SlideShare ist ein Scribd-Unternehmen logo

Analyzing Kernel Security and Approaches for Improving it

M
Milan Rajpara

This presentation gives a basic detail on kernel security and different approaches to improving it.

BildungTechnologie
1 von 27
Downloaden Sie, um offline zu lesen
Analyzing Kernel Security and Approaches for Improving It Milan Rajpara IT Systems and Network Security Gujarat Technological University C DAC Ahmedabad Pune
Agenda • Kernel Introduction • Necessity for Kernel Security • Kernel breach • Analyzing Kernel Security • Improving Approaches • Future Work Milan Rajpara October 8, 2013 2
What is Kernel ? • A computer program that manages input/output requests from software and translates them into data processing instructions for the central processing unit and other electronic components of a computer. [Wikipedia] • The kernel is a fundamental part of a modern computer's operating system. • OS rests on a outer ring, and application above that. Fig: Privilege rings for the x86 available in protected mode [Source: Wikipedia] Milan Rajpara October 8, 2013 3
Necessity for Kernel Security • Kernel, a vary basic (core) part of the Operating Systems • Single vulnerability will be exposes large number of systems • Increasing of Cloud Usage with Virtual Systems • Smartphones now is in every hand Milan Rajpara October 8, 2013 4
We talk on .. • Kernels for General Purpose Operating System • Some Linux flavor gives Server Optimized Kernel • Ex. Ubuntu older then 12.04, were gave this option. Since 12.04, linux-image-server is merged into linuximage-generic, there is no difference between Generic and Server kernel. [4] • Windows do not disclose. • Kernels which Constructed in C language • Almost kernels are in C • Improvement for Monolithic kernels • All work performed in Virtual environment • The Xen, and VMware used Milan Rajpara October 8, 2013 5
How Kernel Affected ? • By Kernel level rootkits • Manipulating pointers • Manipulating data • Direct Kernel Object Manipulation (DKOM) • By Boot-kits • Via hooking techniques • Direct Hardware or Firmware injection Milan Rajpara October 8, 2013 6
Effect of this Attacks • Escalate a process’ privileges by overwriting the process’ credentials • Hide itself by illicitly removing data structures identifying their presence from loaded drivers • Eliding task structures for the processes from the kernel’s process accounting list • Alter the overall behavior of OS without injecting any malicious code into the kernel address space, by just pointer manipulating. Milan Rajpara October 8, 2013 7
How to analyze the Kernel Security • Find the most critical objects of the kernel, without prior knowledge of the OS kernel data layout in memory • Identifying OS Kernel Objects for Run-time Security Analysis • Sort-out objects which are vulnerable to hijack • Do Kernel Data Disambiguation • This will make the system easy to analyze Milan Rajpara October 8, 2013 8
Most critical objects in Kernel • Windows and Linux, the core kernel part are mostly written in C • 40% inter-data structure relations are Pointer based • 35% of these are Generic Pointers • Pointers which defines at run time, no initial value or data type is associated • 28% kernel data structure are well known objects Milan Rajpara October 8, 2013 9
Generic Pointer Problem • It is the weak link in kernel security • Use of void pointers *, assists hackers to point somewhere else • Use of NULL pointers (to implements linklist), helps hackers to hide / change runtime objects. • Use of Casting in C • Enables the hackers to exploit data structure layout in physical memory Milan Rajpara October 8, 2013 10
To Find Critical Objects 1. Memory Mapping techniques • Travers address space from global variables via pointer dereferencing until reaching running object. • according to a predefined kernel data definition for each kernel version. 2. Value Invariant Approaches • Use the value invariants of certain fields or of a whole data structure as a signature to scan the memory for matching running instances. Ex. DeepScanner, DIMSIM • Drawbacks of this approaches - Not very accurate - Require a predefined definition of the kernel data layout - Not effective when memory mapping and object reachability information is not available. - High performance overhead Milan Rajpara October 8, 2013 11
To Find Critical Objects 3. DIGGER [1] • Uncover all system runtime objects without any prior knowledge of the OS kernel data layout in memory. • First it performs offline and constructs type-graph (which is used to enable systematic memory traversal of the object details). • Then it uses the 4-byte pool memory tagging schema (to uncover kernel runtime objects from the kernel address space.) • (+) • Accurate result • Low performance overhead • Fast and nearly complete coverage Milan Rajpara October 8, 2013 12
DIGGER & KDD • DIGGER uses the KDD (Kernel Data Disambiguator) to precisely models the direct and indirect relations between data structures. • KDD is a static analysis tool that operates offline on an OS kernel’s source code • Generates a type-graph for the kernel data with direct and indirect relations between structures, models data structures [2] • KDD disambiguates pointer-based relations (including generic pointers) • by performing static points-to analysis on the kernel’s source code. • Points-to analysis is the problem of determining statically a set of locations to which a given variable may point to at runtime. Milan Rajpara October 8, 2013 13
KDD Operation Source: Ref [2] AST: Abstract Syntax Tree (high-level intermediate representation for the source code ) Milan Rajpara October 8, 2013 14
