Lord of the X86 Rings: A Portable User Mode
Privilege Separation Architecture on X86
Memory Defense Paper Sharing (I), CCS 2018
Hojoon Lee, Chihyun Song, Brent Byunghoon Kang
Presented by Xingman Chen
2018-10-09
In-Process Isolation
● Most attacks against
○ Control Flow
■ Control flow hijack/bending
○ Data Flow
■ Non-control data attack
● Sensitive data in memory
○ Cryptographic keys
○ Function table
○ Control flow integrity mitigation metadata
○ (Un)trusted libs
● Need to be protected
3
Motivations
● Heartbleed vulnerability
○ A malicious memcpy(bp, pl, payload) in
OpenSSL nearly brought down HTTPS
○ Sensitive data: Private key
4
Motivations
● Metadata Protection
○ Shadow Stack
■ Backup return address to avoid ret based
control flow hijack
■ Sensitive data: backup return address
○ Code Pointer Integrity
■ Move code pointer and indirect code
pointers to safe region
■ Sensitive data: safe region
5
Motivations
● Untrusted Library
○ Black Hat '17 by Chaitin: Many Birds, One Stone: Exploiting a Single SQLite Vulnerability
Across Multiple Software
○ CVE-2015-7036
■ SQLite fts3_tokenizer Untrusted Pointer Remote Code Execution Vulnerability
7
In-Process Isolation: Approaches
● Software based
○ Randomization based
■ e.g. ASLR
○ Instrument non-sen code with bounds
checks prior to indirect memory
accesses
■ e.g. Software Fault Isolation (SFI)
● OS/Hardware based
○ OS feature based: paging- or
segmentation-based approaches
○ Hardware feature based
■ e.g. Intel MPX (CFIXX), SGX, CET,
MPK; ARM Memory Domain (Shred)
[Figure: application split into Sen-Code (sensitive-data-related code) with Sen Memory, and Non-Sen Code with Non-Sen Memory]
9
Lord of the x86 Rings: A Portable User Mode Privilege
Separation Architecture on x86
● Presents LOTRx86, a novel approach that establishes a new user privilege
layer which safeguards access to sensitive data, achieving in-process privilege
separation
● OS feature based
● Features
○ No extra hardware feature needed
○ Fast: average of 30.40% overhead on an Intel processor
10
Motivation
● Randomization based: Weak
● SFI: High overhead
● Hardware feature based: Not portable
● LOTRx86: Trade-off
○ Portable approach based on segmentation & paging features
○ Harnesses the underused x86 intermediate Rings (Ring1 and Ring2)
11
Preliminaries: Addressing in x86
● Segmentation in x86 (IA-32, 386)
○ DPL (Descriptor Privilege Level): in the GDT/LDT
○ CPL (Current Privilege Level): 2 bits in the segment
register (cs)
○ RPL (Requested Privilege Level)
12
Preliminaries: Addressing in x86
● Paging in x86
○ 2-level page table
■ User/Supervisor bit: privilege
required for accessing this page
13
Preliminaries: Addressing in x64
● x64 (x86_64, amd64 / IA-32e, EM64T): weakened segmentation
○ Treats the segment base of CS, DS, ES, SS as zero, creating a linear address
○ Used only for memory protection
○ CPL remains
■ DPL: valid for code segment descriptors, ignored for data segment descriptors
15
Preliminaries: Callgate
● Call gate: privilege escalation &
de-escalation
○ Call gate descriptor defined in the
GDT/LDT
○ DPLg: minimum privilege requirement
○ Stack pivot after
escalation/de-escalation
16
Preliminaries: Inter-bitness control transfer
● Bitness (32/64): defined by the
currently active code segment
descriptor
○ L bit
○ A call gate cannot target a 32-bit code
segment in long mode (64-bit)
17
Threat Model & Target
● Threat Model
○ Arbitrary code execution
● Security Guarantee
○ User mode cannot directly access a
protected region
18
Design
● Establishing PrivUser memory
space
○ M-SR1. User mode must not be able
to access PrivUser memory
■ set the S-page PTE S-bit (U/S = supervisor)
○ M-SR2. PrivUser mode must not be
able to access kernel memory space
■ set the PrivUser code page as a
32-bit, segmentation-enabled
code segment
● run 32-bit code with a
special segment (cs)
20
Design
● Challenges
○ Hardware constraint: the 32-bit call gate is
disabled in long mode, so a 64-bit call gate
has to be introduced
○ Potential risk: any non-ring-3 64-bit
code can access kernel memory
■ if PrivUser jumps into the 64-bit call
gate area instead of the call gate entry,
it can access kernel memory
● Solution: inescapable segmentation
enforcement
○ A ring-1 call gate (x64) with lret
22
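As an added example (not the paper's or the LOTRx86 project's code), the C model below encodes the x86 checks the preliminaries and design slides rely on: DPL/CPL/RPL for segment loads and call gates, the far-return (lret) rule used by the ring-1 call gate, the U/S page bit behind M-SR1 and the 32-bit segment limit behind M-SR2. Descriptor values, limits and addresses are constructed for illustration; SMAP/SMEP are not modelled.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model of the x86 privilege checks behind LOTRx86 (added example,
 * not the paper's code). Descriptor values below are constructed. */

typedef struct {
    uint32_t limit;     /* last valid offset; enforced only in 32-bit compat mode */
    int      dpl;       /* descriptor privilege level, 0..3 */
    bool     long_mode; /* access made from a 64-bit (L bit) code segment: no limit check */
} segment_t;

typedef struct {
    bool present;
    bool user;          /* U/S bit: 1 = user page, 0 = supervisor-only (S-page) */
} pte_t;

static int max_priv(int cpl, int rpl) { return cpl > rpl ? cpl : rpl; }

/* Data segment load: max(CPL, RPL) must be numerically <= DPL. */
bool can_load_data_segment(int cpl, int rpl, const segment_t *seg) {
    return max_priv(cpl, rpl) <= seg->dpl;
}

/* CALL through a call gate: the caller must satisfy the gate's DPLg and
 * the target code segment may not be less privileged than the caller. */
bool can_use_call_gate(int cpl, int rpl, int dpl_gate, int target_dpl) {
    return max_priv(cpl, rpl) <= dpl_gate && target_dpl <= cpl;
}

/* Far return (lret) de-escalation: the RPL of the return CS selector
 * becomes the new CPL and may only move to an equal or lower ring. */
bool can_far_return(int cpl, int return_cs_rpl) {
    return return_cs_rpl >= cpl;
}

/* Paging: a supervisor-only page is reachable from CPL 0, 1 and 2; only
 * ring 3 is refused (#PF). This is M-SR1: setting the S-bit on PrivUser
 * pages locks out ring 3 while ring 1 still gets in. SMAP/SMEP ignored. */
bool page_access_allowed(int cpl, const pte_t *pte) {
    if (!pte->present) return false;
    return pte->user || cpl < 3;
}

/* A data access through a 32-bit compat segment is bounded by its limit
 * (#GP beyond it) before paging is consulted. Kernel addresses sit far
 * above any 32-bit limit, which is how M-SR2 keeps PrivUser out of kernel
 * memory even though ring 1 counts as "supervisor" to the paging unit. */
bool data_access_allowed(int cpl, const segment_t *seg, uint64_t offset,
                         const pte_t *pte) {
    if (!seg->long_mode && offset > seg->limit) return false;
    return page_access_allowed(cpl, pte);
}

int main(void) {
    /* Constructed descriptors: a PrivUser (ring 1) compat data segment
     * and a ring 0 access from 64-bit code; the page is supervisor-only. */
    const segment_t privuser_ds = { .limit = 0x7fffffffu, .dpl = 1, .long_mode = false };
    const segment_t kernel_ds   = { .limit = 0xffffffffu, .dpl = 0, .long_mode = true };
    const pte_t s_page = { .present = true, .user = false };
    const uint64_t spage_off  = 0x10000000u;           /* inside the 32-bit limit */
    const uint64_t kernel_off = 0xffff800000000000ull; /* beyond any 32-bit limit */

    printf("ring3 reads S-page      : %d\n", page_access_allowed(3, &s_page));
    printf("ring1 reads S-page      : %d\n", data_access_allowed(1, &privuser_ds, spage_off, &s_page));
    printf("ring1 reads kernel      : %d\n", data_access_allowed(1, &privuser_ds, kernel_off, &s_page));
    printf("ring0 reads kernel      : %d\n", data_access_allowed(0, &kernel_ds, kernel_off, &s_page));
    printf("ring3 enters ring1 gate : %d\n", can_use_call_gate(3, 3, 3, 1));
    printf("ring1 lret to ring3     : %d\n", can_far_return(1, 3));
    return 0;
}
```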
Implementation
● Components
○ lotr-kmod: builds the PrivUser space
■ space size is fixed
■ generates the LDT, initializes the S-page PTEs, initializes ring 1 and ring 2
○ liblotr: utility functions for initializing the PrivUser space, entering it, etc.
○ lotr-libc: private libc, not scalable
○ kernel modification: mmap/mprotect are made to bypass it and return an error
24
Implementation
● Components
○ lotr-build: create 32-bit machine code
25
Evaluation
● Micro-benchmark
○ compare with a normal function call
■ But why does Intel differ from AMD?
26
[Figure: micro-benchmark chart; series labelled "no cache" and "opt"]
Evaluation
● Micro-benchmark
○ compare with a normal function call
27
Evaluation
● LOTRx86 enabled web server
○ latency: response time
28
Discussion
● Portable but not scalable
○ e.g. Size, Libc, argument passing
● Low automation
● High Overhead: 35%
29
Thanks!
30
