TU Darmstadt / ULB / TUbiblio

OS-level Attacks and Defenses: from Software to Hardware-based Exploits

Gens, David (2019):
OS-level Attacks and Defenses: from Software to Hardware-based Exploits.
Darmstadt, Technische Universität, [Online-Edition: https://tuprints.ulb.tu-darmstadt.de/8482],
[Ph.D. Thesis]

Abstract

Run-time attacks have plagued computer systems for more than three decades, with control-flow hijacking attacks such as return-oriented programming representing the long-standing state-of-the-art in memory-corruption based exploits. These attacks exploit memory-corruption vulnerabilities in widely deployed software, e.g., through malicious inputs, to gain full control over the platform remotely at run time, and many defenses have been proposed and thoroughly studied in the past. Among those defenses, control-flow integrity emerged as a powerful and effective protection against code-reuse attacks in practice. As a result, we now start to see attackers shifting their focus towards novel techniques through a number of increasingly sophisticated attacks that combine software and hardware vulnerabilities to construct successful exploits. These emerging attacks have a high impact on computer security, since they completely bypass existing defenses that assume either hardware or software adversaries. For instance, they leverage physical effects to provoke hardware faults or force the system into transient micro-architectural states. This enables adversaries to exploit hardware vulnerabilities from software without requiring physical presence or software bugs.

In this dissertation, we explore the real-world threat of hardware and software-based run-time attacks against operating systems. While memory-corruption-based exploits have been studied for more than three decades, we show that data-only attacks can completely bypass state-of-the-art defenses such as Control-Flow Integrity which are also deployed in practice. Additionally, hardware vulnerabilities such as Rowhammer, CLKScrew, and Meltdown enable sophisticated adversaries to exploit the system remotely at run time without requiring any memory-corruption vulnerabilities in the system’s software. We develop novel design strategies to defend the OS against hardware-based attacks such as Rowhammer and Meltdown to tackle the limitations of existing defenses. First, we present two novel data-only attacks that completely break current code-reuse defenses deployed in real-world software and propose a randomization-based defense against such data-only attacks in the kernel. Second, we introduce a compiler-based framework to automatically uncover memory-corruption vulnerabilities in real-world kernel code. Third, we demonstrate the threat of Rowhammer-based attacks in security-sensitive applications and how to enable a partitioning policy in the system’s physical memory allocator to effectively and efficiently defend against such attacks. We demonstrate feasibility and real-world performance through our prototype for the popular and widely used Linux kernel. Finally, we develop a side-channel defense to eliminate Meltdown-style cache attacks by strictly isolating the address space of kernel and user memory.

Item Type: Ph.D. Thesis
Erschienen: 2019
Creators: Gens, David
Title: OS-level Attacks and Defenses: from Software to Hardware-based Exploits
Language: English
Abstract:

Run-time attacks have plagued computer systems for more than three decades, with control-flow hijacking attacks such as return-oriented programming representing the long-standing state-of-the-art in memory-corruption based exploits. These attacks exploit memory-corruption vulnerabilities in widely deployed software, e.g., through malicious inputs, to gain full control over the platform remotely at run time, and many defenses have been proposed and thoroughly studied in the past. Among those defenses, control-flow integrity emerged as a powerful and effective protection against code-reuse attacks in practice. As a result, we now start to see attackers shifting their focus towards novel techniques through a number of increasingly sophisticated attacks that combine software and hardware vulnerabilities to construct successful exploits. These emerging attacks have a high impact on computer security, since they completely bypass existing defenses that assume either hardware or software adversaries. For instance, they leverage physical effects to provoke hardware faults or force the system into transient micro-architectural states. This enables adversaries to exploit hardware vulnerabilities from software without requiring physical presence or software bugs.

