symposium, NDSS 2017

Volumn , Issue , 2017, Pages

  Davi, Lucas ^a   Gens, David ^b   Liebchen, Christopher ^b   Sadeghi, Ahmad Reza ^b  

^a UNIVERSITY OF DUISBURG ESSEN   (Germany)

^b DARMSTADT UNIVERSITY OF TECHNOLOGY   (Germany)

Author keywords

[No Author keywords available]

Indexed keywords

CODES (SYMBOLS); LINUX; NETWORK SECURITY;

ACCESS PERMISSIONS; CODE INJECTION; CODE REUSE; DESIGN AND IMPLEMENTATIONS; FULL CONTROL; HYPERVISORS; INTEGRITY CHECK; LINUX KERNEL; PAGE TABLE; PRACTICAL SOLUTIONS;

HARDENING;

EID: 85132864173     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.14722/ndss.2017.23421     Document Type: Conference Paper

References (56)

1. M. Abadi, M. Budiu, Ú. Erlingsson, and J. Ligatti. Control-flow integrity principles, implementations, and applications. ACM Transactions on Information System Security, 13, 2009.
2. Andi Kleen. x86_64 Linux Virtual Memory Map. http://www.kernel.org/doc/Documentation/x86/x86_64/mm.txt, 2004.
3. ARM. ARM architecture reference manual. http://silver.arm.com/download/ARM_and_AMBA_Architecture/AR150-DA-70000-r0p0-00bet9/DDI0487A_h_armv8_arm.pdf, 2015.
4. A. Azab, K. Swidowski, R. Bhutkar, J. Ma, W. Shen, R. Wang, and P. Ning. Skee: A lightweight secure kernel-level execution environment for arm. In 23rd Annual Network and Distributed System Security Symposium, NDSS, 2016.
5. A. M. Azab, P. Ning, J. Shah, Q. Chen, R. Bhutkar, G. Ganesh, J. Ma, and W. Shen. Hypervision across worlds: Real-time kernel protection from the arm trustzone secure world. In ACM SIGSAC Conference on Computer and Communications Security, CCS, 2014.
6. M. Backes and S. Nürnberger. Oxymoron: Making fine-grained memory randomization practical by allowing code sharing. In 23rd USENIX Security Symposium, USENIX Sec, 2014.
7. S. Bhatkar and R. Sekar. Data space randomization. In 5th Conference on Detection of Intrusions and Malware and Vulnerability Assessment, DIMVA, 2008.
8. D. Bigelow, T. Hobson, R. Rudd, W. Streilein, and H. Okhravi. Timely rerandomization for mitigating memory disclosures. In ACM SIGSAC Conference on Computer and Communications Security, CCS, 2015.
9. C. Cadar, P. Akritidis, M. Costa, J.-P. Martin, and M. Castro. Data randomization. Technical Report MSR-TR-2008-120, Microsoft Research, 2008.
10. S. Chen, J. Xu, E. C. Sezer, P. Gauriar, and R. K. Iyer. Non-control-data attacks are realistic threats. In 14th USENIX Security Symposium, USENIX Sec, 2005.
11. M. Conti, S. Crane, L. Davi, M. Franz, P. Larsen, C. Liebchen, M. Negro, M. Qunaibit, and A.-R. Sadeghi. Losing control: On the effectiveness of control-flow integrity under stack attacks. In ACM SIGSAC Conference on Computer and Communications Security, CCS, 2015.
12. S. Crane, C. Liebchen, A. Homescu, L. Davi, P. Larsen, A.-R. Sadeghi, S. Brunthaler, and M. Franz. Readactor: Practical code randomization resilient to memory disclosure. In 36th IEEE Symposium on Security and Privacy, S&P, 2015.
13. J. Criswell, N. Dautenhahn, and V. Adve. Kcofi: Complete control-flow integrity for commodity operating system kernels. In 35th IEEE Symposium on Security and Privacy, S&P, 2014.
14. CVE Details. Linux kernel: Vulnerability statistics. http://www.cvedetails.com/product/47/Linux-Linux-Kernel.html, 2016.
15. L. Davi, C. Liebchen, A.-R. Sadeghi, K. Z. Snow, and F. Monrose. Isomeron: Code randomization resilient to (Just-In-Time) return-oriented programming. In 22nd Annual Network and Distributed System Security Symposium, NDSS, 2015.
