Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science

Presentation - Prof. Ravi Sandhu

advertisement 
Towards a VMM-based Usage Control
Framework for OS Kernel Integrity Protection
Min Xu
George Mason University
Ravi Sandhu
University of Texas at
San Antonio
Xuxian Jiang
George Mason University
Xinwen Zhang
Samsung Information
Systems of America
SACMAT 2007
Motivations


Ensuring the integrity of kernel resources is a
fundamental goal of OS security
Exploiting a vulnerability allows the attacker to
modify the kernel and core system utilities, hence
compromising the integrity of the entire system

Malware: Worms, Keyloggers, Rootkits …
2
Threat Example: Rootkits



“A rootkit is a set of programs and code that allows a
permanent or consistent, undetectable presence on a
computer”—Rootkits:Subeverting the Windows Kernel
Goals:

Hide malicious resources (e.g., processes, files, registry keys, open

Provide hidden backdoor access
ports, etc.)
Techniques: modifying kernel resources (integrity
violation)

Loadable Kernel Modules (most popular method)


Modify system call table, kernel text, Interrupt Descriptor Table (IDT)
Patching the running kernel (memory modification)

Modify /dev/kmem
3
Existing Approaches

Existing Models: MAC (Biba, Bell-LaPadula, Chinese Wall)




Clear goal
Too restrictive, coarse-grained
No ongoing check
Existing Enforcement Mechanisms:

User-Level




OS Kernel (SELinux)



Good performance
No isolation
Easily compromised
No isolation
Too many polices (50,000 +policies in Linux 2.6.18)
Hardware-based Coprocessor (Copliot)


Isolation
Needing another PCI card, no real time prevention
4
Our Approach

Virtual Machine Monitor (VMM) based Architecture




Strong Isolation: Compromised guest OS cannot disable
protection mechanism in VMM
Introspection: VMM can see hardware states
Interposition: VMM can enforce memory access, NIC …
VMM can monitor and enforce events
happening in a guest VM.
UCON


Decision continuity and attribute mutability
Previous work has shown policy specification flexibility of
UCON
5
Outline

Policy and Model:






UCONKI model for OS kernel integrity
Event-based logic model for UCONKI policy
specification
VMM-based Enforcement Architecture
Prototype
Evaluation
Conclusion and Future Work
6
UCON Model (Park and Sandhu 2004)
Continuity of
Decisions
Rights
(R)
Subjects
(S)
pre-decision
Objects
(O)
Usage
Decisions
Subject Attributes (SA)
Object Attributes (OA)
Authoriz
ations
(A)
Obliga
tions
(B)
Condi
tions
(C)
ongoing-decisions
before usage
ongoing usage
pre-updates
ongoing updates
after usage
post-updates
Mutability of
Attributes


Three phases of a usage process
Decision in first two phases
 pre-decision
 ongoing-decisions: repeatedly
check during ongoing usage phase


Decision Continuity
Attributes can be updated as side-effects of a usage:
 pre, ongoing, and post updates
 Persistent and mutable attributes

Attribute Mutability
7
UCONKI Model for OS Kernel Integrity

Subjects (S):


Objects (O):


Addresses, types, status of objects
Rights (ATT (R)):


Text hash values of subjects
Object attributes (ATT (O)):


Kernel memory spaces, disk devices, and registers
Subject attributes (ATT(S)):


Active processes and loadable kernel modules (LKMs)
Generic actions such as read and write
Authorizations:

Functional predicates that have to be evaluated for usage decisions
8
Event-based Policy Model for UCONKI

A UCONKI policy is a well-typed policy rule of the
form:
(e1 …  ei) causes (act1…  actj) if (p1 …  pk)
where e1 ,…, ei are events, act1 ,…, actj are actions, and
p1 ,…, pk are predicates.

