Enforcing Kernel Security Invariants with Data Flow Integrity

23rd Annual Network and Distributed System Security Symposium, NDSS 2016

Volumn , Issue , 2016, Pages

  Song, Chengyu ^a   Lee, Byoungyoung ^a   Lu, Kangjie ^a   Harris, William ^a   Kim, Taesoo ^a   Lee, Wenke ^a  

^a GEORGIA INSTITUTE OF TECHNOLOGY   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

COMPUTER OPERATING SYSTEMS; CONTROL SYSTEMS;

ACCESS CONTROL SYSTEMS; CONTROL-FLOW; DATAFLOW; HIGHER-LEVEL SECURITY; NON-CONTROL DATA ATTACKS; OPERATION SYSTEM; PROTECTION MECHANISMS; SECURITY MECHANISM; SYSTEM KERNEL; TRUSTED COMPUTING BASE;

ACCESS CONTROL;

EID: 85135962401     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.14722/ndss.2016.23218     Document Type: Conference Paper

References (68)

1. M. Abadi, M. Budiu, Ú. Erlingsson, and J. Ligatti, “Control-flow integrity,” in ACM Conference on Computer and Communications Security (CCS), 2005.
2. A. V. Aho, R. Sethi, and J. D. Ullman, Compilers: Principles, Techniques, and Tools. Addison-Wesley, 1986.
3. P. Akritidis, C. Cadar, C. Raiciu, M. Costa, and M. Castro, “Preventing memory error exploits with WIT,” in IEEE Symposium on Security and Privacy (Oakland), 2008.
4. J. P. Anderson, “Computer security technology planning study,” U.S. Air Force Electronic Systems Division, Deputy for Command and Management Systems, HQ Electronic Systems Division (AFSC), Tech. Rep. ESD-TR-73-51, 1972.
5. Android Open Source Project, “Verified boot,” https://source.android.com/ devices/tech/security/verifiedboot/index.html.
6. W. Arbaugh, D. J. Farber, J. M. Smith et al., “A secure and reliable bootstrap architecture,” in IEEE Symposium on Security and Privacy (Oakland), 1997.
7. ARM Limited, ARM Architecture Reference Manual. ARMv8, for ARMv8- A architecture profile. ARM Limited, 2015.
8. K. Ashcraft and D. R. Engler, “Using programmer-written compiler extensions to catch security holes,” in IEEE Symposium on Security and Privacy (Oakland), 2002.
9. A. M. Azab, P. Ning, J. Shah, Q. Chen, R. Bhutkar, G. Ganesh, J. Ma, and W. Shen, “Hypervision across worlds: Real-time kernel protection from the arm trustzone secure world,” in ACM Conference on Computer and Communications Security (CCS), 2014.
10. A. Baliga, V. Ganapathy, and L. Iftode, “Automatic inference and enforcement of kernel data structure invariants,” in Annual Computer Security Applications Conference (ACSAC), 2008.
11. T. Ball, E. Bounimova, B. Cook, V. Levin, J. Lichtenberg, C. McGarvey, B. Ondrusek, S. K. Rajamani, and A. Ustuner, “Thorough static analysis of device drivers,” in ACM EuroSys Conference, 2006, pp. 73-85.
12. J. Bonwick and B. Moore, “Zfs: The last word in file systems,” 2007.
13. M. Carbone, W. Cui, L. Lu, W. Lee, M. Peinado, and X. Jiang, “Mapping kernel objects to enable systematic integrity checking,” in ACM Conference on Computer and Communications Security (CCS), 2009.
14. N. Carlini, A. Barresi, M. Payer, D. Wagner, and T. R. Gross, “Controlflow bending: On the effectiveness of control-flow integrity,” in Usenix Security Symposium, 2015.
15. M. Castro, M. Costa, and T. Harris, “Securing software by enforcing data-flow integrity,” in Symposium on Operating Systems Design and Implementation (OSDI), 2006.
16. M. Castro, M. Costa, J.-P. Martin, M. Peinado, P. Akritidis, A. Donnelly, P. Barham, and R. Black, “Fast byte-granularity software fault isolation,” in ACM Symposium on Operating Systems Principles (SOSP), 2009.
17. H. Chen and D. Wagner, “MOPS: an infrastructure for examining security properties of software,” in ACM Conference on Computer and Communications Security (CCS), 2002.
18. H. Chen, Y. Mao, X. Wang, D. Zhou, N. Zeldovich, and M. F. Kaashoek, “Linux kernel vulnerabilities: State-of-the-art defenses and open problems,” in Asia-Pacific Workshop on Systems (APSys), 2011.
19. J. Chen, “Andersen’s inclusion-based pointer analysis re-implementation in llvm,” https://github.com/grievejia/andersen/tree/field-sens.
20. S. Chen, J. Xu, E. C. Sezer, P. Gauriar, and R. K. Iyer, “Non-control-data attacks are realistic threats,” in Usenix Security Symposium, 2005.