KDD Operation • Interprocedural Analysis 1: Takes AST and differentiate it • Gets: Variables, Procedure definition, Procedure call, etc.. . • Interprocedural Analysis 2: Do points-to analysis across different files to perform whole-program analysis. • Context Sensitive Analysis: • It uses Procedure Dependency Graph (PDG) consists of nodes representing the statements of the data dependency in the program. • context-sensitive analysis solves two problems: the calling context and the indirect (implicit) relations between nodes. Milan Rajpara October 8, 2013 15
Soundness and Precision of KDD • The points-to analysis algorithm is sound if the points-to set for each variable contains all its actual runtime targets, and is imprecise if the inferred set is larger than necessary. • Check on C programs from the SPEC2000 and SPEC2006 benchmark suites. • Achieved a high level of precision and 100% of soundness. • And 96% precision on Windows (WRK*, Vista) and Linux kernel (v3.0.22). [2] *WRK – Windows Research Kernel, the only available code from windows [6] Milan Rajpara October 8, 2013 16
DIGGER Approach Source: Ref [1] Milan Rajpara October 8, 2013 17
DIGGER Approach • Static Analysis Component: from KDD • Signature Extraction Component: • When the object manager allocates a memory pool block, it associates with a pool tag (pool tag is a unique four-byte tag for each object type.) Uses this tag to uncover the kernel objects running instances, and they are static and cannot be changed during object runtime. • Dynamic Memory Analysis Component: Extract the object details, • From Pool Tag, it gets the pool block start memory address and the object’s start address. Milan Rajpara October 8, 2013 18
Analyzing Kernel through DIGGER Gives … • Disambiguate the points-to relations between data structures, all without any prior knowledge of the OS kernel data layout. • Robust and quite small signature size to uncover runtime objects, enhancing performance • Able to keep track of all critical objects of kernel Milan Rajpara October 8, 2013 19
Protection of Kernel • Protect the generic pointers. • Microsoft added a feature PatchGuard, which blocks kernel mode drivers from altering sensitive parts of the Windows kernel. • But TDL (rootkit) manages to circumvent this protection as well, by altering a machine's MBR so that it can intercept Windows startup routines. [7] • One approach is use of “Object Partitioning” to protect kernel data structure. [3] • Uses Sentry, that creates access control protections for security-critical kernel data. Milan Rajpara October 8, 2013 20
Sentry Architecture • Sentry protects critical data and enforces data access restrictions based upon the origin of the access within the code of the kernel and its modules or drivers. [3] • The data integrity model is straightforward and matches that of the Biba ring policy [9] • The malicious code that modifies privileges by directly writing to memory is in a loaded module and not in the core kernel code, so Sentry will prevent the write Milan Rajpara October 8, 2013 21
Kernel Memory Access Control • Protect data structure from DCOM • Sentry’s design uses a hypervisor to remain isolated from an untrusted kernel • To keep the overhead low, Sentry uses memory partitioning to lay out sensitive data on separate memory pages and protects those pages using the hypervisor • The policy enforcer mediates attempted writes to protected data and uses the policy to determine when writes should be permitted. Milan Rajpara October 8, 2013 22
Working of Sentry • Identifying Security-Critical Members • Activation of mediated access • Instruction emulation • Secure execution history extraction Milan Rajpara October 8, 2013 23
Evaluation of Sentry • Performance • Low performance overhead • more performance van be achieved by memory layout optimization • False Positive Analysis • There were no instances when security-critical kernel data protected by Sentry was directly modified by a benign driver. • Sentry provided a 100% detection rate for DKOM rootkits Milan Rajpara October 8, 2013 24
Future Work • Detect all kernel data structures automatically, beyond the kernel version • The DIGGER can only be used to analyze Windows Kernels. • The current prototype of Sentry only protects two key structures. • Other kernel data structures may also require similar protection. • This may gives versatile performance of Sentry, (if more data structure included) Milan Rajpara October 8, 2013 25
References [1] Amani S. Ibrahim, James Hamlyn-Harris, John Grundy, Mohamed Almorsy, "Identifying OS Kernel Objects for Run-Time Security Analysis", DOI: 10.1007/978-3-642-34601-9_6 [2] Amani S. Ibrahim, John Grundy, James Hamlyn-Harris, Mohamed Almorsy, "Operating System Kernel Data Disambiguation to Support Security Analysis", DOI: 10.1007/978-3-642-34601-9_20 [3] Abhinav Srivastava, Jonathon Giffin, "Efficient Protection of Kernel Data Structures via Object Partitioning", DOI: 10.1145/2420950.2421012 [4] RFC: Linux kernel merging. https://lists.ubuntu.com/archives/kernel-team/2011-October/017471.html [5] Rootkits detail by Symantec http://www.symantec.com/avcenter/reference/windows.rootkit.overview.pdf [6] Windows Research Kernel https://www.facultyresourcecenter.com/curriculum/pfv.aspx?ID=7366&c1=enus&c2=0 [7] TDL Rootkit: http://www.theregister.co.uk/2010/11/16/tdl_rootkit_does_64_bit_windows [8] Windows hooks: http://msdn.microsoft.com/en-us/library/ms644959(v=vs.85).aspx [9] K. J. Biba. Integrity considerations for secure computer systems. Technical Report MTR-3153, Mitre, Apr. 1977 Milan Rajpara October 8, 2013 26
Thank you  Questions __________________________ - Milan Rajpara 27

Empfohlen

Kernel security Concepts
Kernel security ConceptsKernel security Concepts
Kernel security Concepts
Mohit Saxena
 
