Protecting Commodity Operating System Kernels from Vulnerable
Shakeel Butt @ Rutgers University
Vinod Ganapathy @ Rutgers University
Michael M. Swift @ University of Wisconsin-Madison
Chih-Cheng Chang @ Rutgers University
ACSAC 2009
Introduction
Background and scope
Design
Implementation
Evaluation
Related Work
Summary
Device drivers execute with kernel privilege in most
commodity operating systems and have unrestricted
access to kernel data structures.
Propose a security architecture that offers commodity
operating systems the benefits of executing device
drivers in user mode without affecting common-case
performance
Threats at the kernel/driver interface
Kernel data structures are routinely updated by device
drivers, and the kernel imposes no restrictions on the
memory regions accessible to drivers or devices.
Threats at the driver/device interface
A compromised driver can maliciously modify the state
of the device
Goals
Kernel data structure integrity
Good common-case performance
Compatibility
Architecture
Microdriver
Consists of a k-driver (kernel mode) and a u-driver (user mode)
Microdriver runtime
Communication
Object tracking
RPC monitor
Monitor data transfer
Monitor control transfer
Background on Microdrivers
Microdriver split tool - DriverSlicer
Splitter
Code generator
Invariant inference tool – Daikon
Front end
Inference engine
Monitoring kernel data structure updates
Training phase
Inferring data structure integrity constraints
Constancy of scalars and pointers
Relationships between variables
Ranges/sets of values
Linked list invariants
Enforcement phase
Enforcing data structure integrity constraints
Invariant table
Vault table
Monitoring control transfers
Extracting control transfer policies
Static analysis
Enforcing control transfer policies
Upcall
Downcall
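The enforcement side of both mechanisms above (the invariant table and vault table used to monitor data transfers, and the policy used to monitor control transfers through downcalls), as an added user-space model in C. This is not the paper's code or the Microdrivers runtime: the struct `netdev` and its field names are hypothetical, the invariant entries are hand-written rather than inferred by Daikon, the vault is modelled as a copy of the object stashed when it was marshalled to the u-driver, and the downcall policy pairs stand in for what the paper extracts by static analysis.

```c
/* Added example, not from the paper: user-space model of the RPC monitor's
 * enforcement phase. Names, invariants and policy entries are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for a kernel object whose copy the u-driver may modify
 * (hypothetical fields, loosely modelled on a network device). */
struct netdev {
    uint32_t mtu;                 /* range invariant: 68..1500 */
    uint32_t tx_queue_len;        /* relationship: <= max_queue_len */
    uint32_t max_queue_len;       /* constant after initialisation */
    int (*open)(struct netdev *); /* constant: set once by the kernel */
    struct netdev *next;          /* linked list: known members, no cycle */
};

enum inv_kind { INV_CONST, INV_RANGE, INV_LE };  /* subset of the slide's classes */

struct invariant {
    enum inv_kind kind;
    size_t off, len;   /* checked field */
    size_t off2;       /* second field for INV_LE */
    uint32_t lo, hi;   /* bounds for INV_RANGE */
};

#define FIELD(f) offsetof(struct netdev, f), sizeof(((struct netdev *)0)->f)

/* Invariant table; in the paper inferred by Daikon during training. */
static const struct invariant inv_table[] = {
    { INV_CONST, FIELD(max_queue_len), 0, 0, 0 },
    { INV_CONST, FIELD(open),          0, 0, 0 },
    { INV_RANGE, FIELD(mtu),           0, 68, 1500 },
    { INV_LE,    FIELD(tx_queue_len),  offsetof(struct netdev, max_queue_len), 0, 0 },
};

static uint32_t rd32(const void *obj, size_t off)
{
    uint32_t v;
    memcpy(&v, (const char *)obj + off, sizeof v);
    return v;
}

/* Data transfer check: vault is the copy stashed when the object was marshalled
 * out; from_u is what the u-driver hands back. Returns 0 if every invariant
 * holds, else 1 + index of the first violated entry (the monitor would reject). */
int check_copy_back(const struct netdev *vault, const struct netdev *from_u)
{
    const char *v = (const char *)vault, *u = (const char *)from_u;
    for (size_t i = 0; i < sizeof inv_table / sizeof inv_table[0]; i++) {
        const struct invariant *iv = &inv_table[i];
        bool ok = false;
        switch (iv->kind) {
        case INV_CONST: ok = memcmp(v + iv->off, u + iv->off, iv->len) == 0; break;
        case INV_RANGE: ok = rd32(u, iv->off) >= iv->lo && rd32(u, iv->off) <= iv->hi; break;
        case INV_LE:    ok = rd32(u, iv->off) <= rd32(u, iv->off2); break;
        }
        if (!ok)
            return (int)i + 1;
    }
    return 0;
}

/* Linked list invariant: every node reached via next must be an object the
 * kernel knows, and the walk must terminate (no cycle injected by the u-driver). */
bool list_well_formed(const struct netdev *head,
                      const struct netdev *const *known, size_t nknown)
{
    size_t hops = 0;
    for (const struct netdev *p = head; p; p = p->next) {
        bool found = false;
        for (size_t i = 0; i < nknown; i++)
            if (known[i] == p) found = true;
        if (!found || ++hops > nknown)
            return false;  /* foreign pointer, or more nodes than exist */
    }
    return true;
}

/* Control transfer check: which kernel functions each u-driver entry point may
 * downcall into (constructed table; the paper derives it by static analysis). */
enum uentry { U_OPEN, U_XMIT };
enum kfunc  { K_ALLOC_SKB, K_NETIF_START, K_KFREE, K_SET_HOOK };

static const struct { enum uentry from; enum kfunc to; } policy[] = {
    { U_OPEN, K_NETIF_START }, { U_XMIT, K_ALLOC_SKB }, { U_XMIT, K_KFREE },
};

bool downcall_allowed(enum uentry from, enum kfunc to)
{
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++)
        if (policy[i].from == from && policy[i].to == to)
            return true;
    return false;  /* e.g. an injected downcall from a compromised u-driver */
}

static int dummy_open(struct netdev *d) { (void)d; return 0; }

int main(void)
{
    struct netdev vault = { 1500, 10, 64, dummy_open, NULL }, u = vault;
    printf("unchanged copy: %d\n", check_copy_back(&vault, &u));
    u.open = NULL;  /* u-driver tampered with a kernel function pointer */
    printf("modified open(): violation %d\n", check_copy_back(&vault, &u));
    printf("U_OPEN -> K_SET_HOOK allowed: %d\n", downcall_allowed(U_OPEN, K_SET_HOOK));
    return 0;
}
```

The constancy entries are what defeat the "modified function pointer" attack class from the evaluation: a u-driver can scribble over its copy of `open`, but the monitor compares it against the vault before anything is copied back into kernel memory. The downcall table covers the "injected downcall" class: a call that no static path in the driver makes is refused regardless of its arguments.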
Evaluation conducted on four drivers:
RealTek RTL-8139 (8139too)
RealTek RTL-8139C+ (8139cp)
Ensoniq sound card (ens1371)
USB interface (uhci-hcd)
Privilege separation
Ability to prevent attacks
Control hijacking via injected downcalls
Control hijacking via modified function pointers
Non-control data attacks
False positives and negatives
Performance
TCP receive and send buffer sizes of 87KB and 16KB,
respectively.
Copy a 140MB file into a USB disk
Play a 256-Kbps MP3
Hardware-based isolation techniques
Virtual machine-based techniques
Language-based mechanisms
Microkernels
User-mode driver frameworks
Better isolates kernel data from device drivers without
sacrificing performance.
Compatible with commodity operating systems.