Protecting Commodity Operating System Kernels from Vulnerable


Shakeel Butt @ Rutgers University
Vinod Ganapathy @ Rutgers University
Michael M. Swift @ University of Wisconsin-Madison
Chih-Cheng Chang @ Rutgers University
ACSAC 2009
- Introduction
- Background and scope
- Design
- Implementation
- Evaluation
- Related Work
- Summary
- Device drivers execute with kernel privilege in most commodity operating systems and have unrestricted access to kernel data structures.
- Propose a security architecture that offers commodity operating systems the benefits of executing device drivers in user mode without affecting common-case performance.
- Threats at the kernel/driver interface
  - Kernel data structures are routinely updated by device drivers, and the kernel imposes no restrictions on the memory regions accessible to drivers or devices.
- Threats at the driver/device interface
  - A compromised driver can maliciously modify the state of the device.
- Goals
  - Kernel data structure integrity
  - Good common-case performance
  - Compatibility
- Architecture
  - Microdriver: consists of a k-driver (kernel mode) and a u-driver (user mode)
  - Microdriver runtime
    - Communication
    - Object tracking
  - RPC monitor
    - Monitors data transfer
    - Monitors control transfer
- Background on Microdrivers
  - Microdriver split tool: DriverSlicer
    - Splitter
    - Code generator
  - Invariant inference tool: Daikon
    - Front end
    - Inference engine
- Monitoring kernel data structure updates
  - Training phase
    - Inferring data structure integrity constraints
      - Constancy of scalars and pointers
      - Relationships between variables
      - Ranges/sets of values
      - Linked list invariants
  - Enforcement phase
    - Enforcing data structure integrity constraints
      - Invariant table
      - Vault table
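The two phases above, as an added example that is not code from the paper or the Microdrivers project: a toy model in which the RPC monitor records snapshots of a driver-owned kernel object at each kernel/u-driver crossing (training), infers constancy, small-set and range invariants from them in the style of Daikon, keeps a trusted copy of every constant field in a "vault", and rejects an object handed back by the u-driver if it violates an invariant (enforcement). The object, its field names, the sample values, the threshold for "small set" and the linked-list representation are all constructed assumptions for the demo.

```python
# Added example (not from the paper): training-phase invariant inference and
# enforcement-phase checking for a driver-updated kernel object.
# Every structure, field name and value below is constructed for the demo.

# Training phase: snapshots of a hypothetical net_device-like object as seen by
# the RPC monitor each time control crosses the kernel/u-driver boundary.
TRAINING_SNAPSHOTS = [
    {"mtu": 1500, "irq": 11, "open": 0xC0103A20, "tx_queue_len": 1000, "state": 1, "rx_pending": 3},
    {"mtu": 1500, "irq": 11, "open": 0xC0103A20, "tx_queue_len": 1000, "state": 2, "rx_pending": 7},
    {"mtu": 1500, "irq": 11, "open": 0xC0103A20, "tx_queue_len": 1000, "state": 2, "rx_pending": 0},
    {"mtu": 1500, "irq": 11, "open": 0xC0103A20, "tx_queue_len": 1000, "state": 3, "rx_pending": 12},
    {"mtu": 1500, "irq": 11, "open": 0xC0103A20, "tx_queue_len": 1000, "state": 2, "rx_pending": 5},
]

SET_THRESHOLD = 3  # assumption: <= this many distinct values yields a "one of" invariant


def infer_invariants(snapshots):
    """Daikon-style inference over the invariant kinds modelled here:
    constancy of a scalar or pointer, membership in a small set, numeric range."""
    invariants = {}
    for name in snapshots[0]:
        values = [s[name] for s in snapshots]
        distinct = set(values)
        if len(distinct) == 1:
            invariants[name] = ("const", values[0])
        elif len(distinct) <= SET_THRESHOLD:
            invariants[name] = ("set", frozenset(distinct))
        else:
            invariants[name] = ("range", min(values), max(values))
    return invariants


def build_vault(invariants):
    """The vault holds the kernel's own trusted copy of every field inferred
    constant (function pointers included); the driver-supplied value for such
    a field is compared against it and never trusted on its own."""
    return {name: rule[1] for name, rule in invariants.items() if rule[0] == "const"}


def list_is_acyclic(next_of, head):
    """Linked-list invariant: walking next pointers from head terminates.
    next_of maps a node id to its successor; a missing key or None is NULL."""
    seen = set()
    node = head
    while node is not None:
        if node in seen:
            return False
        seen.add(node)
        node = next_of.get(node)
    return True


def check_update(invariants, vault, proposed):
    """Enforcement phase: return the invariants violated by an object the
    u-driver hands back to the kernel; an empty list means the update is accepted."""
    violations = []
    for name, rule in invariants.items():
        if name not in proposed:
            violations.append(f"{name}: field missing")
            continue
        value = proposed[name]
        kind = rule[0]
        if kind == "const" and value != vault[name]:
            violations.append(f"{name}: constant {vault[name]!r} changed to {value!r}")
        elif kind == "set" and value not in rule[1]:
            violations.append(f"{name}: {value!r} not in {sorted(rule[1])}")
        elif kind == "range" and not (rule[1] <= value <= rule[2]):
            violations.append(f"{name}: {value!r} outside [{rule[1]}, {rule[2]}]")
    return violations


if __name__ == "__main__":
    inv = infer_invariants(TRAINING_SNAPSHOTS)
    vault = build_vault(inv)
    benign = dict(TRAINING_SNAPSHOTS[0], rx_pending=9, state=3)
    tampered = dict(TRAINING_SNAPSHOTS[0], open=0xDEADBEEF)  # function pointer rewritten
    print("benign:", check_update(inv, vault, benign))
    print("tampered:", check_update(inv, vault, tampered))
    print("acyclic:", list_is_acyclic({1: 2, 2: 3, 3: None}, 1))
```

The range invariant also shows where the false positives discussed later come from: a benign `rx_pending` of 13 is rejected simply because training never observed a value above 12, so the quality of the training workload bounds the precision of enforcement.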
- Monitoring control transfers
  - Extracting control transfer policies
    - Static analysis
  - Enforcing control transfer policies
    - Upcall
    - Downcall
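Control-transfer enforcement, as an added example that is not code from the paper: a toy RPC monitor that holds a policy (standing in for the output of static analysis) listing, for each u-driver entry point, the kernel functions it may downcall. A downcall is allowed only while an upcall into that entry point is in progress and only if the policy lists the target, which is what stops a compromised u-driver from injecting downcalls of its own choosing. The policy format, the entry point and kernel function names, and the assumption that a downcall is attributed to the innermost in-progress upcall are all constructed for the demo.

```python
# Added example (not from the paper): a toy RPC monitor enforcing control
# transfer policies on upcalls (kernel -> u-driver) and downcalls
# (u-driver -> kernel). Names and policy format are constructed assumptions.

# Stand-in for the statically extracted policy: for each u-driver entry point,
# the kernel functions it may legitimately downcall while it is executing.
DOWNCALL_POLICY = {
    "drv_open":       {"request_irq", "netif_start_queue", "pci_set_master"},
    "drv_start_xmit": {"netif_stop_queue", "dev_kfree_skb"},
    "drv_interrupt":  {"netif_rx", "netif_wake_queue"},
    "drv_close":      {"free_irq", "netif_stop_queue"},
}

# Entry points the kernel is permitted to upcall into the u-driver.
UPCALL_ENTRY_POINTS = frozenset(DOWNCALL_POLICY)


class RpcMonitor:
    """Mediates every control transfer between k-driver and u-driver."""

    def __init__(self, downcall_policy, upcall_entry_points):
        self.policy = downcall_policy
        self.entry_points = upcall_entry_points
        self.active = []   # stack of u-driver entry points currently executing
        self.log = []      # audit trail of allow/deny decisions

    def upcall(self, entry_point):
        """Kernel asks to transfer control into the u-driver."""
        if entry_point not in self.entry_points:
            self.log.append(("deny-upcall", entry_point))
            return False
        self.active.append(entry_point)
        self.log.append(("allow-upcall", entry_point))
        return True

    def upcall_return(self):
        """The u-driver entry point returned to the kernel."""
        if self.active:
            self.active.pop()

    def downcall(self, kernel_function):
        """u-driver asks the kernel to run kernel_function. Assumption: the
        request is attributed to the innermost upcall still in progress, so a
        downcall with no upcall in progress is rejected outright."""
        if not self.active:
            self.log.append(("deny-downcall-no-upcall", kernel_function))
            return False
        current = self.active[-1]
        if kernel_function not in self.policy.get(current, set()):
            self.log.append(("deny-downcall", current, kernel_function))
            return False
        self.log.append(("allow-downcall", current, kernel_function))
        return True


def denied_count(monitor):
    """Number of denied transfers recorded so far (for reporting)."""
    return sum(1 for entry in monitor.log if entry[0].startswith("deny"))


if __name__ == "__main__":
    m = RpcMonitor(DOWNCALL_POLICY, UPCALL_ENTRY_POINTS)
    m.downcall("request_irq")          # denied: no upcall in progress
    m.upcall("drv_open")
    m.downcall("request_irq")          # allowed by drv_open's policy
    m.downcall("netif_rx")             # denied: not reachable from drv_open
    m.upcall_return()
    for entry in m.log:
        print(entry)
    print("denied:", denied_count(m))
```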
- Evaluation conducted on four drivers
  - RealTek RTL-8139 (8139too)
  - RealTek RTL-8139C+ (8139cp)
  - Ensoniq sound card (ens1371)
  - USB interface (uhci-hcd)
- Privilege separation
- Ability to prevent attacks
  - Control hijacking via injected downcalls
  - Control hijacking via modified function pointers
  - Non-control data attacks
- False positives and negatives
- Performance
  - TCP receive and send buffer sizes of 87KB and 16KB, respectively
  - Copy a 140MB file onto a USB disk
  - Play a 256-Kbps MP3
- Hardware-based isolation techniques
- Virtual machine-based techniques
- Language-based mechanisms
- Microkernels
- User-mode driver frameworks
- Better isolates kernel data from device drivers without sacrificing performance.
- Compatible with commodity operating systems.