Kernel security of Systems
Kernel security of SystemsKernel security of Systems
Kernel security of Systems
Jamal Jamali
 
EMBEDDED OS
EMBEDDED OSEMBEDDED OS
EMBEDDED OS
AJAL A J
 
Chapter02
Chapter02Chapter02
Chapter02
Downloadssu Fullmaza
 
Chapter02
Chapter02Chapter02
Chapter02
kamran zamanifar
 
RTOS for Embedded System Design
RTOS for Embedded System DesignRTOS for Embedded System Design
RTOS for Embedded System Design
anand hd
 
RTOS Basic Concepts
RTOS Basic ConceptsRTOS Basic Concepts
RTOS Basic Concepts
Pantech ProLabs India Pvt Ltd
 
Operating system overview by narender singh sandhu
Operating system overview by narender singh sandhuOperating system overview by narender singh sandhu
Operating system overview by narender singh sandhu
NarenderSinghSandhu2
 

Empfohlen

Kernel security Concepts
Kernel security ConceptsKernel security Concepts
Kernel security Concepts
Mohit Saxena
 
Kernel security of Systems
Kernel security of SystemsKernel security of Systems
Kernel security of Systems
Jamal Jamali
 
EMBEDDED OS
EMBEDDED OSEMBEDDED OS
EMBEDDED OS
AJAL A J
 
Chapter02
Chapter02Chapter02
Chapter02
Downloadssu Fullmaza
 
Chapter02
Chapter02Chapter02
Chapter02
kamran zamanifar
 
RTOS for Embedded System Design
RTOS for Embedded System DesignRTOS for Embedded System Design
RTOS for Embedded System Design
anand hd
 
RTOS Basic Concepts
RTOS Basic ConceptsRTOS Basic Concepts
RTOS Basic Concepts
Pantech ProLabs India Pvt Ltd
 
Operating system overview by narender singh sandhu
Operating system overview by narender singh sandhuOperating system overview by narender singh sandhu
Operating system overview by narender singh sandhu
NarenderSinghSandhu2
 
How to choose an RTOS?
How to choose an RTOS?How to choose an RTOS?
How to choose an RTOS?
Rohit Choudhury
 
Embedded os
Embedded osEmbedded os
Embedded os
chian417
 
How to Measure RTOS Performance
How to Measure RTOS Performance How to Measure RTOS Performance
How to Measure RTOS Performance
mentoresd
 
Introduction to Operating Systems - Mary Margarat
Introduction to Operating Systems - Mary MargaratIntroduction to Operating Systems - Mary Margarat
Introduction to Operating Systems - Mary Margarat
Mary Margarat
 
Os4
Os4Os4
Os4
gopal10scs185
 
Lec 2
Lec 2Lec 2
Lec 2
mohamed ali
 
Unit 4 Real Time Operating System
Unit 4 Real Time Operating SystemUnit 4 Real Time Operating System
Unit 4 Real Time Operating System
Dr. Pankaj Zope
 
Ch1 introduction
Ch1 introductionCh1 introduction
Ch1 introduction
Welly Dian Astika
 
Operating Systems 1 (5/12) - Architectures (Unix)
Operating Systems 1 (5/12) - Architectures (Unix)Operating Systems 1 (5/12) - Architectures (Unix)
Operating Systems 1 (5/12) - Architectures (Unix)
Peter Tröger
 
Windows kernel
Windows kernelWindows kernel
Windows kernel
Sisimon Soman
 
Real time Operating System
Real time Operating SystemReal time Operating System
Real time Operating System
Tech_MX
 
Operating system interview question
Operating system interview questionOperating system interview question
Operating system interview question
sriram saravanan
 
SYBSC IT SEM IV EMBEDDED SYSTEMS UNIT V Real Time Operating System (RTOS)
SYBSC IT SEM IV EMBEDDED SYSTEMS UNIT V Real Time Operating System (RTOS)SYBSC IT SEM IV EMBEDDED SYSTEMS UNIT V Real Time Operating System (RTOS)
SYBSC IT SEM IV EMBEDDED SYSTEMS UNIT V Real Time Operating System (RTOS)
Arti Parab Academics
 
Microkernel
MicrokernelMicrokernel
Microkernel
Suraj Mehta
 
CS6401 Operating Systems
CS6401 Operating SystemsCS6401 Operating Systems
CS6401 Operating Systems
Kathirvel Ayyaswamy
 
Real Time Operating System
Real Time Operating SystemReal Time Operating System
Real Time Operating System
Himanshu Choudhary
 
Bca i-fundamental of computer-u-3-functions operating systems
Bca i-fundamental of computer-u-3-functions operating systemsBca i-fundamental of computer-u-3-functions operating systems
Bca i-fundamental of computer-u-3-functions operating systems
Rai University
 
Real time operating system
Real time operating systemReal time operating system
Real time operating system
Pratik Hiremath
 
Rtos ss
Rtos ssRtos ss
Rtos ss
Sudheesh S Madhav
 
Operating system concepts
Operating system conceptsOperating system concepts
Operating system concepts
Arnav Chowdhury
 
chapter1
chapter1chapter1
chapter1
Awud Auwal
 
Nonlinear component analysis as a kernel eigenvalue problem
Nonlinear component analysis as a kernel eigenvalue problemNonlinear component analysis as a kernel eigenvalue problem
Nonlinear component analysis as a kernel eigenvalue problem
Michele Filannino
 

Weitere ähnliche Inhalte

Was ist angesagt?

