SlideShare ist ein Scribd-Unternehmen logo

Lord of the X86 Rings: A Portable User Mode Privilege Separation Architecture on X86 (CCS'18)

‱
‱
星
星曌 陈

Lord of the X86 Rings: A Portable User Mode Privilege Separation Architecture on X86 (CCS'18) [Unofficial] Slide presented by cxm95

Technologie
1 von 30
Downloaden Sie, um offline zu lesen
Lord of the X86 Rings: A Portable User Mode Privilege Separation Architecture on X86 Memory Defense Paper Sharing(I) ccs 2018 Hojoon Lee, Chihyun Song, Brent Byunghoon Kang Presented by Xingman Chen 2018-10-09
In-Process Isolation ● Most attacks against ○ Control Flow ■ Control flow hijack/bending ○ Data Flow ■ Non-control data attack 2
In-Process Isolation ● Most attacks against ○ Control Flow ■ Control flow hijack/bending ○ Data Flow ■ Non-control data attack ● Sensitive data in memory ○ Cryptographic keys ○ Function table ○ Control flow intergrity mitigation metadata ○ (Un)trust libs ● Need to be protected 3
Motivations ● HeartBleed Vulnerability ○ A malicious memcpy(bp,pl,payload) in openssl nearly bring down the HTTPs ○ Sensitive data: Private key 4
Motivations ● Metadata Protection ○ Shadow Stack ■ Backup return address to avoid ret based control flow hijack ■ Sensitive data: backup return address ○ Code Pointer Intergrity ■ Move code pointer and indirect code pointers to safe region ■ Sensitive data: safe region 5
Motivations ● Metadata Protection ○ Shadow Stack ■ Backup return address to avoid ret based control flow hijack ■ Sensitive data: backup return address ○ Code Pointer Intergrity ■ Move code pointer and indirect code pointers to safe region ■ Sensitive data: safe region 6
Motivations ● Untrusted Library ○ Blackhat’17 by Chaitin: Many Birds, One Stone: Exploiting a Single SQLite Vulnerability Across Multiple Software ○ CVE-2015-7036 ■ SQLite fts3_tokenizer Untrusted Pointer Remote Code Execution Vulnerability 7
In-Process Isolation: Approaches ● Software based ○ Randomization based ■ e.g. ASLR ○ Instrument non-sen code with bounds checks prior to indirect memory accesses ■ e.g. SFI 8 Application Sen-Code (Sensitive Data Related Code) Non Sen Code Non Sen Memory Sen Memory
● Software based ○ Randomization based ■ e.g. ASLR ○ Instrument non-sen code with bounds checks prior to indirect memory accesses ■ e.g. Software Fault Isolation(SFI) ● OS/Hardware based ○ OS feature based: Paging or Segmentation based appoarches ○ Hardware feature based ■ e.g. intel MPX(CFIXX), SGX, CET, MPK; arm Memory Domain(Shred) In-Process Isolation: Approaches 9 Application Sen-Code (Sensitive Data Related Code) Non Sen Code Non Sen Memory Sen Memory
Lord of the x86 Rings: A Portable User Mode Privilege Separation Architecture on x86 ● Presented LOTRx86, a novel approach that establishes a new user privilege layer safeguards secure access sensitive data to achieve in-process privilege separation ● OS Feature based ● Feature ○ No extra hardware feature needed ○ Fast: average of 30.40% overhead on Intel processor 10
Motivation ● Randomization based: Weak ● SFI: High overhead ● Hardware feature based: Not portable ● LOTRx86: Trade off ○ Portable approach based on segmentation & paging features ○ Harnesses the underused x86 intermediate Rings (Ring1 and Ring2) 11
Preliminaries: Addressing in x86 ● Segmentation in x86(IA-32,386) ○ DPL(Description Priviliege Level): in GDT/LDT ○ CPL(Current Priviliege Level): 2bit in Segment register(cs) ○ RPL(Request Privilege Level) 12