In this dissertation, we explore the real-world threat of hardware and software-based run-time attacks against operating systems. While memory-corruption-based exploits have been studied for more than three decades, we show that data-only attacks can completely bypass state-of-the-art defenses such as Control-Flow Integrity which are also deployed in practice. Additionally, hardware vulnerabilities such as Rowhammer, CLKScrew, and Meltdown enable sophisticated adversaries to exploit the system remotely at run time without requiring any memory-corruption vulnerabilities in the system’s software. We develop novel design strategies to defend the OS against hardware-based attacks such as Rowhammer and Meltdown to tackle the limitations of existing defenses. First, we present two novel data-only attacks that completely break current code-reuse defenses deployed in real-world software and propose a randomization-based defense against such data-only attacks in the kernel. Second, we introduce a compiler-based framework to automatically uncover memory-corruption vulnerabilities in real-world kernel code. Third, we demonstrate the threat of Rowhammer-based attacks in security-sensitive applications and how to enable a partitioning policy in the system’s physical memory allocator to effectively and efficiently defend against such attacks. We demonstrate feasibility and real-world performance through our prototype for the popular and widely used Linux kernel. Finally, we develop a side-channel defense to eliminate Meltdown-style cache attacks by strictly isolating the address space of kernel and user memory.

Place of Publication: Darmstadt
Divisions: 20 Department of Computer Science
20 Department of Computer Science > System Security Lab
Date Deposited: 24 Mar 2019 20:55
Official URL: https://tuprints.ulb.tu-darmstadt.de/8482
URN: urn:nbn:de:tuda-tuprints-84825
Referees: Sadeghi, Prof. Dr. Ahmad-Reza and Holz, Prof. Dr. Thorsten
Refereed / Verteidigung / mdl. Prüfung: 13 February 2019
Alternative Abstract:
Alternative abstract Language
Softwarebasierte Laufzeitangriffe stellen Rechnerplattformen seit mehr als drei Jahrzehnten vor große Sicherheitsprobleme. In Form weit verbreiteter Offensivtechniken wie Return-Oriented Programming, die Programmierfehler durch bösartige Eingaben gezielt ausnutzen, können Angreifer im Extremfall so die vollständige Kontrolle über die Plattform erlangen. Daher wurden über die Jahre eine Vielzahl von Defensivmaßnahmen wie Control-Flow Integrity und Fine-Grained Randomization vorgeschlagen und die Effektivität dieser Schutzmechanismen war lange Zeit Gegenstand intensiver Forschungsarbeit. In jüngster Zeit wurden jedoch eine Reihe zunehmend ausgefeilterer Angriffe auf Hardwareschwachstellen aus Software heraus vorgestellt, die bei Beibehaltung des Angreifersmodells zur kompletten Kompromittierung dieser Systeme führen können. Diese neuartige Entwicklung stellt bestehende Verteidigungen, die traditionelle Softwareangriffe annehmen, somit in der Praxis vor große Herausforderungen. Diese Dissertation erforscht eine Reihe solcher neuartigen Angriffsszenarien, um die reale Bedrohung auf das Betriebssystem trotz bestehender Verteidigungsmechanismen abschätzen zu können. Insbesondere geht die Arbeit im ersten Teil auf die Problematik sogenannter Data-Only Angriffe im Kontext von Defensivmaßnahmen wie Control-Flow Integrity ein und demonstriert, wie diese unter Ausnutzung von Softwarefehlern vollständig ausgehebelt werden können. Der zweite Teil erforscht die Bedrohung von Laufzeitangriffen durch Hardwarefehler, auch in Abwesenheit von Softwarefehlern auf welche sich bisherige Verteidigungen beschränken. Um die bisherigen Problem in den vorhandenen Schutzmechanismen anzugehen wurden neue Designstrategien entwickelt, mit Hilfe derer sich das Betriebssystem vor solch weiterführenden Angriffen durch geeignete Maßnahmen in Software schützen kann. Zunächst demonstrieren wir eine randomisierungsbasierte Verteidigung gegen Data-Only Angriffe auf Seitentabellen. Des weiteren wird ein Framework zur automatisierten Identifikation von Softwarefehlern im Betriebssystem anhand des Quelltexts auf Basis des LLVM Compilers vorgestellt. Außerdem erforscht die Arbeit eine Absicherung des Betriebbsystems vor Seitenkanalangriffen durch geeignete Isolation des Addressraumes. Ferner entwickeln wir eine Schutzmaßnahme vor Rowhammer-basierten Angriffen auf das OS, indem der physische Speicherallokator des Systems um eine Partitionierungsstrategie erweitert wird.German
Export:

Optionen (nur für Redakteure)

View Item View Item