Embedded os
Embedded osEmbedded os
Embedded os
chian417
 
How to Measure RTOS Performance
How to Measure RTOS Performance How to Measure RTOS Performance
How to Measure RTOS Performance
mentoresd
 
Real time Operating System
Real time Operating SystemReal time Operating System
Real time Operating System
Tech_MX
 
Operating system interview question
Operating system interview questionOperating system interview question
Operating system interview question
sriram saravanan
 

Was ist angesagt? (20)

How to choose an RTOS?
How to choose an RTOS?How to choose an RTOS?
How to choose an RTOS?
 
Embedded os
Embedded osEmbedded os
Embedded os
 
How to Measure RTOS Performance
How to Measure RTOS Performance How to Measure RTOS Performance
How to Measure RTOS Performance
 
Introduction to Operating Systems - Mary Margarat
Introduction to Operating Systems - Mary MargaratIntroduction to Operating Systems - Mary Margarat
Introduction to Operating Systems - Mary Margarat
 
Os4
Os4Os4
Os4
 
Lec 2
Lec 2Lec 2
Lec 2
 
Unit 4 Real Time Operating System
Unit 4 Real Time Operating SystemUnit 4 Real Time Operating System
Unit 4 Real Time Operating System
 
Ch1 introduction
Ch1 introductionCh1 introduction
Ch1 introduction
 
Operating Systems 1 (5/12) - Architectures (Unix)
Operating Systems 1 (5/12) - Architectures (Unix)Operating Systems 1 (5/12) - Architectures (Unix)
Operating Systems 1 (5/12) - Architectures (Unix)
 
Windows kernel
Windows kernelWindows kernel
Windows kernel
 
Real time Operating System
Real time Operating SystemReal time Operating System
Real time Operating System
 
Operating system interview question
Operating system interview questionOperating system interview question
Operating system interview question
 
SYBSC IT SEM IV EMBEDDED SYSTEMS UNIT V Real Time Operating System (RTOS)
SYBSC IT SEM IV EMBEDDED SYSTEMS UNIT V Real Time Operating System (RTOS)SYBSC IT SEM IV EMBEDDED SYSTEMS UNIT V Real Time Operating System (RTOS)
SYBSC IT SEM IV EMBEDDED SYSTEMS UNIT V Real Time Operating System (RTOS)
 
Microkernel
MicrokernelMicrokernel
Microkernel
 
CS6401 Operating Systems
CS6401 Operating SystemsCS6401 Operating Systems
CS6401 Operating Systems
 
Real Time Operating System
Real Time Operating SystemReal Time Operating System
Real Time Operating System
 
Bca i-fundamental of computer-u-3-functions operating systems
Bca i-fundamental of computer-u-3-functions operating systemsBca i-fundamental of computer-u-3-functions operating systems
Bca i-fundamental of computer-u-3-functions operating systems
 
Real time operating system
Real time operating systemReal time operating system
Real time operating system
 
Rtos ss
Rtos ssRtos ss
Rtos ss
 
Operating system concepts
Operating system conceptsOperating system concepts
Operating system concepts
 

Andere mochten auch

Principal component analysis and matrix factorizations for learning (part 2) ...
Principal component analysis and matrix factorizations for learning (part 2) ...Principal component analysis and matrix factorizations for learning (part 2) ...
Principal component analysis and matrix factorizations for learning (part 2) ...
zukun
 
fauvel_igarss.pdf
fauvel_igarss.pdffauvel_igarss.pdf
fauvel_igarss.pdf
grssieee
 
Kernel Entropy Component Analysis in Remote Sensing Data Clustering.pdf
Kernel Entropy Component Analysis in Remote Sensing Data Clustering.pdfKernel Entropy Component Analysis in Remote Sensing Data Clustering.pdf
Kernel Entropy Component Analysis in Remote Sensing Data Clustering.pdf
grssieee
 
KPCA_Survey_Report
KPCA_Survey_ReportKPCA_Survey_Report
KPCA_Survey_Report
Randy Salm
 
Modeling and forecasting age-specific mortality: Lee-Carter method vs. Functi...
Modeling and forecasting age-specific mortality: Lee-Carter method vs. Functi...Modeling and forecasting age-specific mortality: Lee-Carter method vs. Functi...
Modeling and forecasting age-specific mortality: Lee-Carter method vs. Functi...
hanshang
 
Explicit Signal to Noise Ratio in Reproducing Kernel Hilbert Spaces.pdf
Explicit Signal to Noise Ratio in Reproducing Kernel Hilbert Spaces.pdfExplicit Signal to Noise Ratio in Reproducing Kernel Hilbert Spaces.pdf
Explicit Signal to Noise Ratio in Reproducing Kernel Hilbert Spaces.pdf
grssieee
 
Regularized Principal Component Analysis for Spatial Data
Regularized Principal Component Analysis for Spatial DataRegularized Principal Component Analysis for Spatial Data
Regularized Principal Component Analysis for Spatial Data
Wen-Ting Wang
 
