TU Darmstadt / ULB / TUbiblio

OS-level Attacks and Defenses: from Software to Hardware-based Exploits

Gens, David (2019)
OS-level Attacks and Defenses: from Software to Hardware-based Exploits.
Technische Universität Darmstadt
Dissertation, Erstveröffentlichung

Kurzbeschreibung (Abstract)

Run-time attacks have plagued computer systems for more than three decades, with control-flow hijacking attacks such as return-oriented programming representing the long-standing state-of-the-art in memory-corruption based exploits. These attacks exploit memory-corruption vulnerabilities in widely deployed software, e.g., through malicious inputs, to gain full control over the platform remotely at run time, and many defenses have been proposed and thoroughly studied in the past. Among those defenses, control-flow integrity emerged as a powerful and effective protection against code-reuse attacks in practice. As a result, we now start to see attackers shifting their focus towards novel techniques through a number of increasingly sophisticated attacks that combine software and hardware vulnerabilities to construct successful exploits. These emerging attacks have a high impact on computer security, since they completely bypass existing defenses that assume either hardware or software adversaries. For instance, they leverage physical effects to provoke hardware faults or force the system into transient micro-architectural states. This enables adversaries to exploit hardware vulnerabilities from software without requiring physical presence or software bugs.

In this dissertation, we explore the real-world threat of hardware and software-based run-time attacks against operating systems. While memory-corruption-based exploits have been studied for more than three decades, we show that data-only attacks can completely bypass state-of-the-art defenses such as Control-Flow Integrity which are also deployed in practice. Additionally, hardware vulnerabilities such as Rowhammer, CLKScrew, and Meltdown enable sophisticated adversaries to exploit the system remotely at run time without requiring any memory-corruption vulnerabilities in the system’s software. We develop novel design strategies to defend the OS against hardware-based attacks such as Rowhammer and Meltdown to tackle the limitations of existing defenses. First, we present two novel data-only attacks that completely break current code-reuse defenses deployed in real-world software and propose a randomization-based defense against such data-only attacks in the kernel. Second, we introduce a compiler-based framework to automatically uncover memory-corruption vulnerabilities in real-world kernel code. Third, we demonstrate the threat of Rowhammer-based attacks in security-sensitive applications and how to enable a partitioning policy in the system’s physical memory allocator to effectively and efficiently defend against such attacks. We demonstrate feasibility and real-world performance through our prototype for the popular and widely used Linux kernel. Finally, we develop a side-channel defense to eliminate Meltdown-style cache attacks by strictly isolating the address space of kernel and user memory.

Typ des Eintrags: Dissertation
Erschienen: 2019
Autor(en): Gens, David
Art des Eintrags: Erstveröffentlichung
Titel: OS-level Attacks and Defenses: from Software to Hardware-based Exploits
Sprache: Englisch
Referenten: Sadeghi, Prof. Dr. Ahmad-Reza ; Holz, Prof. Dr. Thorsten
Publikationsjahr: 2019
Ort: Darmstadt
Datum der mündlichen Prüfung: 13 Februar 2019
URL / URN: https://tuprints.ulb.tu-darmstadt.de/8482
Kurzbeschreibung (Abstract):

Run-time attacks have plagued computer systems for more than three decades, with control-flow hijacking attacks such as return-oriented programming representing the long-standing state-of-the-art in memory-corruption based exploits. These attacks exploit memory-corruption vulnerabilities in widely deployed software, e.g., through malicious inputs, to gain full control over the platform remotely at run time, and many defenses have been proposed and thoroughly studied in the past. Among those defenses, control-flow integrity emerged as a powerful and effective protection against code-reuse attacks in practice. As a result, we now start to see attackers shifting their focus towards novel techniques through a number of increasingly sophisticated attacks that combine software and hardware vulnerabilities to construct successful exploits. These emerging attacks have a high impact on computer security, since they completely bypass existing defenses that assume either hardware or software adversaries. For instance, they leverage physical effects to provoke hardware faults or force the system into transient micro-architectural states. This enables adversaries to exploit hardware vulnerabilities from software without requiring physical presence or software bugs.

