Slide 1

Slide 1 text

ADDRESS SPACE LAYOUT RANDOMIZATION
DENI BACIC

Slide 2

Slide 2 text

// full-nelson.c
static int __attribute__((regparm(3))) getroot(void * file, void * vma)
{
    commit_creds(prepare_kernel_cred(0));
    return -1;
}

// https://blog.plenz.com/2013-02/privilege-escalation-kernel-exploit.html
int privesc(struct sk_buff *skb, struct nlmsghdr *nlh)
{
    commit_creds(prepare_kernel_cred(0));
    return 0;
}

Slide 3

Slide 3 text

No content

Slide 4

Slide 4 text

[Figure: the memory address space on boot 1 and on boot 2, with the kernel and the ext4, iptable_nat and ahci modules shown in each]

Slide 5

Slide 5 text

user:
$ cat /proc/kallsyms | grep ' commit_creds\| prepare_kernel'
0000000000000000 T commit_creds
0000000000000000 T prepare_kernel_cred

super user, boot 1:
$ sudo cat /proc/kallsyms | grep ' commit_creds\| prepare_kernel'
ffffffff81099ab0 T commit_creds
ffffffff81099f90 T prepare_kernel_cred

super user, boot 2:
$ sudo cat /proc/kallsyms | grep ' commit_creds\| prepare_kernel'
ffffffff8108ca70 T commit_creds
ffffffff8108ce50 T prepare_kernel_cred

Slide 6

Slide 6 text

ADOPTION STATUS

Jang, Yeongjin, Sangho Lee, and Taesoo Kim. "Breaking Kernel Address Space Layout Randomization with Intel TSX." Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. ACM, 2016.

Slide 7

Slide 7 text

ATTACKING KASLR?
‣ Info vulnerability?
‣ Timing side-channel
‣ Memory address access

Slide 8

Slide 8 text

ATTACKING KASLR?
‣ Unmapped == more time
‣ Mapped == less time

Slide 9

Slide 9 text

[Figure: access-time distributions for unmapped vs. mapped kernel addresses]

Hund, Ralf, Carsten Willems, and Thorsten Holz. "Practical timing side channel attacks against kernel space ASLR." Security and Privacy (SP), 2013 IEEE Symposium on. IEEE, 2013.

Slide 10

Slide 10 text

[Figure: timeline of one probing access: user -> cpu -> TLB -> OS exception handling -> user; the OS exception handling stage is marked as OS noise. TLB = translation lookaside buffer]

Slide 11

Slide 11 text

[Figure: the same timeline (user -> cpu -> TLB -> OS exception handling -> user), now with both the OS exception handling stage and the TLB stage marked as noise sources. TLB = translation lookaside buffer]

Slide 12

Slide 12 text

CAN WE IMPROVE IT?
‣ DrK attack
‣ Exploits Intel TSX

Slide 13

Slide 13 text

[Figure: two timelines. Top: user -> cpu -> TLB -> OS exception handling -> user, with OS noise marked. Bottom: user -> cpu -> TLB -> user, without the OS exception handling stage; only the TLB noise remains]

Slide 14

Slide 14 text

[Figure: access-time distributions for unmapped vs. mapped addresses, the Hund et al. 2013 measurement (std ~40) beside the DrK measurement of Jang et al. 2016 (std ~10)]

Jang, Yeongjin, Sangho Lee, and Taesoo Kim. "Breaking Kernel Address Space Layout Randomization with Intel TSX." Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. ACM, 2016.

Hund, Ralf, Carsten Willems, and Thorsten Holz. "Practical timing side channel attacks against kernel space ASLR." Security and Privacy (SP), 2013 IEEE Symposium on. IEEE, 2013.

Slide 15

Slide 15 text

No content

Slide 16

Slide 16 text

EVEN FROM A VIRTUAL MACHINE

[Figure: a VM running on top of the host OS]

https://github.com/felixwilhelm/mario_baslr

Slide 17

Slide 17 text

MITIGATION APPROACHES?
‣ Coarse-grained timer
‣ Fake mapping
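Added illustration, not part of the deck: a small simulation of the mapped/unmapped timing channel (slides 8 and 14) and of the coarse-grained timer mitigation listed above. The two cycle means are assumptions; the spreads ~40 and ~10 are the std values quoted on slide 14.

```python
import random

# Constructed model of the timing channel on these slides: probing an unmapped
# kernel address takes longer than probing a mapped one. The two cycle means are
# assumptions; std ~40 (Hund et al.) and ~10 (DrK) are the values on slide 14.
MAPPED_MEAN = 200     # assumed cycles for a mapped address
UNMAPPED_MEAN = 240   # assumed cycles for an unmapped address
THRESHOLD = (MAPPED_MEAN + UNMAPPED_MEAN) / 2


def sample_timings(std, n, seed=1):
    """Return n (label, cycles) pairs, half mapped and half unmapped."""
    rng = random.Random(seed)
    half = n // 2
    return ([("mapped", rng.gauss(MAPPED_MEAN, std)) for _ in range(half)] +
            [("unmapped", rng.gauss(UNMAPPED_MEAN, std)) for _ in range(half)])


def coarsen(cycles, granularity):
    """Model a coarse-grained timer: round the reading down to a whole tick."""
    return (cycles // granularity) * granularity


def classify(cycles):
    """The rule from slide 8: a slower access means an unmapped address."""
    return "unmapped" if cycles >= THRESHOLD else "mapped"


def accuracy(std, granularity=1, n=2000):
    """Fraction of probes the threshold rule labels correctly (0.5 = guessing)."""
    samples = sample_timings(std, n)
    hits = sum(classify(coarsen(t, granularity)) == label for label, t in samples)
    return hits / n


if __name__ == "__main__":
    for std in (40, 10):
        for gran in (1, 100, 1000):
            print(f"std={std:3d} timer tick={gran:5d} cycles: "
                  f"accuracy={accuracy(std, gran):.3f}")
```

A timer tick coarser than the gap between the two means collapses the classifier to guessing, which is the premise of the coarse-grained timer mitigation.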

Slide 18

Slide 18 text

MITIGATION APPROACHES?
‣ Monitoring
‣ Live re-randomization

Slide 19

Slide 19 text

?