16. N. A. Economou and E. E. Nissim. Getting physical extreme abuse of intel based paging systems. https://www.coresecurity.com/system/files/publications/2016/05/CSW2016%20-%20Getting%20Physical% 20-%20Extended%20Version.pdf, 2016.
17. J. Edge. Kernel address space layout randomization. http://lwn.net/Articles/569635, 2013.
18. S. Esser. iOS kernel exploitation. In Blackhat Europe, BH EU, 2011.
19. X. Ge, N. Talele, M. Payer, and T. Jaeger. Fine-grained control-flow integrity for kernel software. In 1st IEEE European Symposium on Security and Privacy, Euro S&P, 2016.
20. X. Ge, H. Vijayakumar, and T. Jaeger. SPROBES: Enforcing kernel code integrity on the trustzone architecture. In Mobile Security Technologies, MoST, 2014.
21. C. Giuffrida, A. Kuijsten, and A. S. Tanenbaum. Enhanced operating system security through efficient and fine-grained address space randomization. In 21st USENIX Security Symposium, USENIX Sec, 2012.
22. Y. Gu, Y. Fu, A. Prakash, Z. Lin, and H. Yin. Os-sommelier: Memory-only operating system fingerprinting in the cloud. In 3rd ACM Symposium on Cloud Computing, SoCC, 2012.
23. H. Hu, Z. L. Chua, S. Adrian, P. Saxena, and Z. Liang. Automatic generation of data-oriented exploits. In 24th USENIX Security Symposium, USENIX Sec, 2015.
24. H. Hu, S. Shinde, A. Sendroiu, Z. L. Chua, P. Saxena, and Z. Liang. Data-oriented programming: On the expressiveness of non-control data attacks. In 37th IEEE Symposium on Security and Privacy, S&P, 2016.
25. R. Hund, T. Holz, and F. C. Freiling. Return-oriented rootkits: Bypassing kernel code integrity protection mechanisms. In 18th USENIX Security Symposium, USENIX Sec, 2009.
26. R. Hund, C. Willems, and T. Holz. Practical timing side channel attacks against kernel space ASLR. In 34th IEEE Symposium on Security and Privacy, S&P, 2013.
27. Intel. Intel 64 and IA-32 architectures software developer’s manual. http://www-ssl.intel.com/content/www/us/en/processors/architecturessoftware-developer-manuals.html, 2015.
28. A. Ionescu. Owning the image object file format, the compiler toolchain, and the operating system: Solving intractable performance problems through vertical engineering. www.alex-ionescu.com/?p=323, 2016.
29. Y. Kim, R. Daly, J. Kim, C. Fallin, J. H. Lee, D. Lee, C. Wilkerson, K. Lai, and O. Mutlu. Flipping bits in memory without accessing them: An experimental study of dram disturbance errors. In 41st Annual International Symposium on Computer Architecture, ISCA, 2014.
30. V. Kuznetsov, L. Szekeres, M. Payer, G. Candea, R. Sekar, and D. Song. Code-pointer integrity. In 11th USENIX Symposium on Operating Systems Design and Implementation, OSDI, 2014.
31. P. Larsen, A. Homescu, S. Brunthaler, and M. Franz. SoK: Automated software diversity. In 35th IEEE Symposium on Security and Privacy, S&P, 2014.
32. LTP developer. The linux test project. https://linux-test-project.github.io/, 2016.
33. K. Lu, C. Song, B. Lee, S. P. Chung, T. Kim, and W. Lee. Aslr-guard: Stopping address space leakage for code reuse attacks. In ACM SIGSAC Conference on Computer and Communications Security, CCS, 2015.
34. T. Mandt. Attacking the ios kernel: A look at "evasi0n". http://www.nislab.no/content/download/38610/481190/file/NISlecture201303.pdf, 2013.
35. L. McVoy and C. Staelin. Lmbench: Portable tools for performance analysis. In USENIX Technical Conference, ATEC, 1996.