Pca and kpca of ecg signal
Pca and kpca of ecg signalPca and kpca of ecg signal
Pca and kpca of ecg signal
es712
 
DataEngConf: Feature Extraction: Modern Questions and Challenges at Google
DataEngConf: Feature Extraction: Modern Questions and Challenges at GoogleDataEngConf: Feature Extraction: Modern Questions and Challenges at Google
DataEngConf: Feature Extraction: Modern Questions and Challenges at Google
Hakka Labs
 
Principal component analysis and matrix factorizations for learning (part 1) ...
Principal component analysis and matrix factorizations for learning (part 1) ...Principal component analysis and matrix factorizations for learning (part 1) ...
Principal component analysis and matrix factorizations for learning (part 1) ...
zukun
 
Principal Component Analysis and Clustering
Principal Component Analysis and ClusteringPrincipal Component Analysis and Clustering
Principal Component Analysis and Clustering
Usha Vijay
 

Andere mochten auch (20)

chapter1
chapter1chapter1
chapter1
 
Nonlinear component analysis as a kernel eigenvalue problem
Nonlinear component analysis as a kernel eigenvalue problemNonlinear component analysis as a kernel eigenvalue problem
Nonlinear component analysis as a kernel eigenvalue problem
 
Principal component analysis and matrix factorizations for learning (part 2) ...
Principal component analysis and matrix factorizations for learning (part 2) ...Principal component analysis and matrix factorizations for learning (part 2) ...
Principal component analysis and matrix factorizations for learning (part 2) ...
 
fauvel_igarss.pdf
fauvel_igarss.pdffauvel_igarss.pdf
fauvel_igarss.pdf
 
Kernel Entropy Component Analysis in Remote Sensing Data Clustering.pdf
Kernel Entropy Component Analysis in Remote Sensing Data Clustering.pdfKernel Entropy Component Analysis in Remote Sensing Data Clustering.pdf
Kernel Entropy Component Analysis in Remote Sensing Data Clustering.pdf
 
Different kind of distance and Statistical Distance
Different kind of distance and Statistical DistanceDifferent kind of distance and Statistical Distance
Different kind of distance and Statistical Distance
 
Principal Component Analysis For Novelty Detection
Principal Component Analysis For Novelty DetectionPrincipal Component Analysis For Novelty Detection
Principal Component Analysis For Novelty Detection
 
KPCA_Survey_Report
KPCA_Survey_ReportKPCA_Survey_Report
KPCA_Survey_Report
 
Adaptive anomaly detection with kernel eigenspace splitting and merging
Adaptive anomaly detection with kernel eigenspace splitting and mergingAdaptive anomaly detection with kernel eigenspace splitting and merging
Adaptive anomaly detection with kernel eigenspace splitting and merging
 
Modeling and forecasting age-specific mortality: Lee-Carter method vs. Functi...
Modeling and forecasting age-specific mortality: Lee-Carter method vs. Functi...Modeling and forecasting age-specific mortality: Lee-Carter method vs. Functi...
Modeling and forecasting age-specific mortality: Lee-Carter method vs. Functi...
 
Explicit Signal to Noise Ratio in Reproducing Kernel Hilbert Spaces.pdf
Explicit Signal to Noise Ratio in Reproducing Kernel Hilbert Spaces.pdfExplicit Signal to Noise Ratio in Reproducing Kernel Hilbert Spaces.pdf
Explicit Signal to Noise Ratio in Reproducing Kernel Hilbert Spaces.pdf
 
A Comparative Study between ICA (Independent Component Analysis) and PCA (Pri...
A Comparative Study between ICA (Independent Component Analysis) and PCA (Pri...A Comparative Study between ICA (Independent Component Analysis) and PCA (Pri...
A Comparative Study between ICA (Independent Component Analysis) and PCA (Pri...
 
Regularized Principal Component Analysis for Spatial Data
Regularized Principal Component Analysis for Spatial DataRegularized Principal Component Analysis for Spatial Data
Regularized Principal Component Analysis for Spatial Data
 
Pca and kpca of ecg signal
Pca and kpca of ecg signalPca and kpca of ecg signal
Pca and kpca of ecg signal
 
DataEngConf: Feature Extraction: Modern Questions and Challenges at Google
DataEngConf: Feature Extraction: Modern Questions and Challenges at GoogleDataEngConf: Feature Extraction: Modern Questions and Challenges at Google
DataEngConf: Feature Extraction: Modern Questions and Challenges at Google
 
Probabilistic PCA, EM, and more
Probabilistic PCA, EM, and moreProbabilistic PCA, EM, and more
Probabilistic PCA, EM, and more
 
Principal component analysis and matrix factorizations for learning (part 1) ...
Principal component analysis and matrix factorizations for learning (part 1) ...Principal component analysis and matrix factorizations for learning (part 1) ...
Principal component analysis and matrix factorizations for learning (part 1) ...
 