Preliminaries: Addressing in x86 ● Pagging in x86 ○ 2-level page table ■ User/Supervisor: priviliege required for accessing this page 13
Preliminaries: Addressing in x64 ● x64(x86_64,amd64/IA-32e, EM64T): Weakened Segmentation 14
Preliminaries: Addressing in x64 ● x64(x86_64,amd64/IA-32e, EM64T): Weakened Segmentation ○ Treats the segment base of CS, DS, ES, SS as zero, creating a linear address ○ Used only for memory protection ○ CPL Remained ■ DPL: Valid for code segment descriptor, ignored for data segment descriptor 15
Preliminaries: Callgate ● Callgate: Privilege escalation & de-escalation ○ Callgate Descriptor defined at GDT/LDT ○ DPLg: minium priv requirement ○ Stack pivot after escalation/decalation 16
Preliminaries: Inter-bitness control transfer ● Bitness(32/64): defined by the currently active code segment descriptor ○ L bit ○ callgate cannot target a 32-bit code segment in long mode(64 bit) 17
Thread Model & Target ● Thread Model ○ Arbitary Code Execution ● Security Guarantee ○ User mode cannot directly access a region protected 18 Application Sen-Code (Sensitive Data Related Code) Non Sen Code Non Sen Memory Sen Memory
● Establishing PrivUser memory space ○ M-SR1. User mode must not be able to access PrivUser memory ■ set S-page PTE s-bit Design 19
● Establishing PrivUser memory space ○ M-SR1. User mode must not be able to access PrivUser memory ■ set S-page PTE s-bit ○ M-SR2. PrivUser mode must not be able to access kernel memory space ■ set privuser code page as 32-bit segmentation enabled code segment ● run 32bit code with special segment(cs) Design 20
Design ● Challenges ○ Hardware constraint: 32-bit call gate is disabled, a 64-bit call gate have to be introduced ○ Potential risk: any non-ring3 64-bit code can access kernel memory ■ if Privuser jump to 64-bit call gate area instead of call gate entry, it can access the kernel memory 21
Design ● Challenges ○ Hardware constraint: 32-bit call gate is disabled, a 64-bit call gate have to be introduced ○ Potential risk: any non-ring3 64-bit code can access kernel memory ■ if Privuser jump to 64-bit call gate area instead of call gate entry, it can access the kernel memory ● Solution: Inescapable segmentation enforcement ○ An ring-1 callgate(x64) with lret 22
Design ● Challenges ○ Hardware constraint: 32-bit call gate is disabled, a 64-bit call gate have to be introduced ○ Potential risk: any non-ring3 64-bit code can access kernel memory ■ if Privuser jump to 64-bit call gate area instead of call gate entry, it can access the kernel memory ● Solution: Inescapable segmentation enforcement ○ An ring-1 callgate(x64) with lret 23
Implementation ● Components ○ lotr-kmod: build PrivUser space ■ space size is fixed ■ generate LDT, init S-page PTE, init ring1 ring2 ○ liblotr: util functions for calling initalize PrivUser space, entering, etc. ○ lotr-libc: private libc, no scalable ○ kernel modification: let mmap/mprotect bypass and return error 24
Implementation ● Components ○ lotr-build: create 32-bit machine code 25
Evaluation ● Micro-benchmark ○ compare with normal function ■ But why intel different with amd? 26 no cache opt
Evaluation ● micro-Benchmark ○ compare with normal function 27
Evaluation ● LOTRx86 enabled web server ○ latency: response time 28
Discussion ● Portable but no scalable ○ e.g. Size, Libc, argument passing ● Low automation ● High Overhead: 35% 29
Thanks! 30

