
Kernel Control Flow Attacks and Defenses


Bryan Payne

June 08, 2009

Transcript

  1. Kernel Control Flow Attacks and Defenses
     Bryan D. Payne, School of Computer Science, Georgia Institute of Technology
  2. Kernel Control Flow Attacks and Defenses, TIW 2009
     Kernel Control Flow
     [Figure: control flow graph of the code below, with conditional edges labelled true/false and the path taken for a = 5, b = 4 marked as steps 1 through 5]

         int add_equal(int a);
         int add_greater(int a, int b);
         int add_lesser(int a, int b);

         int add_if(int a, int b)
         {
             int result = 0;
             if (a == b) {
                 result = add_equal(a);
             } else if (a > b) {
                 result = add_greater(a, b);
             } else {
                 result = add_lesser(a, b);
             }
             return result;
         }

         int add_equal(int a) { return a * 2; }
         int add_greater(int a, int b) { return a + b; }
         int add_lesser(int a, int b) { return b + a; }
  3. Kernel Control Flow Attack
     Definition: Altering the execution path of the operating system with malicious intent.
     (Note that this excludes data-driven attacks such as Direct Kernel Object Manipulation.)
  4. Outline
     - Background Information
     - Control Flow Attacks
     - Overview of Defenses
     - Summary
  5. Three Control Flow Attack (CFA) Techniques:
     1) Persistent Call Hooks
     2) Dynamic Patching
     3) Transient Soft-Timer Attacks
  6. CFA Technique #1: Persistent Call Hooks
     G Hoglund and J Butler. Rootkits: Subverting the Windows Kernel. Addison-Wesley, 2005.
  7. Hooking Opportunities
     - SSDT: System Service Descriptor Table - function pointers to system calls
     - IDT: Interrupt Descriptor Table - function pointers to interrupt handlers
     - IRP: I/O Request Packets - function pointers to driver I/O handlers
     [Figure: a User Program issues INT 2E / SYSENTER; in the kernel, KiSystemService indexes the SSDT (entries 0x804cd21b, 0x80ca425e, 0x8056dd2c, 0x80434acd, 0x803f53b1) and executes CALL 0x804cd21b into the System Call Routine]
  8. How Call Hooks Work
     [Figure, before: KiSystemService reads 0x804cd21b from the SSDT and does CALL 0x804cd21b into the System Call Routine.
      After: the same SSDT slot holds 0x80ff41a6, so KiSystemService does CALL 0x80ff41a6 into the Malicious Routine, which in turn does CALL 0x804cd21b into the original System Call Routine]
  9. Call Hook CFA Examples
     - Process Hiding - filter the results of ZwQuerySystemInformation - uses an SSDT hook
     - Keylogger - hook the interrupt service routine for the keyboard - uses an IDT hook
     - Hiding Active Network Ports - hook the device control function in the TCPIP.SYS driver - uses an IRP hook
  10. CFA Technique #2: Dynamic Patching
      G Hoglund and J Butler. Rootkits: Subverting the Windows Kernel. Addison-Wesley, 2005.
  11. Dynamic Patching
      Key Idea: Modify instructions within a function to call a malicious function, and then return to the original function.
      [Figure: a Kernel Function whose first instructions are replaced by a FAR JMP to a Malicious Function in NonPagedPool memory; the malicious function runs the displaced original code and FAR JMPs back into the kernel function]
      Microsoft Detours Instrumentation Library: http://research.microsoft.com/en-us/projects/detours/
  12. Dynamic Patching Details
      Original function bytes:   55 8B EC 53 33 DB 38 5D 24
                                 PUSH | MOV | PUSH | XOR | CMP
      What we wish to insert:    EA AA AA AA AA 08 00            (FAR JMP, 7 bytes)
      The required patch:        EA AA AA AA AA 08 00 90 90      (FAR JMP, NOP, NOP)
      The 7-byte FAR JMP ends in the middle of the 3-byte CMP, so the patch is padded with two NOPs to the next instruction boundary; the displaced 9 bytes are executed elsewhere before control returns.
      Example from Figure 5-2 in: G Hoglund and J Butler. Rootkits: Subverting the Windows Kernel. Addison-Wesley, 2005.
  13. Dynamic Patching CFA Examples
      Limited Only By Your Imagination
      - Bypass Access Permissions
      - Hide Processes
      - Hide Network Activity
      - Exfiltrate Sensitive Information
      - Set up "Back Doors"
      - Launch Attacks
      - Hide CPU Cycles
      - Log Keystrokes
      - Take Screen Captures
      - Crash the System
  14. CFA Technique #3: Transient Soft-Timer Attacks
      J Wei et al. Soft-Timer Driven Transient Kernel Control Flow Attacks. In Proceedings of the 24th Annual Computer Security Applications Conference (ACSAC), 2008.
  15. Hook / Patch Drawbacks
      Call Hook Detection Is Sometimes "Easy"
      - certain pointer tables are static (e.g., SSDT, IDT)
      - a security tool can compare a hash against a known-good value
      Dynamic Patch Detection Isn't Much Harder
      - kernel code shouldn't change at runtime*
      - hashes of known-good kernel code can reveal changes
      *One notable exception is self-modifying code.
      Control flow integrity is useful for detection in the general case.
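The two checks this slide describes, hashing a static pointer table and comparing kernel code against a known-good copy, as an added C example that is not from the talk or from the books and papers it cites. The SSDT contents, the hooked value and the nine prologue bytes are the values drawn on slides 7, 8 and 12, embedded here as constructed arrays; the FNV-1a hash, the function names and the far-JMP opcode check are this example's own choices, and a real monitor would read the table and the code bytes out of the monitored kernel's memory instead.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* FNV-1a (64-bit) over an arbitrary byte range; stands in for whatever
 * hash a security tool keeps of known-good kernel state. */
uint64_t fnv1a64(const void *p, size_t n)
{
    const uint8_t *b = (const uint8_t *)p;
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= b[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Constructed stand-in for the five-entry SSDT drawn on slides 7 and 8. */
enum { SSDT_ENTRIES = 5 };
const uint32_t ssdt_known_good[SSDT_ENTRIES] = {
    0x804cd21b, 0x80ca425e, 0x8056dd2c, 0x80434acd, 0x803f53b1
};
/* Slide 8: the first slot now points at the malicious routine. */
const uint32_t ssdt_hooked[SSDT_ENTRIES] = {
    0x80ff41a6, 0x80ca425e, 0x8056dd2c, 0x80434acd, 0x803f53b1
};

/* Cheap periodic check: does the live table still hash to the baseline? */
int table_modified(const uint32_t *table, size_t n, uint64_t baseline_hash)
{
    return fnv1a64(table, n * sizeof *table) != baseline_hash;
}

/* Once a mismatch is seen, locate the slot that changed (-1 if none). */
int first_changed_slot(const uint32_t *table, const uint32_t *known_good, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (table[i] != known_good[i])
            return (int)i;
    return -1;
}

/* The nine prologue bytes from slide 12, before and after the patch. */
const uint8_t prologue_known_good[9] = { 0x55, 0x8B, 0xEC, 0x53, 0x33, 0xDB, 0x38, 0x5D, 0x24 };
const uint8_t prologue_patched[9]    = { 0xEA, 0xAA, 0xAA, 0xAA, 0xAA, 0x08, 0x00, 0x90, 0x90 };

/* Kernel code is not expected to change at runtime, so a byte-for-byte
 * comparison against a trusted copy suffices. Returns the number of differing
 * bytes and reports the first differing offset through *first_off (-1 if none). */
int code_bytes_changed(const uint8_t *live, const uint8_t *known_good, size_t n, int *first_off)
{
    int changed = 0;
    *first_off = -1;
    for (size_t i = 0; i < n; i++) {
        if (live[i] != known_good[i]) {
            if (*first_off < 0)
                *first_off = (int)i;
            changed++;
        }
    }
    return changed;
}

/* Secondary indicator: 0xEA is the opcode of the far JMP spliced in on slide 12;
 * a function that begins with it deserves a closer look. */
int entry_is_far_jmp(const uint8_t *live)
{
    return live[0] == 0xEA;
}

int main(void)
{
    uint64_t baseline = fnv1a64(ssdt_known_good, sizeof ssdt_known_good); /* taken at boot */
    int off;

    if (table_modified(ssdt_hooked, SSDT_ENTRIES, baseline))
        printf("SSDT changed: slot %d no longer matches the baseline\n",
               first_changed_slot(ssdt_hooked, ssdt_known_good, SSDT_ENTRIES));

    int n = code_bytes_changed(prologue_patched, prologue_known_good, 9, &off);
    printf("%d prologue bytes changed starting at offset %d; far JMP at entry: %s\n",
           n, off, entry_is_far_jmp(prologue_patched) ? "yes" : "no");
    return 0;
}
```

The hash makes the periodic sweep cheap; the trusted copy is only consulted once a mismatch is seen. The self-modifying-code exception noted on the slide has to be handled by excluding those regions from the baseline.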
  16. Kernel Soft Timers
      [Figure: tvec_bases heads a linked list of timer entries, each with next, function, data and expires fields; one entry's function is dev_watchdog]
      STIR: Soft Timer Interrupt Request
      - Sometimes called "dynamic timers"
      - A dynamic, schedulable queue in the kernel
      - Can be used to inject transient control flows
  17. Transient Soft Timer Attack
      [Figure: the Soft Timer Queue Engine walks the Soft Timer Queue (entries of function, data, expires) and invokes timer->function(timer->data) { ... }; the registered functions are two Legitimate Drivers and one block of Malicious Code. Steps: 1. Schedule, 2. Wait, 3. Callback, 4. Run (call function pointer)]
  18. Transient CFA Examples
      - Process Hiding - trigger a context switch from the STIR callback function - no changes in the run queue or the all-tasks list
      - Keylogger - extract keystroke info with each STIR - no changes required to existing kernel code
      - Stealthy Denial of Service - hide CPU-intensive computation - effective because the cause is hard to trace
  19. Outline
      - Background Information
      - Control Flow Attacks
      - Overview of Defenses
      - Summary
  20. Preventing CFAs Is Hard
      B Payne et al. Lares: An Architecture for Secure Active Monitoring Using Virtualization. In Proceedings of the IEEE Symposium on Security and Privacy (OAKLAND), 2008.
      - Stopping a CFA for an SSDT hook is challenging
      - The general case requires a specialized approach
      [Figure: the chain IDTR -> IDT -> Syscall dispatcher -> SSDT -> System Call Routine, with an SSDT hook shown, plus the GDTR, GDT and paging structures the chain depends on; points annotated A1 through A5]
  21. Control Flow Integrity (CFI)
      M Abadi et al. Control-Flow Integrity: Principles, Implementations, and Applications. In Proceedings of the 12th ACM Conference on Computer and Communications Security (CCS), 2005.
      [Figure: the control flow graph from slide 2, edges labelled true/false]
      Procedure
      1) Build a control flow graph (CFG)
      2) Instrument code at the source and destination of every possible control flow transfer point
      3) Validate transfers based on the CFG
      Test Results & Applicability
      - 8% increase in executable size (on average)
      - 0% to 45% performance penalty
      - Key assumptions break with kernel code
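An added C example, not from the talk or from Abadi et al., of the three-step procedure above applied to the add_if code from slide 2: every target the CFG allows from add_if's indirect call site receives one label, and the instrumented call site compares the destination's label with the one the CFG expects before transferring control. The label table, the function unrelated_fn, the cfi_call wrapper and the uniform (int, int) signature given to the three add_* functions are assumptions made for this example; real CFI embeds the labels in the binary at each destination instead of looking them up in a table.

```c
#include <stddef.h>
#include <stdio.h>

typedef int (*add_fn)(int, int);

/* The page's slide-2 functions, given one common signature so that a single
 * indirect call site can reach any of them (add_equal ignores b). */
int add_equal(int a, int b)   { (void)b; return a * 2; }
int add_greater(int a, int b) { return a + b; }
int add_lesser(int a, int b)  { return b + a; }
/* Constructed: a function the CFG never connects to add_if's call site. */
int unrelated_fn(int a, int b) { return a * b * 1000; }

/* Step 1 (CFG): the three targets reachable from add_if share one label.
 * Real CFI places the label as an immediate at each destination; this table
 * plays that role here. */
enum { LABEL_ADD_IF_TARGETS = 0x1A1, LABEL_OTHER = 0x2B2 };
struct cfi_label { add_fn fn; unsigned id; };
static const struct cfi_label labels[] = {
    { add_equal,    LABEL_ADD_IF_TARGETS },
    { add_greater,  LABEL_ADD_IF_TARGETS },
    { add_lesser,   LABEL_ADD_IF_TARGETS },
    { unrelated_fn, LABEL_OTHER },
};

static unsigned label_of(add_fn fn)
{
    for (size_t i = 0; i < sizeof labels / sizeof *labels; i++)
        if (labels[i].fn == fn)
            return labels[i].id;
    return 0; /* not a known function entry at all */
}

static int violations;
int cfi_violation_count(void) { return violations; }

/* Steps 2 and 3: the instrumented call site checks the destination's label
 * before transferring control; otherwise it records a violation and refuses. */
static int cfi_call(add_fn target, unsigned expected, int a, int b)
{
    if (label_of(target) != expected) {
        violations++;
        return -1; /* a kernel would halt or raise an alert here */
    }
    return target(a, b);
}

/* Slide 2's add_if with its transfer routed through the check. */
int add_if(int a, int b)
{
    add_fn f;
    if (a == b)
        f = add_equal;
    else if (a > b)
        f = add_greater;
    else
        f = add_lesser;
    return cfi_call(f, LABEL_ADD_IF_TARGETS, a, b);
}

/* Models a corrupted pointer: same call site, target outside its edge set. */
int add_if_hijacked(int a, int b)
{
    return cfi_call(unrelated_fn, LABEL_ADD_IF_TARGETS, a, b);
}

int main(void)
{
    printf("add_if(5, 4) = %d\n", add_if(5, 4));         /* 9, via add_greater */
    printf("hijacked     = %d\n", add_if_hijacked(5, 4)); /* -1, refused */
    printf("violations   = %d\n", cfi_violation_count());
    return 0;
}
```

The size and time costs the slide reports come from the label comparison running at every transfer; the per-site label set is what ties the check to the CFG rather than to a global list of "all functions".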
  22. State Based CFI (SBCFI)
      N Petroni and M Hicks. Automated Detection of Persistent Kernel Control-Flow Attacks. In Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS), 2007.
      Key Differences from CFI
      - Designed specifically to work for kernels
      - Infers the CFG by checking the runtime kernel state
      - Only catches persistent control flow changes
      - Can work with an external monitor
      [Figure: a Target Virtual Machine (Target Kernel, User Application) and a Security Virtual Machine (OS Kernel, SBCFI Monitor) running on a Hypervisor]
      Test Results
      - Tiny performance penalty
      - Detects a wide range of kernel threats (rootkits, etc.)
  23. Transient CFA Detection
      J Wei et al. Soft-Timer Driven Transient Kernel Control Flow Attacks. In Proceedings of the 24th Annual Computer Security Applications Conference (ACSAC), 2008.
      [Figure 3 from Wei et al.: overall processing of the STIR summary signatures. Compile time: the STIR Analyzer reads the Linux kernel source and emits symbolic STIR signatures. Initialization time: the STIR Symbol Resolver and STIR Symbol Mapper combine them with runtime symbol information into the resolved STIR signature database. Evaluation time: the STIR Checker and STIR Dispatcher, split across the Guest VM and the Security VM]
      - Determine allowable STIR functions using the kernel source
      - Validate STIR functions and data prior to execution
      - Less than 7% performance overhead
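The check described above, validating a soft timer's function and its data against a signature database before the dispatcher calls the pointer, as an added C example that is not the STIR Checker from Wei et al. The queue layout follows the next/function/data/expires entries of slides 16 and 17. The struct soft_timer definition, the callbacks dev_watchdog, flush_cb and rogue_cb, the stir_db table and its data ranges are all constructed for the example; the real system derives its database from kernel source and runtime symbols.

```c
#include <stddef.h>
#include <stdio.h>

typedef void (*timer_fn)(unsigned long);

/* One entry of the soft timer queue drawn on slide 16. */
struct soft_timer {
    struct soft_timer *next;
    timer_fn function;
    unsigned long data;
    unsigned long expires;
};

/* Constructed callbacks. The first two stand for functions the STIR Analyzer
 * found in kernel source; the third was never registered anywhere and models
 * an injected transient control flow. */
unsigned long watchdog_runs, flush_runs, rogue_runs;
void dev_watchdog(unsigned long data) { (void)data; watchdog_runs++; }
void flush_cb(unsigned long data)     { (void)data; flush_runs++; }
void rogue_cb(unsigned long data)     { (void)data; rogue_runs++; }

/* Resolved STIR signature database: each legitimate function plus the range
 * its data argument may take (a constructed pointer range here). */
struct stir_sig { timer_fn fn; unsigned long data_min, data_max; };
static const struct stir_sig stir_db[] = {
    { dev_watchdog, 0x1000, 0x1fff },
    { flush_cb,     0,      0      },
};

/* STIR Checker: validate both function and data before the callback runs. */
int stir_check(const struct soft_timer *t)
{
    for (size_t i = 0; i < sizeof stir_db / sizeof *stir_db; i++) {
        if (stir_db[i].fn != t->function)
            continue;
        return t->data >= stir_db[i].data_min && t->data <= stir_db[i].data_max;
    }
    return 0; /* function is not in the signature database */
}

/* STIR Dispatcher: run due timers that pass the check; returns how many were refused. */
int run_expired(struct soft_timer *head, unsigned long now)
{
    int refused = 0;
    for (struct soft_timer *t = head; t != NULL; t = t->next) {
        if (t->expires > now)
            continue;      /* not due yet */
        if (!stir_check(t)) {
            refused++;     /* log and skip rather than call the pointer */
            printf("refused timer with data 0x%lx (expires %lu)\n", t->data, t->expires);
            continue;
        }
        t->function(t->data); /* the transfer on slide 17: timer->function(timer->data) */
    }
    return refused;
}

/* Constructed queue: two legitimate timers, one legitimate function handed
 * out-of-range data, and one unregistered callback. Returns the refused count. */
int demo_queue(void)
{
    struct soft_timer t4 = { NULL, rogue_cb,     0,      5 };
    struct soft_timer t3 = { &t4,  dev_watchdog, 0xdead, 5 }; /* data outside allowed range */
    struct soft_timer t2 = { &t3,  flush_cb,     0,      7 };
    struct soft_timer t1 = { &t2,  dev_watchdog, 0x1234, 5 };
    return run_expired(&t1, 10);
}

int main(void)
{
    int refused = demo_queue();
    printf("refused=%d watchdog=%lu flush=%lu rogue=%lu\n",
           refused, watchdog_runs, flush_runs, rogue_runs);
    return 0;
}
```

Fired timers stay in the list here for brevity; a real queue engine unlinks them. The data-range check is what separates this from a plain function allowlist: a legitimate callback fed attacker-chosen data is refused as well.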
  24. Outline
      - Background Information
      - Control Flow Attacks
      - Overview of Defenses
      - Summary
  25. Summary
      Widespread Attack Technique
      - CFAs are used by nearly all kernel-level malware
      - No reason to expect this trend to change
      Defensive Techniques
      - Powerful techniques detect many types of CFAs
      - CFI has a large performance impact
      - SBCFI and STIR attack detection require 1) source code and 2) an external monitor
      - Do we have complete coverage?