Principal Component Analysis and Clustering
Principal Component Analysis and ClusteringPrincipal Component Analysis and Clustering
Principal Component Analysis and Clustering
 
Ipl process
Ipl processIpl process
Ipl process
 
ECG: Indication and Interpretation
ECG: Indication and InterpretationECG: Indication and Interpretation
ECG: Indication and Interpretation
 

Ähnlich wie Analyzing Kernel Security and Approaches for Improving it

Static Analysis Primer
Static Analysis PrimerStatic Analysis Primer
Static Analysis Primer
Coverity
 
Distributed semantic search system (dsss)
Distributed semantic search system (dsss) Distributed semantic search system (dsss)
Distributed semantic search system (dsss)
Isuru Vincent
 
Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)
Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)
Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)
Andrejs Prokopjevs
 

Ähnlich wie Analyzing Kernel Security and Approaches for Improving it (20)

DEF CON 27 - CHRISTOPHER ROBERTS - firmware slap
DEF CON 27 - CHRISTOPHER ROBERTS - firmware slapDEF CON 27 - CHRISTOPHER ROBERTS - firmware slap
DEF CON 27 - CHRISTOPHER ROBERTS - firmware slap
 
Building a data pipeline to ingest data into Hadoop in minutes using Streamse...
Building a data pipeline to ingest data into Hadoop in minutes using Streamse...Building a data pipeline to ingest data into Hadoop in minutes using Streamse...
Building a data pipeline to ingest data into Hadoop in minutes using Streamse...
 
Data Lake and the rise of the microservices
Data Lake and the rise of the microservicesData Lake and the rise of the microservices
Data Lake and the rise of the microservices
 
Closed-Loop Platform Automation by Tong Zhong and Emma Collins
Closed-Loop Platform Automation by Tong Zhong and Emma CollinsClosed-Loop Platform Automation by Tong Zhong and Emma Collins
Closed-Loop Platform Automation by Tong Zhong and Emma Collins
 
Closed Loop Platform Automation - Tong Zhong & Emma Collins
Closed Loop Platform Automation - Tong Zhong & Emma CollinsClosed Loop Platform Automation - Tong Zhong & Emma Collins
Closed Loop Platform Automation - Tong Zhong & Emma Collins
 
Static Analysis Primer
Static Analysis PrimerStatic Analysis Primer
Static Analysis Primer
 
Device Drivers and Running Modules
Device Drivers and Running ModulesDevice Drivers and Running Modules
Device Drivers and Running Modules
 
Production grade edge computing on Kubernetes OSS EU 2018
Production grade edge computing on Kubernetes OSS EU 2018Production grade edge computing on Kubernetes OSS EU 2018
Production grade edge computing on Kubernetes OSS EU 2018
 
Network Processor - 2021.pptx
Network Processor - 2021.pptxNetwork Processor - 2021.pptx
Network Processor - 2021.pptx
 
Comparison between Dynamo and riak
Comparison between Dynamo and riakComparison between Dynamo and riak
Comparison between Dynamo and riak
 
The Diabolical Developers Guide to Performance Tuning
The Diabolical Developers Guide to Performance TuningThe Diabolical Developers Guide to Performance Tuning
The Diabolical Developers Guide to Performance Tuning
 
Distributed semantic search system (dsss)
Distributed semantic search system (dsss) Distributed semantic search system (dsss)
Distributed semantic search system (dsss)
 
Spark 1.0
Spark 1.0Spark 1.0
Spark 1.0
 
Exadata SMART Monitoring - OEM 13c
Exadata SMART Monitoring - OEM 13cExadata SMART Monitoring - OEM 13c
Exadata SMART Monitoring - OEM 13c
 
Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)
Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)
Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)
 
Ch 6 IoT Processing Topologies and Types.pdf
Ch 6 IoT Processing Topologies and Types.pdfCh 6 IoT Processing Topologies and Types.pdf
Ch 6 IoT Processing Topologies and Types.pdf
 
Cloud Security Strategy Socialization v1.0 Clean.pptx.pdf
Cloud Security Strategy Socialization v1.0 Clean.pptx.pdfCloud Security Strategy Socialization v1.0 Clean.pptx.pdf
Cloud Security Strategy Socialization v1.0 Clean.pptx.pdf
 
Taking Splunk to the Next Level - Architecture Breakout Session
Taking Splunk to the Next Level - Architecture Breakout SessionTaking Splunk to the Next Level - Architecture Breakout Session
Taking Splunk to the Next Level - Architecture Breakout Session
 
Charles Mahler [InfluxData] | Use Case: Networking Monitoring | InfluxDays 2022
Charles Mahler [InfluxData] | Use Case: Networking Monitoring | InfluxDays 2022Charles Mahler [InfluxData] | Use Case: Networking Monitoring | InfluxDays 2022
Charles Mahler [InfluxData] | Use Case: Networking Monitoring | InfluxDays 2022
 
Approximation techniques used for general purpose algorithms
Approximation techniques used for general purpose algorithmsApproximation techniques used for general purpose algorithms
Approximation techniques used for general purpose algorithms
 

Kürzlich hochgeladen

The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
heathfieldcps1
 
Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...
Association for Project Management
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
ZurliaSoop
 
Salient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functionsSalient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functions
KarakKing
 

Kürzlich hochgeladen (20)

The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdf
 
Interdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptxInterdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptx
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan Fellows
 
Wellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptxWellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptx
 
Spatium Project Simulation student brief
Spatium Project Simulation student briefSpatium Project Simulation student brief
Spatium Project Simulation student brief
 
Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
 
Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptx
 
Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)
 
SOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning PresentationSOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning Presentation
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...
 
Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)
 
Salient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functionsSalient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functions
 
This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.
 