Empfohlen

Queue Type on Mikrotik
Queue Type on MikrotikQueue Type on Mikrotik
Queue Type on Mikrotik
GLC Networks
 
Deploy STM32 family on Zephyr - SFO17-102
Deploy STM32 family on Zephyr - SFO17-102Deploy STM32 family on Zephyr - SFO17-102
Deploy STM32 family on Zephyr - SFO17-102
Linaro
 
Distributed unique id generation
Distributed unique id generationDistributed unique id generation
Distributed unique id generation
Tung Nguyen
 
SDN Programming with Go
SDN Programming with GoSDN Programming with Go
SDN Programming with Go
Donaldson Tan
 
Radio Optimization In Telco - Part 2
Radio Optimization In Telco - Part 2Radio Optimization In Telco - Part 2
Radio Optimization In Telco - Part 2
GLC Networks
 
OSPF On Router OS7
OSPF On Router OS7OSPF On Router OS7
OSPF On Router OS7
GLC Networks
 
ACL on Linux - Part 1
ACL on Linux - Part 1ACL on Linux - Part 1
ACL on Linux - Part 1
GLC Networks
 
Module: drand - the Distributed Randomness Beacon
Module: drand - the Distributed Randomness BeaconModule: drand - the Distributed Randomness Beacon
Module: drand - the Distributed Randomness Beacon
Ioannis Psaras
 

Empfohlen

Queue Type on Mikrotik
Queue Type on MikrotikQueue Type on Mikrotik
Queue Type on Mikrotik
GLC Networks
 
Deploy STM32 family on Zephyr - SFO17-102
Deploy STM32 family on Zephyr - SFO17-102Deploy STM32 family on Zephyr - SFO17-102
Deploy STM32 family on Zephyr - SFO17-102
Linaro
 
Distributed unique id generation
Distributed unique id generationDistributed unique id generation
Distributed unique id generation
Tung Nguyen
 
SDN Programming with Go
SDN Programming with GoSDN Programming with Go
SDN Programming with Go
Donaldson Tan
 
Radio Optimization In Telco - Part 2
Radio Optimization In Telco - Part 2Radio Optimization In Telco - Part 2
Radio Optimization In Telco - Part 2
GLC Networks
 
OSPF On Router OS7
OSPF On Router OS7OSPF On Router OS7
OSPF On Router OS7
GLC Networks
 
ACL on Linux - Part 1
ACL on Linux - Part 1ACL on Linux - Part 1
ACL on Linux - Part 1
GLC Networks
 
Module: drand - the Distributed Randomness Beacon
Module: drand - the Distributed Randomness BeaconModule: drand - the Distributed Randomness Beacon
Module: drand - the Distributed Randomness Beacon
Ioannis Psaras
 
CCNA : Intro to Cisco IOS - Part 1
CCNA : Intro to Cisco IOS - Part 1CCNA : Intro to Cisco IOS - Part 1
CCNA : Intro to Cisco IOS - Part 1
GLC Networks
 
MPLS on Router OS V7 - Part 1
MPLS on Router OS V7 - Part 1MPLS on Router OS V7 - Part 1
MPLS on Router OS V7 - Part 1
GLC Networks
 
MTCNA : Intro to RouterOS - Part 1
MTCNA : Intro to RouterOS - Part 1MTCNA : Intro to RouterOS - Part 1
MTCNA : Intro to RouterOS - Part 1
GLC Networks
 
Zabbix for Monitoring
Zabbix for MonitoringZabbix for Monitoring
Zabbix for Monitoring
GLC Networks
 
BUD17-416: Benchmark and profiling in OP-TEE
BUD17-416: Benchmark and profiling in OP-TEE BUD17-416: Benchmark and profiling in OP-TEE
BUD17-416: Benchmark and profiling in OP-TEE
Linaro
 
Using Zettabyte Filesystem (ZFS)
Using Zettabyte Filesystem (ZFS)Using Zettabyte Filesystem (ZFS)
Using Zettabyte Filesystem (ZFS)
GLC Networks
 
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.
Leszek Mi?
 
