Minos slides - UCSB Computer Science

Minos: Control Data Attack Prevention Orthogonal to Memory Model
Jedidiah R. Crandall and Frederic T. Chong
Department of Computer Science
University of California at Davis
Outline
• What is control data?
• Motivation
• Biba’s low-water-mark integrity policy
• The Minos architecture
• Security assessment
UMD 10/04
F. Chong - Minos
What is control data?
• Any data which is loaded into the program counter on control flow transfer, or any data used to calculate such data
• Executable code is not control data
A Control Data Vulnerability
    typedef void function(void);   /* a function type */
    function *f;                   /* control data: a function pointer */
    scanf("%d", (int *) &f);       /* untrusted input overwrites the pointer */
    f();                           /* control flow transfers to the attacker-chosen address */
• More commonly: buffer overflows, format string attacks
Motivation
• Control data attacks cost users billions of dollars a year
  – Remote intrusions
  – Cleaning up worms
  – SPAM and DoS from botnets
• Without architectural support, every memory corruption vulnerability is an opportunity to hijack control flow
Securing commodity software
• Minos supports an untyped, linear address space
• Allows us to secure commodity software
  – Supports code as data (dynamic libraries, JITs)
  – Modification of source code is optional, but helpful
• Minos implements a simple, low-level security policy that does not need to be customized to each application.
Minos Security Goals
• Control data attacks constitute the overwhelming majority of remote intrusions
• Minos protects against remote control data attacks
• Minos protects against local vulnerabilities, but only because the line between these and remote vulnerabilities is not clear
Biba’s Low-water-mark
Integrity Policy
• Security properties
  – Integrity
  – Confidentiality
  – Availability
• Tracks the “taintedness” of data
• Access controls are based on accesses a subject has made in the past
Biba’s Low-water-mark
Integrity Policy (Formally)
• Any subject may modify any object if…
  – The integrity of the object is not greater than that of the subject
• Any subject may read any object
  – The subject’s integrity is lowered to the minimum of the object’s integrity and its own
• Notorious for its monotonic behavior
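The two rules on this slide, and the monotonic behavior they produce, as a small added model (not code from the Minos paper or slides). Integrity levels are integers with higher meaning more trusted; the subject and object names are invented for the illustration.

```python
# Added example (not from the Minos slides): Biba's low-water-mark
# integrity policy as stated on the slide. Levels are integers; higher
# means more trusted. Names ("daemon", "socket_buffer", "config") are
# constructed for the illustration.

HIGH, LOW = 2, 0


class Object:
    def __init__(self, name, integrity, value=None):
        self.name = name
        self.integrity = integrity
        self.value = value


class Subject:
    def __init__(self, name, integrity):
        self.name = name
        self.integrity = integrity

    def read(self, obj):
        # Any subject may read any object, but its own integrity drops to
        # min(own, object's): the "low-water mark". It never rises again.
        self.integrity = min(self.integrity, obj.integrity)
        return obj.value

    def write(self, obj, value):
        # A subject may modify an object only if the object's integrity is
        # not greater than the subject's.
        if obj.integrity > self.integrity:
            raise PermissionError(
                f"{self.name} (integrity {self.integrity}) may not modify "
                f"{obj.name} (integrity {obj.integrity})")
        obj.value = value


def demo():
    """Returns (daemon's final integrity, whether the tainted write was
    blocked, final config value)."""
    net = Object("socket_buffer", LOW, b"GET / HTTP/1.0")   # constructed input
    config = Object("config", HIGH, "default")
    daemon = Subject("daemon", HIGH)

    daemon.write(config, "ok")          # allowed: HIGH subject, HIGH object
    daemon.read(net)                    # daemon's water mark sinks to LOW
    try:
        daemon.write(config, "pwned")   # refused: object is now above subject
        blocked = False
    except PermissionError:
        blocked = True
    daemon.read(config)                 # reading a HIGH object does not restore HIGH
    return daemon.integrity, blocked, config.value


if __name__ == "__main__":
    print(demo())
```

The last line of demo() is the monotonic behavior the slide calls notorious: once the daemon has read one low-integrity object, nothing it does later raises it back, which is why Minos needs the per-word granularity and the establishment-time rules described on the following slides rather than a per-process water mark.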
The Minos Architecture
• Integrity bit kept with every word of L1 cache
• Integrity bits grouped into words in L2 cache
• Integrity bits grouped into pages in VM
Gratuitous Dante Quote
Minos the dreadful snarls at the gate, … and wraps himself in his tail with as many turns as levels down that shade will have to dwell
Two Implementations
• Linux
• Windows Whistler and XP
• Full system emulation
  – SPEC benchmarks are statically compiled binaries that do not use the network
  – A proof-of-concept was needed because of the low-water-mark policy
OS Changes
• Read system call forces data low integrity unless…
  – The ctime and mtime of the inode are before an establishment time …OR…
  – The inode points to a pipe between lightweight processes that share the same address space
• Network sockets, readv()s, and pread()s are forced low integrity unconditionally
OS Changes (Continued)
• Establishment time requirement applies to mmap()ed files
• A static binary may be mounted and executed if it is flushed to the disk first
• More user friendly methods of defining trust could be developed
Quantitative Measures
• Stability
  – Monotonic loss of system integrity?
• Virtual Memory Performance
  – Hardware investment in cache system
  – Slightly increased pressure on VM swapping
One Month of a Minos Web Server
SPEC2000 gcc
Virtual Memory Swapping
(Diagram: in memory, each 4kb page carries its tags; on the swap drive, a 4kb page is stored without tags and its tags are stored separately as 128 bytes.)
Experimental Methodology
• Minos-enabled Linux vs. unmodified Linux
• 1.6 GHz Pentium 4 with 256 MB RAM
• 512 MB Swap Space
• Used mlock()s to take away memory
• 4 SPEC2000 benchmarks
(Charts: virtual memory swapping results for vpr, gcc, mcf, and bzip2.)
Qualitative Measures
• Real attacks
  – Many return pointer protection papers erroneously cite Code Red as motivation
  – Two attacks (innd and su-dtors) caused changes to our original, simple policy
• We designed attacks specifically to subvert Minos
How to catch worms…
Only one false positive…
Actually a “non-target pest”
Attacks tested on Minos

Attack          Real Vulnerability?  Remote?          Vulnerability Type          Caught?
rpc.statd       Yes                  Remote           Format string               Yes
traceroute      Yes                  Local            Double free()               Yes
su-dtors        Yes                  Possibly remote  Format string               Yes
wu-ftpd         Yes                  Remote           Format string               Yes
wu-ftpd         Yes                  Remote           Heap globbing               Yes
innd            Yes                  Remote           Buffer overflow             Yes
hannibal        Yes                  Remote           Format string               Yes
Windows DCOM    Yes                  Remote           Buffer overflow             Yes
Windows LSASS   Yes                  Remote           Buffer overflow             Yes
tigger          No                   Local            long_jmp() buffer           Yes
str2int         No                   Local            Buffer overflow             Yes
offbyone        No                   Local            Off-by-one buffer overflow  Yes
virt            No                   Local            Virtual function pointers   Yes
envvar          No                   Local            Environment variables       Yes
longstr         No                   Local            Hypothetical format string  Yes
Attacks By Others

Attack           Known Exploit?  Remote?  Vulnerability                      Caught?
Linux wu-ftpd    No              Remote   Heap globbing                      Yes
Code Red II      Yes             Remote   Buffer overflow in ASCII->UNICODE  Yes
SQL Server 2000  No              Remote   Buffer overflow in authentication  Yes
More info
• Minos architecture [Crandall, Chong, Micro 2004]
• Minos security assessment [Crandall, Chong, WASSA 2004]
• Minos emulated system: http://minos.cs.ucdavis.edu
• If you break it, please leave a text file in /root
Minos Issues
• Bit-width conversions are problematic
  – Code Red vs. Sun SDK
• Load/store addresses are problematic
• Procedure Linkage Table (PLT)
• Controlled increment
Bit-Width Policies
• All 8- and 16-bit immediates are low integrity
• All 8- and 16-bit loads/stores have the integrity of the addresses used checked (possible because no 8- and 16-bit ptrs)
• Misaligned 32-bit loads/stores are assumed low integrity
• Code Red exploits ASCII->Unicode bit conversion
JIT Compatibility
• Sun Java SDK must be run in compatibility mode:
  – All 8-bit and 16-bit immediates are high integrity
  – Could allow arbitrary 32-bit high integrity control data
  – For security reasons, the JIT should be slightly modified
A fundamental tradeoff
• Can only do one of:
  1) Check addresses for control data 32-bit loads/stores
  2) Check all operands to an operation
• Else many false positives
  – Size argument for heap malloc from user
  – Entire heap becomes low integrity
Breaking Minos
• We couldn’t break Minos
• So we looked at current best practices
  – Non-executable pages
  – StackGuard
  – Random placement of library routines
• But Minos is in theory vulnerable
Hannibal
• Exploits format string vulnerability in wu-ftpd
  – Upload a binary called jailbreak via anonymous FTP
  – Switch rename() with execv() in PLT using a format string attack
  – Request to rename jailbreak becomes execv()
• (Not really this simple…)
Information Flow Problems
    /* 1. control dependency: the value is chosen by low-integrity data */
    if (LowIntegrityData == 5)
        HighIntegrityData = 5;

    /* 2. table lookup: a high-integrity entry selected by a low-integrity index */
    HighIntegrityData = HighIntegrityLookupTable[LowIntegrityData];

    /* 3. controlled increment: a high-integrity counter driven by low-integrity data */
    HighIntegrityData = 0;
    while (LowIntegrityData--)
        HighIntegrityData++;
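A toy model of Minos-style tagging, added here (not code from the Minos paper or slides), that serves both the “Bit-Width Policies” slide and the three information-flow patterns above: it shows why a direct control-data overwrite and a narrow load through a low-integrity address are caught, and why each of the three patterns yields a high-integrity word whose value was nonetheless chosen by low-integrity data. The word machine, its operations and all names are invented for the illustration; real Minos keeps one tag bit per 32-bit word in hardware.

```python
# Added example (not from the Minos paper or slides): a toy model of
# Minos-style integrity tagging on a tiny word machine. All names are
# invented; real Minos keeps the tag bit per 32-bit word in hardware.


class MinosFault(Exception):
    """Raised when a control transfer or checked access uses low-integrity data."""


class Word:
    """A 32-bit value plus its integrity bit (high=True means trusted)."""
    def __init__(self, value, high=True):
        self.value = value & 0xFFFFFFFF
        self.high = high


def imm(value, width=32):
    # Bit-width policy: 8- and 16-bit immediates are low integrity;
    # a 32-bit immediate is high integrity.
    return Word(value, high=(width == 32))


def from_network(value):
    # Data read from a socket is forced low integrity unconditionally.
    return Word(value, high=False)


def alu_add(a, b):
    # The result carries the AND of the operand tags (the low-water mark per word).
    return Word(a.value + b.value, high=a.high and b.high)


def load(memory, addr, width=32):
    # 8/16-bit loads have the integrity of the *address* checked (there are
    # no legitimate 8/16-bit pointers); 32-bit loads do not (the "fundamental
    # tradeoff" slide), so the loaded word simply carries its own tag.
    if width != 32 and not addr.high:
        raise MinosFault("low-integrity address used for %d-bit load" % width)
    return memory[addr.value]


def control_transfer(target):
    # Loading low-integrity data into the program counter is what Minos stops.
    if not target.high:
        raise MinosFault("control transfer to low-integrity target 0x%08x" % target.value)
    return target.value


def direct_overwrite_is_caught():
    """scanf("%d", &f); f();  -- the control data vulnerability slide."""
    f = from_network(0x41414141)          # constructed input value
    try:
        control_transfer(f)
    except MinosFault:
        return True
    return False


def narrow_load_with_low_address_is_caught():
    """An 8-bit load whose address came from the network faults."""
    memory = {0: Word(0x11)}
    try:
        load(memory, from_network(0), width=8)
    except MinosFault:
        return True
    return False


def laundering_patterns(low_value):
    """The three 'Information Flow Problems' patterns. Each returns a
    high-tagged word whose value was chosen entirely by low-integrity data,
    which is why tag propagation alone does not flag them."""
    low = from_network(low_value)
    results = {}

    # 1. if (LowIntegrityData == 5) HighIntegrityData = 5;
    high = imm(0)
    if low.value == 5:
        high = imm(5)                          # 32-bit immediate: high integrity
    results["conditional"] = high

    # 2. HighIntegrityData = HighIntegrityLookupTable[LowIntegrityData];
    table = {i: Word(i * 0x10) for i in range(8)}   # every entry is high
    results["table"] = load(table, low, width=32)   # 32-bit load: address unchecked

    # 3. HighIntegrityData = 0; while (LowIntegrityData--) HighIntegrityData++;
    high = imm(0)
    for _ in range(low.value):
        high = alu_add(high, imm(1))           # high + high stays high
    results["counter"] = high
    return results


if __name__ == "__main__":
    print(direct_overwrite_is_caught(), narrow_load_with_low_address_is_caught())
    print({k: (hex(w.value), w.high) for k, w in laundering_patterns(5).items()})
```

Only the 32-bit table load is reachable by design: checking the address tag there is option 1) of the “fundamental tradeoff” slide and would turn every user-sized heap into low-integrity data. The control-dependency and controlled-increment cases never touch a tagged operand at all, which is why the later slides argue that the library and linking code (Secure PLT, no controlled-increment primitives) has to close them rather than the tag hardware.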
Minos is “securable”
• Modifications of the library code and the linking mechanisms could secure a Minos system with a high degree of assurance by
  – Taking away the power of arbitrary copy primitives with a Secure PLT
  – Avoiding code that gives attackers abilities like a controlled increment
Related Work
• Capability systems – AS/400, iAPX 432
• M Machine, Mondriaan
• Dynamic Information Flow (MIT)
• Buffer Overflow Protection (UCSD)
• Minos is distinguished by its simple policy
Future Work
• Nearly the same HW as soft-error detection [Weaver, Emer, Mukherjee ISCA04]
• Similar to NAT bit for speculation on Itanium
• Leverage tag bit on PowerPC AS used for microcode
Collaborative Network Defense
• Minos “honeypot” detects worms
• DACODA analysis tool creates filter
• Buttercup network hardware protects all hosts
DMA and Port I/O
• All DMA and Port I/O is assumed high integrity
  – Any data off the network will be read and forced low integrity
  – It will stay low integrity because of the establishment time requirement
• Consider the alternative
Specific Concerns for Minos
• Arbitrary copy primitives
  – Sandboxed PLT
• Format string attacks using long strings rather than size specifiers
  – Minos does stop the longstr attack
• Dangling pointers
  – Need arbitrary copy primitive
Security Comparison
• Minos
• G. Edward Suh, Jae W. Lee, and Srinivas Devadas. “Secure Program Execution via Dynamic Information Flow Tracking”, ASPLOS XI
  – Two different policies
• Current best practices
Three Classes of Control Data
Attacks
a) Overwrite control data with untrusted data
b) Cause control data to be loaded/stored to/from the wrong place
c) Cause control data to be loaded from the right place but at the wrong time
Minos
• Protection against (a) is explicit
• Protection against (b) only for 8- and 16-bit data
• Arbitrary copy primitive needed for (c)
Information Flow Tracking
• Policy 1 does not fully protect against (a)
• Both policies protect against (b) by checking the integrity of addresses used for all loads and stores
• Policy 1 does not fully protect against (c)
A Fundamental Tradeoff
    chunk->     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                | prev_size of previous chunk (if p=1)     |
                +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                | size of chunk, in bytes                |p|
    mem->       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                | User data starts here...                 .
                .                                          .
                . (malloc_usable_space() bytes)            .
                .                                          |
    nextchunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                | size of chunk                            |
                +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+