
ASLR - Address Space Layout Randomization

b4d
November 09, 2016


Talk for the 2016 ISP course at the Faculty of Computer and Information Science, Ljubljana.

Address Space Layout Randomization (ASLR) is a computer security technique that provides protection from buffer overflow attacks. ASLR randomizes address space positions of key data of a process, thus making it difficult for an attacker to reliably jump to a particular exploited function in memory. In this paper we study limitations of ASLR and present viable exploitation options that can circumvent kernel space ASLR on current operating systems. We also discuss mitigation strategies against some of the attacks with their strengths and weaknesses revealed.


Transcript

  1. ADDRESS SPACE LAYOUT RANDOMIZATION - DENI BACIC

  2. // full-nelson.c
     // Kernel-context payload: swaps the current task's credentials for fresh
     // root credentials (uid 0). Both payloads on this slide depend on the
     // absolute kernel addresses of commit_creds and prepare_kernel_cred,
     // which is exactly what KASLR randomizes.
     static int __attribute__((regparm(3))) getroot(void *file, void *vma)
     {
         commit_creds(prepare_kernel_cred(0));
         return -1;
     }

     // https://blog.plenz.com/2013-02/privilege-escalation-kernel-exploit.html
     int privesc(struct sk_buff *skb, struct nlmsghdr *nlh)
     {
         commit_creds(prepare_kernel_cred(0));
         return 0;
     }
  3. (no text)

  4. Diagram: the kernel and the ext4, iptable_nat and ahci modules land at
     different positions in the memory address space on boot 1 and boot 2.

  5. $ cat /proc/kallsyms | grep ' commit_creds\| prepare_kernel'
     0000000000000000 T commit_creds
     0000000000000000 T prepare_kernel_cred                 (user)

     $ sudo cat /proc/kallsyms | grep ' commit_creds\| prepare_kernel'
     ffffffff81099ab0 T commit_creds
     ffffffff81099f90 T prepare_kernel_cred                 (super user, boot 1)

     $ sudo cat /proc/kallsyms | grep ' commit_creds\| prepare_kernel'
     ffffffff8108ca70 T commit_creds
     ffffffff8108ce50 T prepare_kernel_cred                 (super user, boot 2)
  6. ADOPTION STATUS
     Jang, Yeongjin, Sangho Lee, and Taesoo Kim. "Breaking Kernel Address Space Layout Randomization with Intel TSX." Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. ACM, 2016.

  7. ATTACKING KASLR?
     ‣ info vulnerability?
     ‣ timing side-channel
     ‣ memory address access

  8. ATTACKING KASLR?
     ‣ unmapped == more time
     ‣ mapped == less time

  9. Figure: timing distributions for unmapped vs mapped kernel addresses, from
     Hund, Ralf, Carsten Willems, and Thorsten Holz. "Practical timing side channel attacks against kernel space ASLR." Security and Privacy (SP), 2013 IEEE Symposium on. IEEE, 2013.

  10. Timeline figure (time ->): user -> cpu -> TLB -> OS exception handling -> user;
     the OS exception handling shows up as noise in the measurement
     (TLB = translation lookaside buffer).

  11. Timeline figure (time ->): as before, with the OS noise from exception
     handling dominating the TLB signal.

  12. CAN WE IMPROVE IT?
     ‣ DrK attack
     ‣ exploits Intel TSX

  13. Timeline figure (time ->) comparing the two paths: with TSX the access goes
     user -> cpu -> TLB -> user with no OS exception handling, shown against the
     earlier timeline with OS noise.

  14. Figure: unmapped vs mapped timing distributions from Hund et al. (2013) and
     Jang et al. (2016); the two distributions have std ~40 and std ~10.

  15. (no text)

  16. EVEN FROM A VIRTUAL MACHINE (VM / OS)
     https://github.com/felixwilhelm/mario_baslr

  17. MITIGATION APPROACHES?
     ‣ coarse-grained timer
     ‣ fake mapping

  18. MITIGATION APPROACHES?
     ‣ monitoring
     ‣ live re-randomization

  19. ?
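Slide 5 shows the two settings a defender can check directly: whether user-space ASLR is fully enabled, and whether /proc/kallsyms hands real kernel addresses to unprivileged users. The POSIX shell script below is an added example, not part of the deck or of any project it cites. It audits kernel.randomize_va_space and kernel.kptr_restrict and tests whether a kallsyms listing still reveals non-zero addresses. The two kallsyms excerpts are constructed to mirror the shape of slide 5, and the optional ROOT prefix argument (used to read a fake /proc/sys tree) is an assumption of this example.

```shell
#!/bin/sh
# Added example: audit the sysctls behind ASLR/KASLR visibility and check
# whether a kallsyms listing leaks real kernel addresses.
# The listings below are constructed for this example (not from a real host):
# all-zero addresses as an unprivileged user, real ones as root.

KALLSYMS_UNPRIV='0000000000000000 T commit_creds
0000000000000000 T prepare_kernel_cred'

KALLSYMS_ROOT='ffffffff81099ab0 T commit_creds
ffffffff81099f90 T prepare_kernel_cred'

# kallsyms_leaks: read kallsyms lines on stdin; exit 0 if any symbol carries a
# non-zero address (the listing reveals real kernel addresses), 1 otherwise.
kallsyms_leaks() {
    awk '$1 !~ /^0+$/ { found = 1 } END { if (found) exit 0; exit 1 }'
}

# sysctl_value NAME [ROOT]: print kernel.NAME read from ROOT/proc/sys/kernel.
# ROOT is an assumed parameter so a fake tree can be read in tests; leave it
# empty to read the live system. Prints "missing" if the file is absent.
sysctl_value() {
    f="${2:-}/proc/sys/kernel/$1"
    if [ -r "$f" ]; then cat "$f"; else echo missing; fi
}

# aslr_audit [ROOT]: print both settings and return 0 only when both are at
# their hardened values.
#   kernel.randomize_va_space: 0 = off, 1 = stack/mmap/vdso, 2 = also brk (wanted)
#   kernel.kptr_restrict:      0 = kallsyms shows addresses to everyone,
#                              1 = hidden unless CAP_SYSLOG, 2 = hidden for all
aslr_audit() {
    rva=$(sysctl_value randomize_va_space "${1:-}")
    kpr=$(sysctl_value kptr_restrict "${1:-}")
    echo "kernel.randomize_va_space=$rva kernel.kptr_restrict=$kpr"
    [ "$rva" = 2 ] && { [ "$kpr" = 1 ] || [ "$kpr" = 2 ]; }
}

# Demonstration on the constructed listings, then on the live system if present.
for listing in "$KALLSYMS_UNPRIV" "$KALLSYMS_ROOT"; do
    if printf '%s\n' "$listing" | kallsyms_leaks; then
        echo "listing reveals kernel addresses"
    else
        echo "listing is sanitised (all-zero addresses)"
    fi
done
aslr_audit "${AUDIT_ROOT:-}" || echo "ASLR/KASLR hardening incomplete"
```

Run it as any user: the kallsyms check is what slide 5 demonstrates by hand, and a failing audit points at the sysctl to raise. Setting kptr_restrict to 2 hides addresses even from root, which is the stricter choice when no one needs kallsyms for debugging.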