Layer 7 Firewall on Mikrotik
Layer 7 Firewall on MikrotikLayer 7 Firewall on Mikrotik
Layer 7 Firewall on Mikrotik
GLC Networks
 
LAS16-504: Secure Storage updates in OP-TEE
LAS16-504: Secure Storage updates in OP-TEELAS16-504: Secure Storage updates in OP-TEE
LAS16-504: Secure Storage updates in OP-TEE
Linaro
 
Best Current Practice (BCP) 38 Ingress Filtering for Security
Best Current Practice (BCP) 38 Ingress Filtering for SecurityBest Current Practice (BCP) 38 Ingress Filtering for Security
Best Current Practice (BCP) 38 Ingress Filtering for Security
GLC Networks
 
BUD17-302: LLVM Internals #2
BUD17-302: LLVM Internals #2 BUD17-302: LLVM Internals #2
BUD17-302: LLVM Internals #2
Linaro
 
Troubleshooting Layer 2 Ethernet Problem: Loop, Broadcast, Security
Troubleshooting Layer 2 Ethernet Problem: Loop, Broadcast, Security Troubleshooting Layer 2 Ethernet Problem: Loop, Broadcast, Security
Troubleshooting Layer 2 Ethernet Problem: Loop, Broadcast, Security
GLC Networks
 
BGP on RouterOS7 -Part 1
BGP on RouterOS7 -Part 1BGP on RouterOS7 -Part 1
BGP on RouterOS7 -Part 1
GLC Networks
 
CCNA : Intro to Cisco IOS - Part 2
CCNA : Intro to Cisco IOS - Part 2CCNA : Intro to Cisco IOS - Part 2
CCNA : Intro to Cisco IOS - Part 2
GLC Networks
 
MTCNA Intro to routerOS
MTCNA Intro to routerOSMTCNA Intro to routerOS
MTCNA Intro to routerOS
GLC Networks
 
Up and Running SSH Service - Part 1
Up and Running SSH Service - Part 1Up and Running SSH Service - Part 1
Up and Running SSH Service - Part 1
GLC Networks
 
Internet Protocol Deep-Dive
Internet Protocol Deep-DiveInternet Protocol Deep-Dive
Internet Protocol Deep-Dive
GLC Networks
 
Automatic Backup via FTP - Part 1
Automatic Backup via FTP - Part 1Automatic Backup via FTP - Part 1
Automatic Backup via FTP - Part 1
GLC Networks
 
CNIT 1417. Keyed Hashing
CNIT 1417. Keyed HashingCNIT 1417. Keyed Hashing
CNIT 1417. Keyed Hashing
Sam Bowne
 
Telecommunication Evolution
Telecommunication EvolutionTelecommunication Evolution
Telecommunication Evolution
GLC Networks
 
Dfrws eu 2014 rekall workshop
Dfrws eu 2014 rekall workshopDfrws eu 2014 rekall workshop
Dfrws eu 2014 rekall workshop
Tamas K Lengyel
 
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
DefCamp
 

Weitere Àhnliche Inhalte

Was ist angesagt?

BUD17-416: Benchmark and profiling in OP-TEE
BUD17-416: Benchmark and profiling in OP-TEE BUD17-416: Benchmark and profiling in OP-TEE
BUD17-416: Benchmark and profiling in OP-TEE
Linaro
 
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.
Leszek Mi?
 
BUD17-302: LLVM Internals #2
BUD17-302: LLVM Internals #2 BUD17-302: LLVM Internals #2
BUD17-302: LLVM Internals #2
Linaro
 

Was ist angesagt? (20)

CCNA : Intro to Cisco IOS - Part 1
CCNA : Intro to Cisco IOS - Part 1CCNA : Intro to Cisco IOS - Part 1
CCNA : Intro to Cisco IOS - Part 1
 
MPLS on Router OS V7 - Part 1
MPLS on Router OS V7 - Part 1MPLS on Router OS V7 - Part 1
MPLS on Router OS V7 - Part 1
 
MTCNA : Intro to RouterOS - Part 1
MTCNA : Intro to RouterOS - Part 1MTCNA : Intro to RouterOS - Part 1
MTCNA : Intro to RouterOS - Part 1
 
Zabbix for Monitoring
Zabbix for MonitoringZabbix for Monitoring
Zabbix for Monitoring
 
BUD17-416: Benchmark and profiling in OP-TEE
BUD17-416: Benchmark and profiling in OP-TEE BUD17-416: Benchmark and profiling in OP-TEE
BUD17-416: Benchmark and profiling in OP-TEE
 
Using Zettabyte Filesystem (ZFS)
Using Zettabyte Filesystem (ZFS)Using Zettabyte Filesystem (ZFS)
Using Zettabyte Filesystem (ZFS)
 
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.
 
