Minos: Control Data Attack Prevention Orthogonal to Memory Model

Jedidiah R. Crandall and Frederic T. Chong
Computer Science Department, University of California, Davis
Presented at MICRO-37 in Portland, Oregon on 7 December 2004

Outline
  • What is control data?
  • Motivation
  • Biba's low-water-mark integrity policy
  • The Minos architecture
  • Security assessment

What is control data?
  • Any data which is loaded into the program counter on control flow transfer, or any data used to calculate such data
  • Executable code is not control data

Motivation
  • Control Data Attacks
      • Buffer overflows, format string attacks, double free()s, much more
  • These attacks cost users billions of dollars a year
      • Remote intrusions
      • Cleaning up worms
      • SPAM and DoS from botnets

Minos Security Claims
  • Control data attacks constitute the overwhelming majority of remote intrusions
  • Minos protects against remote control data attacks
  • Minos protects against local vulnerabilities but only because the line between these and remote vulnerabilities is not clear

Securing Commodity Software
  • Flat memory model is ubiquitous
  • Minos supports code as data
      • JITs
      • Dynamic library linking
  • No program-specific policies, recompilation, or binary rewriting

Biba's Low-water-mark Integrity Policy
  • Security policies
      • Integrity
      • Confidentiality
      • Availability

  • Tracks the taintedness of data
  • Access controls are based on accesses a subject has made in the past

Biba's Low-water-mark Integrity Policy (Formally)
  • Any subject may modify any object if
      • The integrity of the object is not greater than that of the subject
  • Any subject may read any object
      • The subject's integrity is lowered to the minimum of the object's integrity and its own
  • Notorious for its monotonic behavior

The Minos Architecture
  • Tag bits in L1 and L2 cache
  • DRAM
  • VM details are in the paper

Other Tag Bits
  • The bit in [C. Weaver, J. Emer, S. S. Mukherjee, S. K. Reinhardt. Techniques to Reduce the Soft Error Rate of a High-Performance Microprocessor. ISCA 2004.]
  • NaT bits in the Itanium 2.

Gratuitous Dante Quote
  Minos the dreadful snarls at the gate, and wraps himself in his tail with as many turns as levels down that shade will have to dwell

Two Implementations

  • Linux
  • Windows Whistler and XP
  • Full system emulation
  • SPEC benchmarks are statically compiled binaries that do not use the network
  • A proof-of-concept was needed because of the low-water-mark policy

OS Changes
  • Read system call forces data low integrity unless
      • The ctime and mtime of the inode are before an establishment time OR
      • The inode points to a pipe between lightweight processes that share the same address space
  • Network sockets, readv()s, and pread()s are forced low integrity unconditionally

OS Changes (Continued)
  • Establishment time requirement applies to mmap()ed files
  • A static binary may be mounted and executed if it is flushed to the disk first
  • More user friendly methods of defining trust could be developed

One Month of a Minos Web Server

SPEC2000 gcc

Security Assessment
  • Real attacks
      • Many return pointer protection papers erroneously cite Code Red as motivation
      • Two attacks (innd and su-dtors) caused changes to our original, simple policy
  • Attacks specifically designed to subvert Minos

Attacks We Attacked Minos With

  Attack          Real Vulnerability?   Remote?           Vulnerability Type            Caught?
  rpc.statd       Yes                   Remote            Format string                 Yes
  traceroute      Yes                   Local             Double free()                 Yes
  su-dtors        Yes                   Possibly remote   Format string                 Yes
  wu-ftpd         Yes                   Remote            Format string                 Yes
  wu-ftpd         Yes                   Remote            Heap globbing                 Yes
  innd            Yes                   Remote            Buffer overflow               Yes
  hannibal        Yes                   Remote            Format string                 Yes
  Windows DCOM    Yes                   Remote            Buffer overflow               Yes
  Windows LSASS   Yes                   Remote            Buffer overflow               Yes
  tigger          No                    Local             long_jmp() buffer             Yes
  str2int         No                    Local             Buffer overflow               Yes
  offbyone        No                    Local             Off-by-one buffer overflow    Yes
  virt            No                    Local             Virtual function pointers     Yes
  envvar          No                    Local             Environment variables         Yes
  longstr         No                    Local             Hypothetical format string    Yes

Attacks By Others

  Attack            Known Exploit?   Remote?   Vulnerability                        Caught?
  Linux wu-ftpd     No               Remote    Heap globbing                        Yes
  Code Red II       Yes              Remote    Buffer overflow in ASCII->UNICODE    Yes
  SQL Server 2000   No               Remote    Buffer overflow in authentication    Yes

A Fundamental Tradeoff
  • Can only do one of these
      • Check the integrity of addresses used for 32-bit loads or stores
      • Check the integrity of both operands to an operation

    chunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
            | prev_size of previous chunk (if p=1)    | |
            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
            | size of chunk, in bytes                 |p|
      mem-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
            | User data starts here...                  .
            .                                           .
            . (malloc_usable_space() bytes)             .
            .                                           |
nextchunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
            | size of chunk                             |
            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Related Works
  • G. E. Suh, J. W. Lee, D. Zhang, and S. Devadas. Secure Program Execution via Dynamic Information Flow Tracking, ASPLOS XI.
      • Makes an exception for addition of the base and offset of a pointer
  • James Newsome and Dawn Song. Dynamic Taint Analysis, NDSS 2005.
      • Default policy does not check the addresses of any loads/stores

Specific Concerns for Minos
  • Arbitrary copy primitives (because the integrity of addresses for 32-bit loads/stores are not checked)
  • Sandboxed
  • Dangling pointers
  • Need PLT arbitrary copy primitive

Information Flow Problems

    if (LowIntegrityData == 5)
        HighIntegrityData = 5;

    HighIntegrityData = HighIntegrityLookupTable[LowIntegrityData];

    HighIntegrityData = 0;
    while (LowIntegrityData--)
        HighIntegrityData++;

Policies
  • All 8- and 16-bit immediates are low integrity
  • All 8- and 16-bit loads/stores have the integrity of the addresses used checked
  • Misaligned 32-bit loads/stores are assumed low integrity

Current Best Practices
  • Non-executable pages
  • StackGuard
  • Random placement of library routines

Hannibal
  • Format string vulnerability in wu-ftpd
  • Our goal:
      • Upload a binary called jailbreak via anonymous FTP
      • Switch rename(char *, char *) with execv(char *, char **)
      • Request to rename jailbreak becomes execv(/jailbreak, {/jailbreak, NULL})

JIT Compatibility
  • Sun Java SDK must be run in compatibility mode:
      • All 8-bit and 16-bit immediates are high integrity
      • Setuid programs run in compatibility mode will be squashed similar to a ptrace
  • For security reasons, the JIT should be slightly modified

Conclusion
  • Modifications of the library code and the linking mechanisms could secure a Minos system with a high degree of assurance by
      • Taking away the power of arbitrary copy primitives with an SPLT
      • Avoiding code that gives attackers abilities like a controlled increment
  • The fundamental tradeoff could possibly be overcome with architectural support

Questions?
  • http://minos.cs.ucdavis.edu
  • If you can break into it please leave a *.txt file in the /root directory explaining how.

Acknowledgments
  This work was supported by NSF ITR grant CCR-0113418, an NSF CAREER award and UC Davis Chancellor's fellowship to Fred Chong, and a United States Department of Education Government Assistance in Areas of National Need (DOE-GAANN) grant #P200A010306 as well as a 2004 Summer Research Assistantship Award from the U.C. Davis Graduate Student Association for Jed Crandall.

Virtual Memory Swapping
  Diagram labels: Memory, Swap drive, 4kb Page w/ tags, Tags (128 bytes), 4kb Page (no tags)

Virtual Memory Swapping Experimental Methodology
  • Minos-enabled Linux vs. unmodified Linux
  • 1.6 GHz Pentium 4 with 256 MB RAM
  • 512 MB Swap Space
  • Used mlocks() to take away memory
  • 4 SPEC2000 benchmarks
      • vpr
      • mcf
      • gcc
      • bzip2

DMA and Port I/O
  • All DMA and Port I/O is assumed high integrity
  • Any data off the network will be read and forced low integrity
  • It will stay low integrity because of the establishment time requirement
  • Consider the alternative
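
A minimal tag-bit model of the rules in these slides, added here as an illustration and not code from Minos or its authors: network data is forced low integrity, tags follow the low-water-mark rule, a control transfer through a low-integrity word traps, and only the 16-bit load checks the integrity of its address. The memory layout, the function names, and the choice to model a failed address check as a lowered result tag are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy model (assumption): each 32-bit word has one tag bit, 1 = high integrity. */
typedef struct { uint32_t val; int hi; } word_t;
enum { MEM_WORDS = 16, BUF = 0, RET = 4, TABLE = 8 };  /* constructed layout */
static word_t mem[MEM_WORDS];

/* Low-water-mark: a result is only as trusted as its least trusted operand. */
static word_t add(word_t a, word_t b) { return (word_t){ a.val + b.val, a.hi && b.hi }; }

/* Data read from a network socket is forced low integrity unconditionally. */
static void net_read(size_t dst, const uint32_t *pkt, size_t n) {
    for (size_t i = 0; i < n && dst + i < MEM_WORDS; i++)
        mem[dst + i] = (word_t){ pkt[i], 0 };
}

/* 32-bit load: the integrity of the address is not checked. */
static word_t load32(word_t addr) { return mem[addr.val % MEM_WORDS]; }

/* 16-bit load: the address is checked, modelled here as lowering the result. */
static word_t load16(word_t addr) {
    word_t w = mem[addr.val % MEM_WORDS];
    return (word_t){ w.val & 0xFFFFu, w.hi && addr.hi };
}

/* Control transfer check: 1 = allowed, 0 = trap because the target is tainted. */
static int jump_allowed(word_t target) { return target.hi; }

/* Copy n network words into the 4-word buffer, then return through RET. */
int return_traps(size_t n) {
    const uint32_t pkt[5] = { 1, 2, 3, 4, 0x1000u };   /* constructed input */
    mem[RET] = (word_t){ 0x2000u, 1 };                 /* legitimate return address */
    net_read(BUF, pkt, n > 5 ? 5 : n);                 /* n = 5 overruns into RET */
    return !jump_allowed(load32((word_t){ RET, 1 }));
}

/* HighIntegrityLookupTable[LowIntegrityData], read with a 32- or 16-bit load. */
int table_result_hi(int use_load16) {
    for (uint32_t i = 0; i < 4; i++) mem[TABLE + i] = (word_t){ i * 10, 1 };
    word_t addr = add((word_t){ TABLE, 1 }, (word_t){ 3, 0 });  /* low-integrity index */
    return use_load16 ? load16(addr).hi : load32(addr).hi;
}

int main(void) {
    printf("traps n=4:%d n=5:%d; table hi load32:%d load16:%d\n",
           return_traps(4), return_traps(5), table_result_hi(0), table_result_hi(1));
    return 0;
}
```

The in-bounds copy leaves the return address high integrity and the jump proceeds, while the one-word overrun taints it and the jump traps. The table lookup through a low-integrity index comes back high integrity with the 32-bit load and low integrity with the 16-bit load, which is the information flow problem and the tradeoff the slides describe.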
