Analyzing Kernel Security and Approaches for Improving it


Published on

This presentation gives a basic detail on kernel security and different approaches to improving it.

Published in: Education, Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Analyzing Kernel Security and Approaches for Improving it

  1. 1. Analyzing Kernel Security and Approaches for Improving It Milan Rajpara IT Systems and Network Security Gujarat Technological University C DAC Ahmedabad Pune
  2. 2. Agenda • Kernel Introduction • Necessity for Kernel Security • Kernel breach • Analyzing Kernel Security • Improving Approaches • Future Work Milan Rajpara October 8, 2013 2
  3. 3. What is Kernel ? • A computer program that manages input/output requests from software and translates them into data processing instructions for the central processing unit and other electronic components of a computer. [Wikipedia] • The kernel is a fundamental part of a modern computer's operating system. • OS rests on a outer ring, and application above that. Fig: Privilege rings for the x86 available in protected mode [Source: Wikipedia] Milan Rajpara October 8, 2013 3
  4. 4. Necessity for Kernel Security • Kernel, a vary basic (core) part of the Operating Systems • Single vulnerability will be exposes large number of systems • Increasing of Cloud Usage with Virtual Systems • Smartphones now is in every hand Milan Rajpara October 8, 2013 4
  5. 5. We talk on .. • Kernels for General Purpose Operating System • Some Linux flavor gives Server Optimized Kernel • Ex. Ubuntu older then 12.04, were gave this option. Since 12.04, linux-image-server is merged into linuximage-generic, there is no difference between Generic and Server kernel. [4] • Windows do not disclose. • Kernels which Constructed in C language • Almost kernels are in C • Improvement for Monolithic kernels • All work performed in Virtual environment • The Xen, and VMware used Milan Rajpara October 8, 2013 5
  6. 6. How Kernel Affected ? • By Kernel level rootkits • Manipulating pointers • Manipulating data • Direct Kernel Object Manipulation (DKOM) • By Boot-kits • Via hooking techniques • Direct Hardware or Firmware injection Milan Rajpara October 8, 2013 6
  7. 7. Effect of this Attacks • Escalate a process’ privileges by overwriting the process’ credentials • Hide itself by illicitly removing data structures identifying their presence from loaded drivers • Eliding task structures for the processes from the kernel’s process accounting list • Alter the overall behavior of OS without injecting any malicious code into the kernel address space, by just pointer manipulating. Milan Rajpara October 8, 2013 7
  8. 8. How to analyze the Kernel Security • Find the most critical objects of the kernel, without prior knowledge of the OS kernel data layout in memory • Identifying OS Kernel Objects for Run-time Security Analysis • Sort-out objects which are vulnerable to hijack • Do Kernel Data Disambiguation • This will make the system easy to analyze Milan Rajpara October 8, 2013 8
  9. 9. Most critical objects in Kernel • Windows and Linux, the core kernel part are mostly written in C • 40% inter-data structure relations are Pointer based • 35% of these are Generic Pointers • Pointers which defines at run time, no initial value or data type is associated • 28% kernel data structure are well known objects Milan Rajpara October 8, 2013 9
  10. 10. Generic Pointer Problem • It is the weak link in kernel security • Use of void pointers *, assists hackers to point somewhere else • Use of NULL pointers (to implements linklist), helps hackers to hide / change runtime objects. • Use of Casting in C • Enables the hackers to exploit data structure layout in physical memory Milan Rajpara October 8, 2013 10
  11. 11. To Find Critical Objects 1. Memory Mapping techniques • Travers address space from global variables via pointer dereferencing until reaching running object. • according to a predefined kernel data definition for each kernel version. 2. Value Invariant Approaches • Use the value invariants of certain fields or of a whole data structure as a signature to scan the memory for matching running instances. Ex. DeepScanner, DIMSIM • Drawbacks of this approaches - Not very accurate - Require a predefined definition of the kernel data layout - Not effective when memory mapping and object reachability information is not available. - High performance overhead Milan Rajpara October 8, 2013 11
  12. 12. To Find Critical Objects 3. DIGGER [1] • Uncover all system runtime objects without any prior knowledge of the OS kernel data layout in memory. • First it performs offline and constructs type-graph (which is used to enable systematic memory traversal of the object details). • Then it uses the 4-byte pool memory tagging schema (to uncover kernel runtime objects from the kernel address space.) • (+) • Accurate result • Low performance overhead • Fast and nearly complete coverage Milan Rajpara October 8, 2013 12
  13. 13. DIGGER & KDD • DIGGER uses the KDD (Kernel Data Disambiguator) to precisely models the direct and indirect relations between data structures. • KDD is a static analysis tool that operates offline on an OS kernel’s source code • Generates a type-graph for the kernel data with direct and indirect relations between structures, models data structures [2] • KDD disambiguates pointer-based relations (including generic pointers) • by performing static points-to analysis on the kernel’s source code. • Points-to analysis is the problem of determining statically a set of locations to which a given variable may point to at runtime. Milan Rajpara October 8, 2013 13