Layer 7 Firewall on Mikrotik
Layer 7 Firewall on MikrotikLayer 7 Firewall on Mikrotik
Layer 7 Firewall on Mikrotik
 
LAS16-504: Secure Storage updates in OP-TEE
LAS16-504: Secure Storage updates in OP-TEELAS16-504: Secure Storage updates in OP-TEE
LAS16-504: Secure Storage updates in OP-TEE
 
Best Current Practice (BCP) 38 Ingress Filtering for Security
Best Current Practice (BCP) 38 Ingress Filtering for SecurityBest Current Practice (BCP) 38 Ingress Filtering for Security
Best Current Practice (BCP) 38 Ingress Filtering for Security
 
BUD17-302: LLVM Internals #2
BUD17-302: LLVM Internals #2 BUD17-302: LLVM Internals #2
BUD17-302: LLVM Internals #2
 
Troubleshooting Layer 2 Ethernet Problem: Loop, Broadcast, Security
Troubleshooting Layer 2 Ethernet Problem: Loop, Broadcast, Security Troubleshooting Layer 2 Ethernet Problem: Loop, Broadcast, Security
Troubleshooting Layer 2 Ethernet Problem: Loop, Broadcast, Security
 
BGP on RouterOS7 -Part 1
BGP on RouterOS7 -Part 1BGP on RouterOS7 -Part 1
BGP on RouterOS7 -Part 1
 
CCNA : Intro to Cisco IOS - Part 2
CCNA : Intro to Cisco IOS - Part 2CCNA : Intro to Cisco IOS - Part 2
CCNA : Intro to Cisco IOS - Part 2
 
MTCNA Intro to routerOS
MTCNA Intro to routerOSMTCNA Intro to routerOS
MTCNA Intro to routerOS
 
Up and Running SSH Service - Part 1
Up and Running SSH Service - Part 1Up and Running SSH Service - Part 1
Up and Running SSH Service - Part 1
 
Internet Protocol Deep-Dive
Internet Protocol Deep-DiveInternet Protocol Deep-Dive
Internet Protocol Deep-Dive
 
Automatic Backup via FTP - Part 1
Automatic Backup via FTP - Part 1Automatic Backup via FTP - Part 1
Automatic Backup via FTP - Part 1
 
CNIT 1417. Keyed Hashing
CNIT 1417. Keyed HashingCNIT 1417. Keyed Hashing
CNIT 1417. Keyed Hashing
 
Telecommunication Evolution
Telecommunication EvolutionTelecommunication Evolution
Telecommunication Evolution
 

Ähnlich wie Lord of the X86 Rings: A Portable User Mode Privilege Separation Architecture on X86 (CCS'18)

Dfrws eu 2014 rekall workshop
Dfrws eu 2014 rekall workshopDfrws eu 2014 rekall workshop
Dfrws eu 2014 rekall workshop
Tamas K Lengyel
 
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
DefCamp
 
A Journey into Hexagon: Dissecting Qualcomm Basebands
A Journey into Hexagon: Dissecting Qualcomm BasebandsA Journey into Hexagon: Dissecting Qualcomm Basebands
A Journey into Hexagon: Dissecting Qualcomm Basebands
Priyanka Aash
 
Advanced MySql Data-at-Rest Encryption in Percona Server
Advanced MySql Data-at-Rest Encryption in Percona ServerAdvanced MySql Data-at-Rest Encryption in Percona Server
Advanced MySql Data-at-Rest Encryption in Percona Server
Severalnines
 
cachegrand: A Take on High Performance Caching
cachegrand: A Take on High Performance Cachingcachegrand: A Take on High Performance Caching
cachegrand: A Take on High Performance Caching
ScyllaDB
 