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024
 
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
 
ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.
 

Analyzing Kernel Security and Approaches for Improving it

  • 1. Analyzing Kernel Security and Approaches for Improving It Milan Rajpara IT Systems and Network Security Gujarat Technological University C DAC Ahmedabad Pune
  • 2. Agenda • Kernel Introduction • Necessity for Kernel Security • Kernel breach • Analyzing Kernel Security • Improving Approaches • Future Work Milan Rajpara October 8, 2013 2
  • 3. What is Kernel ? • A computer program that manages input/output requests from software and translates them into data processing instructions for the central processing unit and other electronic components of a computer. [Wikipedia] • The kernel is a fundamental part of a modern computer's operating system. • OS rests on a outer ring, and application above that. Fig: Privilege rings for the x86 available in protected mode [Source: Wikipedia] Milan Rajpara October 8, 2013 3
  • 4. Necessity for Kernel Security • Kernel, a vary basic (core) part of the Operating Systems • Single vulnerability will be exposes large number of systems • Increasing of Cloud Usage with Virtual Systems • Smartphones now is in every hand Milan Rajpara October 8, 2013 4
  • 5. We talk on .. • Kernels for General Purpose Operating System • Some Linux flavor gives Server Optimized Kernel • Ex. Ubuntu older then 12.04, were gave this option. Since 12.04, linux-image-server is merged into linuximage-generic, there is no difference between Generic and Server kernel. [4] • Windows do not disclose. • Kernels which Constructed in C language • Almost kernels are in C • Improvement for Monolithic kernels • All work performed in Virtual environment • The Xen, and VMware used Milan Rajpara October 8, 2013 5
  • 6. How Kernel Affected ? • By Kernel level rootkits • Manipulating pointers • Manipulating data • Direct Kernel Object Manipulation (DKOM) • By Boot-kits • Via hooking techniques • Direct Hardware or Firmware injection Milan Rajpara October 8, 2013 6
  • 7. Effect of this Attacks • Escalate a process’ privileges by overwriting the process’ credentials • Hide itself by illicitly removing data structures identifying their presence from loaded drivers • Eliding task structures for the processes from the kernel’s process accounting list • Alter the overall behavior of OS without injecting any malicious code into the kernel address space, by just pointer manipulating. Milan Rajpara October 8, 2013 7
  • 8. How to analyze the Kernel Security • Find the most critical objects of the kernel, without prior knowledge of the OS kernel data layout in memory • Identifying OS Kernel Objects for Run-time Security Analysis • Sort-out objects which are vulnerable to hijack • Do Kernel Data Disambiguation • This will make the system easy to analyze Milan Rajpara October 8, 2013 8
  • 9. Most critical objects in Kernel • Windows and Linux, the core kernel part are mostly written in C • 40% inter-data structure relations are Pointer based • 35% of these are Generic Pointers • Pointers which defines at run time, no initial value or data type is associated • 28% kernel data structure are well known objects Milan Rajpara October 8, 2013 9
  • 10. Generic Pointer Problem • It is the weak link in kernel security • Use of void pointers *, assists hackers to point somewhere else • Use of NULL pointers (to implements linklist), helps hackers to hide / change runtime objects. • Use of Casting in C • Enables the hackers to exploit data structure layout in physical memory Milan Rajpara October 8, 2013 10
  • 11. To Find Critical Objects 1. Memory Mapping techniques • Travers address space from global variables via pointer dereferencing until reaching running object. • according to a predefined kernel data definition for each kernel version. 2. Value Invariant Approaches • Use the value invariants of certain fields or of a whole data structure as a signature to scan the memory for matching running instances. Ex. DeepScanner, DIMSIM • Drawbacks of this approaches - Not very accurate - Require a predefined definition of the kernel data layout - Not effective when memory mapping and object reachability information is not available. - High performance overhead Milan Rajpara October 8, 2013 11
  • 12. To Find Critical Objects 3. DIGGER [1] • Uncover all system runtime objects without any prior knowledge of the OS kernel data layout in memory. • First it performs offline and constructs type-graph (which is used to enable systematic memory traversal of the object details). • Then it uses the 4-byte pool memory tagging schema (to uncover kernel runtime objects from the kernel address space.) • (+) • Accurate result • Low performance overhead • Fast and nearly complete coverage Milan Rajpara October 8, 2013 12
  • 13. DIGGER & KDD • DIGGER uses the KDD (Kernel Data Disambiguator) to precisely models the direct and indirect relations between data structures. • KDD is a static analysis tool that operates offline on an OS kernel’s source code • Generates a type-graph for the kernel data with direct and indirect relations between structures, models data structures [2] • KDD disambiguates pointer-based relations (including generic pointers) • by performing static points-to analysis on the kernel’s source code. • Points-to analysis is the problem of determining statically a set of locations to which a given variable may point to at runtime. Milan Rajpara October 8, 2013 13
  • 14. KDD Operation Source: Ref [2] AST: Abstract Syntax Tree (high-level intermediate representation for the source code ) Milan Rajpara October 8, 2013 14