21. M. Conti, S. Crane, L. Davi, M. Franz, P. Larsen, C. Liebchen, M. Negro, M. Qunaibit, and A. R. Sadeghi, “Losing control: On the effectiveness of control-flow integrity under stack attacks,” in ACM Conference on Computer and Communications Security (CCS), 2015.
22. J. Criswell, N. Dautenhahn, and V. Adve, “KCoFI: Complete control-flow integrity for commodity operating system kernels,” in IEEE Symposium on Security and Privacy (Oakland), 2014.
23. J. Criswell, A. Lenharth, D. Dhurjati, and V. Adve, “Secure virtual architecture: A safe execution environment for commodity operating systems,” in ACM Symposium on Operating Systems Principles (SOSP), 2007.
24. N. Dautenhahn, T. Kasampalis, W. Dietz, J. Criswell, and V. Adve, “Nested kernel: An operating system architecture for intra-kernel privilege separation,” in International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS), 2015.
25. U. Erlingsson, M. Abadi, M. Vrable, M. Budiu, and G. C. Necula, “Xfi: Software guards for system address spaces,” in Symposium on Operating Systems Design and Implementation (OSDI), 2006.
26. I. Evans, S. Fingeret, J. Gonzalez, U. Otgonbaatar, T. Tang, H. Shrobe, S. Sidiroglou-Douskos, M. Rinard, and H. Okhravi, “Missing the Point(er): On the Effectiveness of Code Pointer Integrity,” in IEEE Symposium on Security and Privacy (Oakland), 2015.
27. I. Evans, F. Long, U. Otgonbaatar, H. Shrobe, M. Rinard, H. Okhravi, and S. Sidiroglou-Douskos, “Control jujutsu: On the weaknesses of finegrained control flow integrity,” in ACM Conference on Computer and Communications Security (CCS), 2015.
28. H. Hu, Z. L. Chua, S. Adrian, P. Saxena, and Z. Liang, “Automatic generation of data-oriented exploits,” in Usenix Security Symposium, 2015.
29. R. Hund, C. Willems, and T. Holz, “Practical Timing Side Channel Attacks Against Kernel Space ASLR,” in IEEE Symposium on Security and Privacy (Oakland), 2013.
30. Intel, “Intel kernel-guard technology,” https://01.org/intel-kgt.
31. Intel, “Introduction to intel memory protection extensions,” https://software.intel.com/en-us/articles/introduction-to-intel-memoryprotection- extensions.
32. R. Johnson and D. Wagner, “Finding user/kernel pointer bugs with type inference.” in Usenix Security Symposium, 2004.
33. V. P. Kemerlis, G. Portokalidis, and A. D. Keromytis, “kguard: Lightweight kernel protection against return-to-user attacks,” in Usenix Security Symposium, 2012.
34. Y. Kim, R. Daly, J. Kim, C. Fallin, J. H. Lee, D. Lee, C. Wilkerson, K. Lai, and O. Mutlu, “Flipping bits in memory without accessing them: An experimental study of dram disturbance errors,” in Annual International Symposium on Computer Architecture (ISCA), 2014.
35. G. Klein, K. Elphinstone, G. Heiser, J. Andronick, D. Cock, P. Derrin, D. Elkaduwe, K. Engelhardt, R. Kolanski, M. Norrish et al., “sel4: Formal verification of an os kernel,” in ACM Symposium on Operating Systems Principles (SOSP), 2009.
36. V. Kuznetsov, L. Szekeres, M. Payer, G. Candea, R. Sekar, and D. Song, “Code-pointer integrity,” in Symposium on Operating Systems Design and Implementation (OSDI), 2014.
37. C. Lameter, “Slub: The unqueued slab allocator,” http://lwn.net/Articles/ 223411/, 2007.
38. D. Larochelle and D. Evans, “Statically detecting likely buffer overflow vulnerabilities.” in Usenix Security Symposium, 2001.
39. J. Li, Z. Wang, X. Jiang, M. Grace, and S. Bahram, “Defeating returnoriented rootkits with return-less kernels,” in European Symposium on Research in Computer Security (ESORICS), 2010.
40. J. Li, M. N. Krohn, D. Mazières, and D. Shasha, “Secure untrusted data repository (sundr),” in Symposium on Operating Systems Design and Implementation (OSDI), 2004.
41. Z. Lin, J. Rhee, X. Zhang, D. Xu, and X. Jiang, “Siggraph: Brute force scanning of kernel data structure instances using graph-based signatures.” in Network and Distributed System Security Symposium (NDSS), 2011.
42. LLVM, “The LLVM compiler infrastructure project,” llvm.org, 2015.
43. Y. Mao, H. Chen, D. Zhou, X. Wang, N. Zeldovich, and M. F. Kaashoek, “Software fault isolation with api integrity and multi-principal modules,” in ACM Symposium on Operating Systems Principles (SOSP), 2011.