Improving Scalability of Xen: The 3,000 Domains Experiment
Improving Scalability of Xen: The 3,000 Domains ExperimentImproving Scalability of Xen: The 3,000 Domains Experiment
Improving Scalability of Xen: The 3,000 Domains Experiment
The Linux Foundation
 
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
Anne Nicolas
 

Ähnlich wie Lord of the X86 Rings: A Portable User Mode Privilege Separation Architecture on X86 (CCS'18) (20)

Dfrws eu 2014 rekall workshop
Dfrws eu 2014 rekall workshopDfrws eu 2014 rekall workshop
Dfrws eu 2014 rekall workshop
 
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
 
Mirko Damiani - An Embedded soft real time distributed system in Go
Mirko Damiani - An Embedded soft real time distributed system in GoMirko Damiani - An Embedded soft real time distributed system in Go
Mirko Damiani - An Embedded soft real time distributed system in Go
 
Linux Stammtisch Munich: Ceph - Overview, Experiences and Outlook
Linux Stammtisch Munich: Ceph - Overview, Experiences and OutlookLinux Stammtisch Munich: Ceph - Overview, Experiences and Outlook
Linux Stammtisch Munich: Ceph - Overview, Experiences and Outlook
 
A Journey into Hexagon: Dissecting Qualcomm Basebands
A Journey into Hexagon: Dissecting Qualcomm BasebandsA Journey into Hexagon: Dissecting Qualcomm Basebands
A Journey into Hexagon: Dissecting Qualcomm Basebands
 
Advanced MySql Data-at-Rest Encryption in Percona Server
Advanced MySql Data-at-Rest Encryption in Percona ServerAdvanced MySql Data-at-Rest Encryption in Percona Server
Advanced MySql Data-at-Rest Encryption in Percona Server
 
cachegrand: A Take on High Performance Caching
cachegrand: A Take on High Performance Cachingcachegrand: A Take on High Performance Caching
cachegrand: A Take on High Performance Caching
 
Security issues in FPGA based systems.
Security issues in FPGA based systems.Security issues in FPGA based systems.
Security issues in FPGA based systems.
 
Advanced microprocessor
Advanced microprocessorAdvanced microprocessor
Advanced microprocessor
 
One Stone, Three Birds_ Finer-Grained Encryption with Apache Parquet @ Large ...
One Stone, Three Birds_ Finer-Grained Encryption with Apache Parquet @ Large ...One Stone, Three Birds_ Finer-Grained Encryption with Apache Parquet @ Large ...
One Stone, Three Birds_ Finer-Grained Encryption with Apache Parquet @ Large ...
 
An Introduction to Apache Cassandra
An Introduction to Apache CassandraAn Introduction to Apache Cassandra
An Introduction to Apache Cassandra
 
Improving Scalability of Xen: The 3,000 Domains Experiment
Improving Scalability of Xen: The 3,000 Domains ExperimentImproving Scalability of Xen: The 3,000 Domains Experiment
Improving Scalability of Xen: The 3,000 Domains Experiment
 
Operation Unthinkable – Software Defined Storage @ Booking.com (Peter Buschman)
Operation Unthinkable – Software Defined Storage @ Booking.com (Peter Buschman)Operation Unthinkable – Software Defined Storage @ Booking.com (Peter Buschman)
Operation Unthinkable – Software Defined Storage @ Booking.com (Peter Buschman)
 
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
 
Do you know what your digital pins are "really" saying
Do you know what your digital pins are "really" sayingDo you know what your digital pins are "really" saying
Do you know what your digital pins are "really" saying
 
Bluetooth Low Energy - A Case Study
Bluetooth Low Energy - A Case StudyBluetooth Low Energy - A Case Study
Bluetooth Low Energy - A Case Study
 
Study on 32-bit Cortex - M3 Powered MCU: STM32F101
Study on 32-bit Cortex - M3 Powered MCU: STM32F101Study on 32-bit Cortex - M3 Powered MCU: STM32F101
Study on 32-bit Cortex - M3 Powered MCU: STM32F101
 
