Lord of the X86 Rings: A Portable User Mode Privilege Separation Architecture on X86 (CCS'18)
1. Lord of the X86 Rings: A Portable User Mode Privilege Separation Architecture on X86
Memory Defense Paper Sharing (I), CCS 2018
Hojoon Lee, Chihyun Song, Brent Byunghoon Kang
Presented by Xingman Chen
2018-10-09
3. In-Process Isolation
● Most attacks target
  ● Control flow: control-flow hijacking/bending
  ● Data flow: non-control-data attacks
● Sensitive data in memory that needs to be protected
  ● Cryptographic keys
  ● Function tables
  ● Control-flow integrity (CFI) mitigation metadata
  ● (Un)trusted libraries
5. Motivations
● Metadata protection
  ● Shadow stack
    ● Keeps a backup copy of every return address to defeat ret-based control-flow hijacking
    ● Sensitive data: the backup return addresses
  ● Code Pointer Integrity (CPI)
    ● Moves code pointers, and the pointers through which they are reached, into a safe region
    ● Sensitive data: the safe region
7. Motivations
● Untrusted library
  ● Black Hat '17, Chaitin: "Many Birds, One Stone: Exploiting a Single SQLite Vulnerability Across Multiple Software"
  ● CVE-2015-7036
    ● SQLite fts3_tokenizer untrusted pointer remote code execution vulnerability
9. In-Process Isolation: Approaches
● Software based
  ● Randomization based
    ● e.g. ASLR
  ● Instrument non-sensitive code with bounds checks before every indirect memory access
    ● e.g. Software Fault Isolation (SFI)
● OS/hardware based
  ● OS feature based: paging- or segmentation-based approaches
  ● Hardware feature based
    ● e.g. Intel MPX (CFIXX), SGX, CET, MPK; ARM memory domains (Shred)
[Figure: the application is split into Sen-Code (sensitive-data-related code) and non-sensitive code, with separate Sen Memory and non-sensitive memory]
10. Lord of the x86 Rings: A Portable User Mode Privilege Separation Architecture on x86
● Presents LOTRx86, a novel approach that establishes a new user privilege layer (PrivUser) which safeguards access to sensitive data, achieving in-process privilege separation
● OS feature based
● Features
  ● No extra hardware feature needed
  ● Fast: 30.40% overhead on average on an Intel processor
11. Motivation
● Randomization based: weak
● SFI: high overhead
● Hardware feature based: not portable
● LOTRx86: a trade-off
  ● Portable approach built on the segmentation and paging features
  ● Harnesses the underused x86 intermediate rings (Ring 1 and Ring 2)
12. Preliminaries: Addressing in x86
● Segmentation in x86 (IA-32, since the 386)
  ● DPL (Descriptor Privilege Level): stored in the segment descriptor in the GDT/LDT
  ● CPL (Current Privilege Level): the low 2 bits of the code segment register (CS)
  ● RPL (Requested Privilege Level): the low 2 bits of a segment selector
13. Preliminaries: Addressing in x86
● Paging in x86
  ● 2-level page table (32-bit, non-PAE)
  ● User/Supervisor bit: the privilege required to access the page (U/S = 0 means only supervisor accesses, i.e. CPL 0 to 2, are allowed)
15. Preliminaries: Addressing in x64
● x64 (x86_64, amd64, IA-32e, EM64T): weakened segmentation
  ● Treats the segment base of CS, DS, ES and SS as zero, giving a flat linear address; their limits are not checked either
  ● Segmentation is used only for memory protection
  ● CPL remains
  ● DPL: honoured for code segment descriptors, ignored for data segment descriptors
16. Preliminaries: Call gate
● Call gate: privilege escalation and de-escalation (escalation through the gate, de-escalation through a far return)
  ● Call gate descriptor defined in the GDT/LDT
  ● DPLg: minimum privilege requirement for using the gate (max(CPL, RPL) must be <= DPLg)
  ● Stack switch (via the TSS) after escalation/de-escalation
17. Preliminaries: Inter-bitness control transfer
● Bitness (32/64) is defined by the currently active code segment descriptor
  ● The L bit (1 = 64-bit code, 0 = compatibility-mode 32-bit code)
● A call gate cannot target a 32-bit code segment in long mode (64-bit): the far call raises #GP
18. Threat Model & Target
● Threat model
  ● Arbitrary code execution in (untrusted) user mode
● Security guarantee
  ● User mode cannot directly access a protected region
20. Design
● Establishing the PrivUser memory space
  ● M-SR1. User mode must not be able to access PrivUser memory
    ● Mark the S-page PTEs as supervisor (U/S bit = 0), so CPL 3 cannot touch them while Ring 2 can
  ● M-SR2. PrivUser mode must not be able to access kernel memory space
    ● Place the PrivUser code in a 32-bit code segment with segmentation enabled
    ● Run it as 32-bit code under a special code segment (CS) whose segment limits keep kernel memory out of reach
22. Design
● Challenges
  ● Hardware constraint: a 32-bit call gate is unusable in long mode, so a 64-bit call gate has to be introduced
  ● Potential risk: any non-Ring-3 64-bit code can access kernel memory
    ● If PrivUser could jump into the 64-bit code area behind the call gate instead of entering through the gate, it would be able to access kernel memory
● Solution: inescapable segmentation enforcement
  ● A Ring-1 x64 call gate whose handler immediately de-escalates into the 32-bit Ring-2 PrivUser segment with lret
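The following C model is an added example written for this page; it is not code from the LOTRx86 paper or its implementation. It ties the preliminaries on slides 12 to 17 to the design on slides 20 and 22: it decodes GDT/LDT segment descriptors and a 16-byte IA-32e call gate, applies the privilege rules for a far call through a gate and for a far return, and checks the PTE U/S bit. All descriptor values, the gate selector 0x28, the entry offset and the PTE values are constructed for illustration. `lotr_entry_cpl()` walks Ring 3 to Ring 1 through the 64-bit gate and then to Ring 2 with a far return into the 32-bit segment; handing the 32-bit segment to the gate as its target in long mode produces the #GP from slide 17, which is why the gate has to land in 64-bit Ring-1 code first.

```c
#include <stdint.h>
#include <stdbool.h>

/* Software model of the x86 protection checks on the LOTRx86 entry path. Bit
 * layouts follow the Intel SDM Vol. 3A (segment descriptors, IA-32e call gates,
 * PTE bits); every descriptor/PTE value here is constructed for this example. */

typedef struct {
    uint32_t limit;                      /* limit in bytes after applying G */
    unsigned dpl;                        /* Descriptor Privilege Level */
    bool present, code, conforming, l_bit;
} seg_desc_t;

typedef struct { uint64_t offset; uint16_t selector; unsigned type, dpl; bool present; } gate_t;

/* gate_call()/far_ret() return the new CPL (>= 0) or -(one of these) on #GP. */
enum xfer { XFER_OK, XFER_GP_BAD_DESC, XFER_GP_GATE_PRIV, XFER_GP_TARGET_PRIV, XFER_GP_NOT_64BIT };

/* Decode an 8-byte code/data descriptor as stored in the GDT/LDT. The base is
 * skipped: 64-bit mode forces it to zero for CS/DS/ES/SS anyway. */
seg_desc_t decode_seg(uint64_t raw)
{
    seg_desc_t d;
    d.limit = (uint32_t)(raw & 0xFFFF) | ((uint32_t)((raw >> 48) & 0xF) << 16);
    if ((raw >> 55) & 1) d.limit = (d.limit << 12) | 0xFFF;  /* G: 4 KiB units */
    d.dpl = (raw >> 45) & 3;
    d.present = (raw >> 47) & 1;
    d.code = (raw >> 43) & 1;                                 /* type bit 3 */
    d.conforming = d.code && ((raw >> 42) & 1);
    d.l_bit = (raw >> 53) & 1;                                /* 64-bit code */
    return d;
}

/* Decode a 16-byte IA-32e call gate (type 0xC). DPLg says who may use it. */
gate_t decode_gate64(uint64_t lo, uint64_t hi)
{
    gate_t g;
    g.offset = (lo & 0xFFFF) | (((lo >> 48) & 0xFFFF) << 16) | ((hi & 0xFFFFFFFF) << 32);
    g.selector = (uint16_t)((lo >> 16) & 0xFFFF);
    g.type = (lo >> 40) & 0xF;
    g.dpl = (lo >> 45) & 3;
    g.present = (lo >> 47) & 1;
    return g;
}

/* Far CALL through a call gate from CPL `cpl` with a selector of RPL `rpl`:
 * max(CPL,RPL) <= DPLg, the target may only be equally or more privileged, and
 * in long mode the target must be a 64-bit code segment (slide 17's constraint). */
int gate_call(unsigned cpl, unsigned rpl, uint64_t gate_lo, uint64_t gate_hi,
              uint64_t target_raw, bool long_mode)
{
    gate_t g = decode_gate64(gate_lo, gate_hi);
    seg_desc_t t = decode_seg(target_raw);
    if (!g.present || g.type != 0xC || !t.present || !t.code) return -XFER_GP_BAD_DESC;
    if (cpl > g.dpl || rpl > g.dpl) return -XFER_GP_GATE_PRIV;
    if (t.dpl > cpl)                return -XFER_GP_TARGET_PRIV;
    if (long_mode && !t.l_bit)      return -XFER_GP_NOT_64BIT;
    return t.conforming ? (int)cpl : (int)t.dpl;
}

/* Far RET (lret) from CPL `cpl` to a code segment selected with RPL `ret_rpl`.
 * RET can only stay or move outward; a non-conforming target needs DPL == RPL;
 * the new CPL is the RPL. This is the Ring 1 -> Ring 2 de-escalation step. */
int far_ret(unsigned cpl, unsigned ret_rpl, uint64_t target_raw)
{
    seg_desc_t t = decode_seg(target_raw);
    if (!t.present || !t.code) return -XFER_GP_BAD_DESC;
    if (ret_rpl < cpl)         return -XFER_GP_TARGET_PRIV;
    if (t.conforming ? t.dpl > ret_rpl : t.dpl != ret_rpl) return -XFER_GP_TARGET_PRIV;
    return (int)ret_rpl;
}

/* Page-level check (M-SR1): bit 0 = P, bit 1 = R/W, bit 2 = U/S. CPL 3 needs
 * U/S = 1, while CPL 0..2 are all "supervisor" to the MMU, which is why Ring-2
 * PrivUser code can touch an S-page that Ring-3 code cannot. CR0.WP, SMAP/SMEP
 * and NX are left out of the model. */
bool pte_access_ok(uint64_t pte, unsigned cpl, bool write)
{
    if (!(pte & 1)) return false;
    if (cpl == 3 && !(pte & 4)) return false;
    if (cpl == 3 && write && !(pte & 2)) return false;
    return true;
}

/* Constructed descriptors (hypothetical values chosen for this example). */
const uint64_t RING1_CS64 = 0x00AFBA000000FFFFULL; /* code, DPL1, L=1, limit 4 GiB */
const uint64_t RING2_CS32 = 0x00C0DA000000FFFFULL; /* code, DPL2, L=0, limit 256 MiB */
const uint64_t GATE_LO    = 0x0000EC0000281000ULL; /* type 0xC, DPL3, selector 0x28 */
const uint64_t GATE_HI    = 0x0000000000007F00ULL; /* entry offset 0x00007f0000001000 */
const uint64_t S_PAGE_PTE = 0x0000000012345003ULL; /* P|RW, U/S=0: an S-page */

/* Ring 3 --(64-bit call gate)--> Ring 1 64-bit stub --(lret)--> Ring 2 32-bit
 * PrivUser. Returns the CPL PrivUser runs at, or -reason if a step #GPs. */
int lotr_entry_cpl(void)
{
    int cpl = gate_call(3, 3, GATE_LO, GATE_HI, RING1_CS64, true);
    if (cpl < 0) return cpl;
    return far_ret((unsigned)cpl, 2, RING2_CS32);
}
```

The U/S check shows why Ring 2 is enough for M-SR1: to the MMU, CPL 0 to 2 are all supervisor, so PrivUser reads the S-page that CPL 3 is refused on. What keeps Ring 2 out of kernel memory (M-SR2) is not paging but the limit of its 32-bit segment; in this example `decode_seg(RING2_CS32).limit` is the 256 MiB window, and `far_ret(1, 3, RING2_CS32)` faults because a non-conforming DPL-2 segment cannot be returned to with RPL 3, so the descriptor also cannot be reused as a Ring-3 segment.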
24. Implementation
● Components
  ● lotr-kmod: builds the PrivUser space
    ● The space size is fixed
    ● Generates the LDT, initializes the S-page PTEs, sets up Ring 1 and Ring 2
  ● liblotr: utility functions for initializing the PrivUser space, entering it, etc.
  ● lotr-libc: a private libc; not scalable
  ● Kernel modification: mmap/mprotect skip the PrivUser region and return an error