In this dissertation, we explore the real-world threat of hardware and software-based run-time attacks against operating systems. While memory-corruption-based exploits have been studied for more than three decades, we show that data-only attacks can completely bypass state-of-the-art defenses such as Control-Flow Integrity which are also deployed in practice. Additionally, hardware vulnerabilities such as Rowhammer, CLKScrew, and Meltdown enable sophisticated adversaries to exploit the system remotely at run time without requiring any memory-corruption vulnerabilities in the system’s software. We develop novel design strategies to defend the OS against hardware-based attacks such as Rowhammer and Meltdown to tackle the limitations of existing defenses. First, we present two novel data-only attacks that completely break current code-reuse defenses deployed in real-world software and propose a randomization-based defense against such data-only attacks in the kernel. Second, we introduce a compiler-based framework to automatically uncover memory-corruption vulnerabilities in real-world kernel code. Third, we demonstrate the threat of Rowhammer-based attacks in security-sensitive applications and how to enable a partitioning policy in the system’s physical memory allocator to effectively and efficiently defend against such attacks. We demonstrate feasibility and real-world performance through our prototype for the popular and widely used Linux kernel. Finally, we develop a side-channel defense to eliminate Meltdown-style cache attacks by strictly isolating the address space of kernel and user memory.

Alternatives oder übersetztes Abstract:
Alternatives AbstractSprache

Softwarebasierte Laufzeitangriffe stellen Rechnerplattformen seit mehr als drei Jahrzehnten vor große Sicherheitsprobleme. In Form weit verbreiteter Offensivtechniken wie Return-Oriented Programming, die Programmierfehler durch bösartige Eingaben gezielt ausnutzen, können Angreifer im Extremfall so die vollständige Kontrolle über die Plattform erlangen. Daher wurden über die Jahre eine Vielzahl von Defensivmaßnahmen wie Control-Flow Integrity und Fine-Grained Randomization vorgeschlagen und die Effektivität dieser Schutzmechanismen war lange Zeit Gegenstand intensiver Forschungsarbeit. In jüngster Zeit wurden jedoch eine Reihe zunehmend ausgefeilterer Angriffe auf Hardwareschwachstellen aus Software heraus vorgestellt, die bei Beibehaltung des Angreifersmodells zur kompletten Kompromittierung dieser Systeme führen können. Diese neuartige Entwicklung stellt bestehende Verteidigungen, die traditionelle Softwareangriffe annehmen, somit in der Praxis vor große Herausforderungen.

Diese Dissertation erforscht eine Reihe solcher neuartigen Angriffsszenarien, um die reale Bedrohung auf das Betriebssystem trotz bestehender Verteidigungsmechanismen abschätzen zu können. Insbesondere geht die Arbeit im ersten Teil auf die Problematik sogenannter Data-Only Angriffe im Kontext von Defensivmaßnahmen wie Control-Flow Integrity ein und demonstriert, wie diese unter Ausnutzung von Softwarefehlern vollständig ausgehebelt werden können. Der zweite Teil erforscht die Bedrohung von Laufzeitangriffen durch Hardwarefehler, auch in Abwesenheit von Softwarefehlern auf welche sich bisherige Verteidigungen beschränken. Um die bisherigen Problem in den vorhandenen Schutzmechanismen anzugehen wurden neue Designstrategien entwickelt, mit Hilfe derer sich das Betriebssystem vor solch weiterführenden Angriffen durch geeignete Maßnahmen in Software schützen kann. Zunächst demonstrieren wir eine randomisierungsbasierte Verteidigung gegen Data-Only Angriffe auf Seitentabellen. Des weiteren wird ein Framework zur automatisierten Identifikation von Softwarefehlern im Betriebssystem anhand des Quelltexts auf Basis des LLVM Compilers vorgestellt. Außerdem erforscht die Arbeit eine Absicherung des Betriebbsystems vor Seitenkanalangriffen durch geeignete Isolation des Addressraumes. Ferner entwickeln wir eine Schutzmaßnahme vor Rowhammer-basierten Angriffen auf das OS, indem der physische Speicherallokator des Systems um eine Partitionierungsstrategie erweitert wird.

Deutsch
URN: urn:nbn:de:tuda-tuprints-84825
Sachgruppe der Dewey Dezimalklassifikatin (DDC): 000 Allgemeines, Informatik, Informationswissenschaft > 004 Informatik
Fachbereich(e)/-gebiet(e): 20 Fachbereich Informatik
20 Fachbereich Informatik > Systemsicherheit
Hinterlegungsdatum: 24 Mär 2019 20:55
Letzte Änderung: 24 Mär 2019 20:55
PPN:
Referenten: Sadeghi, Prof. Dr. Ahmad-Reza ; Holz, Prof. Dr. Thorsten
Datum der mündlichen Prüfung / Verteidigung / mdl. Prüfung: 13 Februar 2019
Export:
Suche nach Titel in: TUfind oder in Google
Frage zum Eintrag Frage zum Eintrag

Optionen (nur für Redakteure)
Redaktionelle Details anzeigen Redaktionelle Details anzeigen