Kubernetes from scratch at veepee sysadmins days 2019
Kubernetes from scratch at veepee sysadmins days 2019Kubernetes from scratch at veepee sysadmins days 2019
Kubernetes from scratch at veepee sysadmins days 2019
 
module01.ppt
module01.pptmodule01.ppt
module01.ppt
 
Lect 1 Into.pptx
Lect 1 Into.pptxLect 1 Into.pptx
Lect 1 Into.pptx
 

KĂŒrzlich hochgeladen

Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
Overkill Security
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Angeliki Cooney
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 

KĂŒrzlich hochgeladen (20)

AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 

Lord of the X86 Rings: A Portable User Mode Privilege Separation Architecture on X86 (CCS'18)

  • 1. Lord of the X86 Rings: A Portable User Mode Privilege Separation Architecture on X86 Memory Defense Paper Sharing(I) ccs 2018 Hojoon Lee, Chihyun Song, Brent Byunghoon Kang Presented by Xingman Chen 2018-10-09
  • 2. In-Process Isolation ● Most attacks against ○ Control Flow ■ Control flow hijack/bending ○ Data Flow ■ Non-control data attack 2
  • 3. In-Process Isolation ● Most attacks against ○ Control Flow ■ Control flow hijack/bending ○ Data Flow ■ Non-control data attack ● Sensitive data in memory ○ Cryptographic keys ○ Function table ○ Control flow intergrity mitigation metadata ○ (Un)trust libs ● Need to be protected 3
  • 4. Motivations ● HeartBleed Vulnerability ○ A malicious memcpy(bp,pl,payload) in openssl nearly bring down the HTTPs ○ Sensitive data: Private key 4
  • 5. Motivations ● Metadata Protection ○ Shadow Stack ■ Backup return address to avoid ret based control flow hijack ■ Sensitive data: backup return address ○ Code Pointer Intergrity ■ Move code pointer and indirect code pointers to safe region ■ Sensitive data: safe region 5
  • 6. Motivations ● Metadata Protection ○ Shadow Stack ■ Backup return address to avoid ret based control flow hijack ■ Sensitive data: backup return address ○ Code Pointer Intergrity ■ Move code pointer and indirect code pointers to safe region ■ Sensitive data: safe region 6
  • 7. Motivations ● Untrusted Library ○ Blackhat’17 by Chaitin: Many Birds, One Stone: Exploiting a Single SQLite Vulnerability Across Multiple Software ○ CVE-2015-7036 ■ SQLite fts3_tokenizer Untrusted Pointer Remote Code Execution Vulnerability 7
  • 8. In-Process Isolation: Approaches ● Software based ○ Randomization based ■ e.g. ASLR ○ Instrument non-sen code with bounds checks prior to indirect memory accesses ■ e.g. SFI 8 Application Sen-Code (Sensitive Data Related Code) Non Sen Code Non Sen Memory Sen Memory
  • 9. ● Software based ○ Randomization based ■ e.g. ASLR ○ Instrument non-sen code with bounds checks prior to indirect memory accesses ■ e.g. Software Fault Isolation(SFI) ● OS/Hardware based ○ OS feature based: Paging or Segmentation based appoarches ○ Hardware feature based ■ e.g. intel MPX(CFIXX), SGX, CET, MPK; arm Memory Domain(Shred) In-Process Isolation: Approaches 9 Application Sen-Code (Sensitive Data Related Code) Non Sen Code Non Sen Memory Sen Memory
  • 10. Lord of the x86 Rings: A Portable User Mode Privilege Separation Architecture on x86 ● Presented LOTRx86, a novel approach that establishes a new user privilege layer safeguards secure access sensitive data to achieve in-process privilege separation ● OS Feature based ● Feature ○ No extra hardware feature needed ○ Fast: average of 30.40% overhead on Intel processor 10
  • 11. Motivation ● Randomization based: Weak ● SFI: High overhead ● Hardware feature based: Not portable ● LOTRx86: Trade off ○ Portable approach based on segmentation & paging features ○ Harnesses the underused x86 intermediate Rings (Ring1 and Ring2) 11