44. L. W. McVoy, C. Staelin et al., “lmbench: Portable tools for performance analysis.” in ATC Annual Technical Conference (ATC), 1996.
45. C. Min, S. Kashyap, B. Lee, C. Song, and T. Kim, “Cross-checking semantic correctness: The case of finding file system bugs,” in ACM Symposium on Operating Systems Principles (SOSP), 2015.
46. MITRE, “Cve-2013-6282,” https://cve.mitre.org/cgi-bin/cvename.cgi? name=CVE-2013-6282, 2013.
47. G. C. Necula and P. Lee, “Safe kernel extensions without run-time checking,” in Symposium on Operating Systems Design and Implementation (OSDI), 1996.
48. J. Newsome and D. Song, “Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software,” in Network and Distributed System Security Symposium (NDSS), 2005.
49. Oracle, “Introduction to sparc m7 and application data integrity (adi),” https://swisdev.oracle.com/_files/What-Is-ADI.html.
50. M. Paolino, “ARM TrustZone and KVM Coexistence with RTOS For Automotive,” in ALS Japan, 2015.
51. PAX, “Homepage of the pax team,” https://pax.grsecurity.net/, 2013.
52. B. D. Payne, M. Carbone, M. Sharif, and W. Lee, “Lares: An architecture for secure active monitoring using virtualization,” in IEEE Symposium on Security and Privacy (Oakland), 2008.
53. N. L. Petroni Jr, T. Fraser, A. Walters, and W. A. Arbaugh, “An architecture for specification-based detection of semantic integrity violations in kernel dynamic data.” in Usenix Security Symposium, 2006.
54. N. L. Petroni Jr and M. Hicks, “Automated detection of persistent kernel control-flow attacks,” in ACM Conference on Computer and Communications Security (CCS), 2007.
55. A. Seshadri, M. Luk, N. Qu, and A. Perrig, “Secvisor: A tiny hypervisor to provide lifetime kernel code integrity for commodity oses,” in ACM Symposium on Operating Systems Principles (SOSP), 2007.
56. M. I. Sharif, W. Lee, W. Cui, and A. Lanzi, “Secure in-vm monitoring using hardware virtualization,” in ACM Conference on Computer and Communications Security (CCS), 2009.
57. S. Smalley and R. Craig, “Security enhanced (se) android: Bringing flexible mac to android.” in Network and Distributed System Security Symposium (NDSS), 2013.
58. A. Srivastava and J. Giffin, “Efficient protection of kernel data structures via object partitioning,” in Annual Computer Security Applications Conference (ACSAC), 2012.
59. “System error code,” https://msdn.microsoft.com/en-us/library/windows/ desktop/ms681382%28v=vs.85%29.aspx, 2001.
60. The IEEE and The Open Group, errno.h - system error numbers. The Open Group, 2013, the Open Group Base Specifications Issue 7, IEEE Std 1003.1, 2013 Edition, http://pubs.opengroup.org/onlinepubs/9699919799/ functions/rename.html.
61. The Linux Foundation, “Llvmlinux,” http://llvm.linuxfoundation.org/ index.php/Main_Page.
62. D. Wagner, J. S. Foster, E. A. Brewer, and A. Aiken, “A first step towards automated detection of buffer overrun vulnerabilities.” in Network and Distributed System Security Symposium (NDSS), 2000.
63. R. Wahbe, S. Lucco, T. E. Anderson, and S. L. Graham, “Efficient software-based fault isolation,” in ACM Symposium on Operating Systems Principles (SOSP), 1994.
64. X. Wang, H. Chen, Z. Jia, N. Zeldovich, and M. F. Kaashoek, “Improving integer security for systems with kint.” in Symposium on Operating Systems Design and Implementation (OSDI), 2012.
65. Z. Wang and X. Jiang, “Hypersafe: A lightweight approach to provide lifetime hypervisor control-flow integrity,” in IEEE Symposium on Security and Privacy (Oakland), 2010.
66. J. Yang, T. Kremenek, Y. Xie, and D. Engler, “Meca: an extensible, expressive system and language for statically checking security properties,” in ACM Conference on Computer and Communications Security (CCS), 2003.
67. B. Yee, D. Sehr, G. Dardyk, J. B. Chen, R. Muth, T. Ormandy, S. Okasaka, N. Narula, and N. Fullagar, “Native client: A sandbox for portable, untrusted x86 native code,” in IEEE Symposium on Security and Privacy (Oakland), 2009.
68. Y. Zhou, X. Wang, Y. Chen, and Z. Wang, “Armlock: Hardwarebased fault isolation for arm,” in ACM Conference on Computer and Communications Security (CCS), 2014.