  14. 14. KDD Operation Source: Ref [2] AST: Abstract Syntax Tree (high-level intermediate representation for the source code ) Milan Rajpara October 8, 2013 14
  15. 15. KDD Operation • Interprocedural Analysis 1: Takes AST and differentiate it • Gets: Variables, Procedure definition, Procedure call, etc.. . • Interprocedural Analysis 2: Do points-to analysis across different files to perform whole-program analysis. • Context Sensitive Analysis: • It uses Procedure Dependency Graph (PDG) consists of nodes representing the statements of the data dependency in the program. • context-sensitive analysis solves two problems: the calling context and the indirect (implicit) relations between nodes. Milan Rajpara October 8, 2013 15
  16. 16. Soundness and Precision of KDD • The points-to analysis algorithm is sound if the points-to set for each variable contains all its actual runtime targets, and is imprecise if the inferred set is larger than necessary. • Check on C programs from the SPEC2000 and SPEC2006 benchmark suites. • Achieved a high level of precision and 100% of soundness. • And 96% precision on Windows (WRK*, Vista) and Linux kernel (v3.0.22). [2] *WRK – Windows Research Kernel, the only available code from windows [6] Milan Rajpara October 8, 2013 16
  17. 17. DIGGER Approach Source: Ref [1] Milan Rajpara October 8, 2013 17
  18. 18. DIGGER Approach • Static Analysis Component: from KDD • Signature Extraction Component: • When the object manager allocates a memory pool block, it associates with a pool tag (pool tag is a unique four-byte tag for each object type.) Uses this tag to uncover the kernel objects running instances, and they are static and cannot be changed during object runtime. • Dynamic Memory Analysis Component: Extract the object details, • From Pool Tag, it gets the pool block start memory address and the object’s start address. Milan Rajpara October 8, 2013 18
  19. 19. Analyzing Kernel through DIGGER Gives … • Disambiguate the points-to relations between data structures, all without any prior knowledge of the OS kernel data layout. • Robust and quite small signature size to uncover runtime objects, enhancing performance • Able to keep track of all critical objects of kernel Milan Rajpara October 8, 2013 19
  20. 20. Protection of Kernel • Protect the generic pointers. • Microsoft added a feature PatchGuard, which blocks kernel mode drivers from altering sensitive parts of the Windows kernel. • But TDL (rootkit) manages to circumvent this protection as well, by altering a machine's MBR so that it can intercept Windows startup routines. [7] • One approach is use of “Object Partitioning” to protect kernel data structure. [3] • Uses Sentry, that creates access control protections for security-critical kernel data. Milan Rajpara October 8, 2013 20
  21. 21. Sentry Architecture • Sentry protects critical data and enforces data access restrictions based upon the origin of the access within the code of the kernel and its modules or drivers. [3] • The data integrity model is straightforward and matches that of the Biba ring policy [9] • The malicious code that modifies privileges by directly writing to memory is in a loaded module and not in the core kernel code, so Sentry will prevent the write Milan Rajpara October 8, 2013 21
  22. 22. Kernel Memory Access Control • Protect data structure from DCOM • Sentry’s design uses a hypervisor to remain isolated from an untrusted kernel • To keep the overhead low, Sentry uses memory partitioning to lay out sensitive data on separate memory pages and protects those pages using the hypervisor • The policy enforcer mediates attempted writes to protected data and uses the policy to determine when writes should be permitted. Milan Rajpara October 8, 2013 22
  23. 23. Working of Sentry • Identifying Security-Critical Members • Activation of mediated access • Instruction emulation • Secure execution history extraction Milan Rajpara October 8, 2013 23
  24. 24. Evaluation of Sentry • Performance • Low performance overhead • more performance van be achieved by memory layout optimization • False Positive Analysis • There were no instances when security-critical kernel data protected by Sentry was directly modified by a benign driver. • Sentry provided a 100% detection rate for DKOM rootkits Milan Rajpara October 8, 2013 24
  25. 25. Future Work • Detect all kernel data structures automatically, beyond the kernel version • The DIGGER can only be used to analyze Windows Kernels. • The current prototype of Sentry only protects two key structures. • Other kernel data structures may also require similar protection. • This may gives versatile performance of Sentry, (if more data structure included) Milan Rajpara October 8, 2013 25
  26. 26. References [1] Amani S. Ibrahim, James Hamlyn-Harris, John Grundy, Mohamed Almorsy, "Identifying OS Kernel Objects for Run-Time Security Analysis", DOI: 10.1007/978-3-642-34601-9_6 [2] Amani S. Ibrahim, John Grundy, James Hamlyn-Harris, Mohamed Almorsy, "Operating System Kernel Data Disambiguation to Support Security Analysis", DOI: 10.1007/978-3-642-34601-9_20 [3] Abhinav Srivastava, Jonathon Giffin, "Efficient Protection of Kernel Data Structures via Object Partitioning", DOI: 10.1145/2420950.2421012 [4] RFC: Linux kernel merging. [5] Rootkits detail by Symantec [6] Windows Research Kernel [7] TDL Rootkit: [8] Windows hooks: [9] K. J. Biba. Integrity considerations for secure computer systems. Technical Report MTR-3153, Mitre, Apr. 1977 Milan Rajpara October 8, 2013 26
  27. 27. Thank you  Questions __________________________ - Milan Rajpara 27