Enhanced Operating System Security Through Efficient and Fine


Enhanced Operating System Security Through Efficient and Fine-grained Address Space Randomization
Cristiano Giuffrida
Anton Kuijsten
Andrew S. Tanenbaum
Usenix Security 2012
Introduction
• Kernel-level Exploitation
• Existing Countermeasures
• Preserving kernel code integrity [SecVisor, NICKLE, hvmHarvard].
• Kernel hook protection [HookSafe, HookScout, Indexed hooks].
• Control-flow integrity [SBCFI].
• No comprehensive memory error protection.
• Virtualization support required, high overhead.
Address Space Randomization
• Well-established defense mechanism against memory error exploits.
• Application-level support in all the major operating systems.
• The operating system itself typically not randomized at all.
• Only recent Windows releases perform basic text randomization.
• Goal: Fine-grained ASR for operating systems
Challenges
• Instrumentation
• Lightweight
• Information leakage
• Fine-grain and rerandomization
• Brute force
• Crash kernel
A Design for OS-level ASR
• Make both location and layout of memory objects unpredictable.
• LLVM-based link-time transformations for safe and efficient ASR.
• Minimal amount of untrusted code exposed to the runtime.
• Live rerandomization to maximize unobservability of the system.
• No changes in the software distribution model.
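Added example (not from the slides and not the paper's implementation): a user-space C model of the first design bullet above, randomizing both where a component's static objects start (location) and their order and spacing (layout), with each new seed standing in for one rerandomization pass. The object names, PAD_MAX and the xorshift32 generator are assumptions made for illustration; a real system would draw from a proper entropy source.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed sample: static objects of one OS component (hypothetical names). */
struct obj { const char *name; uint32_t size, align; };   /* align: power of two */
static const struct obj OBJS[] = {
    {"proc_table", 4096, 8}, {"irq_hooks", 256, 8},
    {"ipc_buf", 512, 4},     {"debug_flag", 1, 1},
};
#define NOBJ (sizeof OBJS / sizeof OBJS[0])
#define PAD_MAX 64u   /* assumed: start offset and gaps are 0..63 bytes */

/* xorshift32: deterministic stand-in for a real entropy source (seed != 0). */
static uint32_t rng_next(uint32_t *s) {
    *s ^= *s << 13; *s ^= *s >> 17; *s ^= *s << 5;
    return *s;
}

/* Random start (location), random order and random gaps (layout).
 * off[i] receives the offset of OBJS[i]; returns the bytes consumed. */
uint32_t randomize_layout(uint32_t seed, uint32_t off[NOBJ]) {
    size_t order[NOBJ];
    uint32_t cur = rng_next(&seed) % PAD_MAX;
    for (size_t i = 0; i < NOBJ; i++) order[i] = i;
    for (size_t i = NOBJ - 1; i > 0; i--) {            /* Fisher-Yates shuffle */
        size_t j = rng_next(&seed) % (i + 1), t = order[i];
        order[i] = order[j]; order[j] = t;
    }
    for (size_t k = 0; k < NOBJ; k++) {
        const struct obj *o = &OBJS[order[k]];
        cur = (cur + o->align - 1) & ~(o->align - 1);  /* preserve alignment */
        off[order[k]] = cur;
        cur += o->size + rng_next(&seed) % PAD_MAX;    /* random padding */
    }
    return cur;
}

/* Returns 1 if every object is aligned and no two objects overlap. */
int layout_is_valid(const uint32_t off[NOBJ]) {
    for (size_t i = 0; i < NOBJ; i++) {
        if (off[i] % OBJS[i].align) return 0;
        for (size_t j = i + 1; j < NOBJ; j++)
            if (off[i] < off[j] + OBJS[j].size && off[j] < off[i] + OBJS[i].size)
                return 0;
    }
    return 1;
}
```

Calling randomize_layout again with a fresh seed models one rerandomization pass: an offset learned from the previous layout no longer points at the same object.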
Discussion
• Not tested on real kernel exploit, to provide evaluation on the performance
• How to check the interval of rerandomization
• Hard to do, need threat model and per-component based testing
• Good for tuning for unpatched kernel
Discussion
• Rerandomization failure
• Make sure this rerandomization process can start
• Corrupt state can affect the migration
• Time out and abort
• Multicore
• Synchronize the states, per-components replica
• Future work
Discussion
• Rerandomization can be improved
• Need to care about the randomization, as the entropy. Randomization pool can be used up.
• More questions?
Discussion
• Just-In-Time Code Reuse: On the Effectiveness of Fine-Grained Address Space Layout Randomization
• Kevin Z. Snow et al.
• 2013 IEEE Symposium on Security and Privacy
• Evaluation