36. T. Müller, F. C. Freiling, and A. Dewald. Tresor runs encryption securely outside ram. In 20th USENIX Security Symposium, USENIX Sec, 2011.
37. MWR Labs. MWR Labs Pwn2Own 2013 write-up - kernel exploit. http://labs.mwrinfosecurity.com/blog/2013/09/06/mwr-labs-pwn2own-2013-write-up-kernel-exploit, 2013.
38. MWR Labs. Windows 8 kernel memory protections bypass. http://labs.mwrinfosecurity.com/blog/2014/08/15/windows-8-kernel-memory-protections-bypass, 2014.
39. V. Pappas, M. Polychronakis, and A. D. Keromytis. Transparent ROP exploit mitigation using indirect branch tracing. In 22nd USENIX Security Symposium, USENIX Sec, 2013.
40. Perception Point Research Team. Analysis and exploitation of a linux kernel vulnerability (cve-2016-0728). http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/, 2016.
41. Phoronix. Phoronix test suite. http://www.phoronix-test-suite.com/, 2016.
42. S. Renaud. Technical analysis of the windows win32k.sys keyboard layout stuxnet exploit. http://web.archive.org/web/20141015182927/http://www.vupen.com/blog/20101018.Stuxnet_Win32k_Windows_Kernel_ 0Day_Exploit_CVE-2010-2743.php, 2010.
43. R. Riley, X. Jiang, and D. Xu. Guest-transparent prevention of kernel rootkits with vmm-based memory shadowing. In 11th International Symposium on Research in Attacks, Intrusions and Defenses, RAID, 2008.
44. F. L. Sang, V. Nicomette, and Y. Deswarte. I/O attacks in Intel PC-based architectures and countermeasures. In SysSec Workshop, SysSec, 2011.
45. A. Seshadri, M. Luk, N. Qu, and A. Perrig. Secvisor: A tiny hypervisor to provide lifetime kernel code integrity for commodity oses. ACM SIGOPS Operating Systems Review, 41(6):335–350, 2007.
46. H. Shacham. The geometry of innocent flesh on the bone: return-intolibc without function calls (on the x86). In ACM SIGSAC Conference on Computer and Communications Security, CCS, 2007.
47. H. Shacham, M. Page, B. Pfaff, E. Goh, N. Modadugu, and D. Boneh. On the effectiveness of address-space randomization. In ACM SIGSAC Conference on Computer and Communications Security, CCS, 2004.
48. K. Z. Snow, F. Monrose, L. Davi, A. Dmitrienko, C. Liebchen, and A. Sadeghi. Just-in-time code reuse: On the effectiveness of fine-grained address space layout randomization. In 34th IEEE Symposium on Security and Privacy, S&P, 2013.
49. C. Song, B. Lee, K. Lu, W. R. Harris, T. Kim, and W. Lee. Enforcing kernel security invariants with data flow integrity. In 23rd Annual Network and Distributed System Security Symposium, NDSS, 2016.
50. B. Spengler. Grsecurity. Internet [May, 2016]. Available on: http://grsecurity.net, 2016.
51. L. Szekeres, M. Payer, T. Wei, and D. Song. SoK: Eternal war in memory. In 34th IEEE Symposium on Security and Privacy, S&P, 2013.
52. P. Team. RAP: RIP ROP. https://pax.grsecurity.net/docs/PaXTeamH2HC15-RAP-RIP-ROP.pdf, 2015.
53. Trusted Computing Group. Tpm 1.2 protection profile. https://www.trustedcomputinggroup.org/tpm-1-2-protection-profile/, 2016.
54. Z. Wang and X. Jiang. Hypersafe: A lightweight approach to provide lifetime hypervisor control-flow integrity. In Security and Privacy (SP), 2010 IEEE Symposium on, pages 380–395. IEEE, 2010.
55. R. Wojtczuk. Subverting the xen hypervisor. In Blackhat USA, BH US, 2008.
56. R. Wojtczuk. Tsx improves timing attacks against kaslr. https://labs.bromium.com/2014/10/27/tsx-improves-timing-attacks-against-kaslr/, 2014.