  • 12. Preliminaries: Addressing in x86 ● Segmentation in x86(IA-32,386) ○ DPL(Description Priviliege Level): in GDT/LDT ○ CPL(Current Priviliege Level): 2bit in Segment register(cs) ○ RPL(Request Privilege Level) 12
  • 13. Preliminaries: Addressing in x86 ● Pagging in x86 ○ 2-level page table ■ User/Supervisor: priviliege required for accessing this page 13
  • 14. Preliminaries: Addressing in x64 ● x64(x86_64,amd64/IA-32e, EM64T): Weakened Segmentation 14
  • 15. Preliminaries: Addressing in x64 ● x64(x86_64,amd64/IA-32e, EM64T): Weakened Segmentation ○ Treats the segment base of CS, DS, ES, SS as zero, creating a linear address ○ Used only for memory protection ○ CPL Remained ■ DPL: Valid for code segment descriptor, ignored for data segment descriptor 15
  • 16. Preliminaries: Callgate ● Callgate: Privilege escalation & de-escalation ○ Callgate Descriptor defined at GDT/LDT ○ DPLg: minium priv requirement ○ Stack pivot after escalation/decalation 16
  • 17. Preliminaries: Inter-bitness control transfer ● Bitness(32/64): defined by the currently active code segment descriptor ○ L bit ○ callgate cannot target a 32-bit code segment in long mode(64 bit) 17
  • 18. Thread Model & Target ● Thread Model ○ Arbitary Code Execution ● Security Guarantee ○ User mode cannot directly access a region protected 18 Application Sen-Code (Sensitive Data Related Code) Non Sen Code Non Sen Memory Sen Memory
  • 19. ● Establishing PrivUser memory space ○ M-SR1. User mode must not be able to access PrivUser memory ■ set S-page PTE s-bit Design 19
  • 20. ● Establishing PrivUser memory space ○ M-SR1. User mode must not be able to access PrivUser memory ■ set S-page PTE s-bit ○ M-SR2. PrivUser mode must not be able to access kernel memory space ■ set privuser code page as 32-bit segmentation enabled code segment ● run 32bit code with special segment(cs) Design 20
  • 21. Design ● Challenges ○ Hardware constraint: 32-bit call gate is disabled, a 64-bit call gate have to be introduced ○ Potential risk: any non-ring3 64-bit code can access kernel memory ■ if Privuser jump to 64-bit call gate area instead of call gate entry, it can access the kernel memory 21
  • 22. Design ● Challenges ○ Hardware constraint: 32-bit call gate is disabled, a 64-bit call gate have to be introduced ○ Potential risk: any non-ring3 64-bit code can access kernel memory ■ if Privuser jump to 64-bit call gate area instead of call gate entry, it can access the kernel memory ● Solution: Inescapable segmentation enforcement ○ An ring-1 callgate(x64) with lret 22
  • 23. Design ● Challenges ○ Hardware constraint: 32-bit call gate is disabled, a 64-bit call gate have to be introduced ○ Potential risk: any non-ring3 64-bit code can access kernel memory ■ if Privuser jump to 64-bit call gate area instead of call gate entry, it can access the kernel memory ● Solution: Inescapable segmentation enforcement ○ An ring-1 callgate(x64) with lret 23
  • 24. Implementation ● Components ○ lotr-kmod: build PrivUser space ■ space size is fixed ■ generate LDT, init S-page PTE, init ring1 ring2 ○ liblotr: util functions for calling initalize PrivUser space, entering, etc. ○ lotr-libc: private libc, no scalable ○ kernel modification: let mmap/mprotect bypass and return error 24
  • 26. Evaluation ● Micro-benchmark ○ compare with normal function ■ But why intel different with amd? 26 no cache opt
  • 28. Evaluation ● LOTRx86 enabled web server ○ latency: response time 28
  • 29. Discussion ● Portable but no scalable ○ e.g. Size, Libc, argument passing ● Low automation ● High Overhead: 35% 29