A UCONKI policy specifies that when events e1 ,…,
ei occur, actions act1 ,…, actj must be performed
by the system if predicates p1 ,…, pk are
satisfied.
9
Subjects events and system actions
Subject Events
ongoingaccess* endaccess
tryaccess
Before
permitaccess
or
denyaccess
preupdate
Usage
onupdate*
After
revokeaccess
postupdate
System Actions
* means repetition
10
Example Policies specified by EPA

Pre-Authorization

Mutability
11
Policy Decision
Point(PDP)
Proces1
System
objects
Process2
Policy Database
Architecture
Kernel
G
u
e
s
t
V
M
6
9
1
8
4
3
Attributes
Repository(AR)
2
10
7
VM Enforcer
6
5
11
Access Vector
Cache(AVC)
H
o
w
s
iE
thtO
x
VS
te
M
n
M
s
io
n
12
Subject generates an access request
event from the guest VM and intercepted
by VME (step 1)

VME contacts AR and retrieves the
subjects and objects attributes (steps 2
and 3)

VME queries AVC (step 4)

If AVC has valid entry and S & O
attributes not changed, gives yes (step 5)
and goes to step 8, otherwise gives no
and goes to step6

VME pushes S & O attributes to PDP
(step 6)

PDP makes access control decision
according to policy and S & O attributes
(step 7)

The decision is forwarded to VME and
enforced in the VM (step 8)
Proces1
Process2
Policy Decision
Point(PDP)

Policy Database
Architecture
System
objects
Kernel
G
u
e
st
V
M
6
1
8
4
3
Attributes
Repository(AR)
2
7
VM Enforcer
6
5
Access Vector
Cache(AVC)
H
wos
t
EithO
xtVS
eM
nM
si
o
n
13
Architecture
 VME gets the new attributes
from the guest VM (step 9)
 New subject/object
attributes are pushed back to
AR (step 10)

e.g. update system call
table address after legitimate
process modified it

Update the decision cache

VME pushes the decision
along with subject and
object’s attributes to AVC
after usage (step11)
Proces1
System
objects
Process2
Policy Database
Update of attributes
(Mutability)
Policy Decision
Point(PDP)

Kernel
G
u
e
st
V
M
9
Attributes
Repository(AR)
Access Vector
Cache(AVC)
VM Enforcer
10
11
H
wos
t
EithO
xtVS
eM
nM
si
o
n
14
Prototype Implementation


An OS kernel integrity
protection system
 Bochs IA-32 Emulator
 Guest VM: Red hat7.2
(Linux 2.4.7-10)
Example policy: kernel text,
system call table, IDT table
and virtual file system
dispatch table cannot be
modified
Symbol
Use
_text
_etext
_sys_call_table
idt_tabe
proc_root_opera
tions
Beginning of kernel text
End of kernel text
system call table
Interrupt Descriptor
Table
Root File System Ops
Interesting symbols found
from /boot/system.map
15
Prototype
0xc00000000
0xc0100000
Kernel Text
0xc023d600
0xc023e13c
System call table
sys_exit
sys_fork
sys_read
sys_write
0xc023e53c
0xc028f000
0xc028f800
Interrupt Description
Table
sys_execve
…
Virtual file system
0xc0241d20
0xd0838560
proc_root_ops
root_dir_ops
0xfe0000000
Runtime addresses collected from a Redhat 7.2 Linux system (2.4.7-10)
16
Evaluation

Evaluation results with 18 real-world kernel rootkits
17
Example Rootkits
“Adore” rootkit
“Adore-ng” rootkit
“suckit” rootkit
18
Possible Extensions


UCONKI Extensions
 Attributes Management
 Conditions
 Obligations
Policy Enforcement
19
Conclusions


We have proposed a VMM-based usage
framework for OS kernel integrity
protection
We have subjected our prototype to 18
real-world kernel rootkits to validate its
practicality and effectiveness
20
Ongoing and Future Work


Extending our framework for general
OS security
Porting to other VMM platforms, like
XEN
21
Thank You!
Email: mxu@gmu.edu
URL: http://www.list.gmu.edu/mxu
Related documents
Abstract
Abstract
CI04-Week8
CI04-Week8
Domain Invariant Transfer Kernel Learning Abstract: Domain
Domain Invariant Transfer Kernel Learning Abstract: Domain
doc
doc
Office hrs: CII 5217 Thursday 10:00
Office hrs: CII 5217 Thursday 10:00
Worksheet
Worksheet
Week Eight Quiz and Answers
Week Eight Quiz and Answers
HW7CS273Awinter11
HW7CS273Awinter11
Download
advertisement