  • 15. KDD Operation • Interprocedural Analysis 1: Takes AST and differentiate it • Gets: Variables, Procedure definition, Procedure call, etc.. . • Interprocedural Analysis 2: Do points-to analysis across different files to perform whole-program analysis. • Context Sensitive Analysis: • It uses Procedure Dependency Graph (PDG) consists of nodes representing the statements of the data dependency in the program. • context-sensitive analysis solves two problems: the calling context and the indirect (implicit) relations between nodes. Milan Rajpara October 8, 2013 15
  • 16. Soundness and Precision of KDD • The points-to analysis algorithm is sound if the points-to set for each variable contains all its actual runtime targets, and is imprecise if the inferred set is larger than necessary. • Check on C programs from the SPEC2000 and SPEC2006 benchmark suites. • Achieved a high level of precision and 100% of soundness. • And 96% precision on Windows (WRK*, Vista) and Linux kernel (v3.0.22). [2] *WRK – Windows Research Kernel, the only available code from windows [6] Milan Rajpara October 8, 2013 16
  • 17. DIGGER Approach Source: Ref [1] Milan Rajpara October 8, 2013 17
  • 18. DIGGER Approach • Static Analysis Component: from KDD • Signature Extraction Component: • When the object manager allocates a memory pool block, it associates with a pool tag (pool tag is a unique four-byte tag for each object type.) Uses this tag to uncover the kernel objects running instances, and they are static and cannot be changed during object runtime. • Dynamic Memory Analysis Component: Extract the object details, • From Pool Tag, it gets the pool block start memory address and the object’s start address. Milan Rajpara October 8, 2013 18
  • 19. Analyzing Kernel through DIGGER Gives … • Disambiguate the points-to relations between data structures, all without any prior knowledge of the OS kernel data layout. • Robust and quite small signature size to uncover runtime objects, enhancing performance • Able to keep track of all critical objects of kernel Milan Rajpara October 8, 2013 19
  • 20. Protection of Kernel • Protect the generic pointers. • Microsoft added a feature PatchGuard, which blocks kernel mode drivers from altering sensitive parts of the Windows kernel. • But TDL (rootkit) manages to circumvent this protection as well, by altering a machine's MBR so that it can intercept Windows startup routines. [7] • One approach is use of “Object Partitioning” to protect kernel data structure. [3] • Uses Sentry, that creates access control protections for security-critical kernel data. Milan Rajpara October 8, 2013 20
  • 21. Sentry Architecture • Sentry protects critical data and enforces data access restrictions based upon the origin of the access within the code of the kernel and its modules or drivers. [3] • The data integrity model is straightforward and matches that of the Biba ring policy [9] • The malicious code that modifies privileges by directly writing to memory is in a loaded module and not in the core kernel code, so Sentry will prevent the write Milan Rajpara October 8, 2013 21
  • 22. Kernel Memory Access Control • Protect data structure from DCOM • Sentry’s design uses a hypervisor to remain isolated from an untrusted kernel • To keep the overhead low, Sentry uses memory partitioning to lay out sensitive data on separate memory pages and protects those pages using the hypervisor • The policy enforcer mediates attempted writes to protected data and uses the policy to determine when writes should be permitted. Milan Rajpara October 8, 2013 22
  • 23. Working of Sentry • Identifying Security-Critical Members • Activation of mediated access • Instruction emulation • Secure execution history extraction Milan Rajpara October 8, 2013 23
  • 24. Evaluation of Sentry • Performance • Low performance overhead • more performance van be achieved by memory layout optimization • False Positive Analysis • There were no instances when security-critical kernel data protected by Sentry was directly modified by a benign driver. • Sentry provided a 100% detection rate for DKOM rootkits Milan Rajpara October 8, 2013 24
  • 25. Future Work • Detect all kernel data structures automatically, beyond the kernel version • The DIGGER can only be used to analyze Windows Kernels. • The current prototype of Sentry only protects two key structures. • Other kernel data structures may also require similar protection. • This may gives versatile performance of Sentry, (if more data structure included) Milan Rajpara October 8, 2013 25
  • 26. References [1] Amani S. Ibrahim, James Hamlyn-Harris, John Grundy, Mohamed Almorsy, "Identifying OS Kernel Objects for Run-Time Security Analysis", DOI: 10.1007/978-3-642-34601-9_6 [2] Amani S. Ibrahim, John Grundy, James Hamlyn-Harris, Mohamed Almorsy, "Operating System Kernel Data Disambiguation to Support Security Analysis", DOI: 10.1007/978-3-642-34601-9_20 [3] Abhinav Srivastava, Jonathon Giffin, "Efficient Protection of Kernel Data Structures via Object Partitioning", DOI: 10.1145/2420950.2421012 [4] RFC: Linux kernel merging. https://lists.ubuntu.com/archives/kernel-team/2011-October/017471.html [5] Rootkits detail by Symantec http://www.symantec.com/avcenter/reference/windows.rootkit.overview.pdf [6] Windows Research Kernel https://www.facultyresourcecenter.com/curriculum/pfv.aspx?ID=7366&c1=enus&c2=0 [7] TDL Rootkit: http://www.theregister.co.uk/2010/11/16/tdl_rootkit_does_64_bit_windows [8] Windows hooks: http://msdn.microsoft.com/en-us/library/ms644959(v=vs.85).aspx [9] K. J. Biba. Integrity considerations for secure computer systems. Technical Report MTR-3153, Mitre, Apr. 1977 Milan Rajpara October 8, 2013 26