Post on 23-Dec-2015
Minos: Control Data Attack Prevention Orthogonal to
Memory Model
Jedidiah R. Crandall and Frederic T. Chong
Department of Computer Science
University of California at Davis
F. Chong - MinosUMD 10/04
Outline
• What is control data?• Motivation• Biba’s low-water-mark integrity policy• The Minos architecture• Security assessment
F. Chong - MinosUMD 10/04
What is control data?
• Any data which is loaded into the program counter on control flow transfer, or any data used to calculate such data
• Executable code is not control data
F. Chong - MinosUMD 10/04
A Control Data Vulnerability
typedef function();function *f;scanf(“%d”, (int *) &f);f();
• More commonly: buffer overflows, format string attacks
F. Chong - MinosUMD 10/04
Motivation
• Control data attacks cost users billions of dollars a year– Remote intrusions– Cleaning up worms– SPAM and DoS from botnets
• Without architectural support, every memory corruption vulnerability is an opportunity to hijack control flow
F. Chong - MinosUMD 10/04
Securing commodity software
• Minos supports an untyped, linear address space• Allows us to secure commodity software
– Supports code as data (dynamic libaries, JITs)– Modification of source code is optional, but helpful
• Minos implements a simple, low-level security policy that does not need to be customized to each application.
F. Chong - MinosUMD 10/04
Minos Security Goals
• Control data attacks constitute the overwhelming majority of remote intrusions
• Minos protects against remote control data attacks
• Minos protects against local vulnerabilities but only because the line between these and remote vulnerabilities is not clear
F. Chong - MinosUMD 10/04
Biba’s Low-water-mark Integrity Policy
• Security properties– Integrity– Confidentiality– Availability
• Tracks the “taintedness” of data• Access controls are based on accesses a
subject has made in the past
F. Chong - MinosUMD 10/04
Biba’s Low-water-mark Integrity Policy (Formally)
• Any subject may modify any object if…– The integrity of the object is not greater than
that of the subject• Any subject may read any object
– The subject’s integrity is lowered to the minimum of the object’s integrity and it’s own
• Notorious for its monotonic behavior
F. Chong - MinosUMD 10/04
The Minos Architecture
• Integrity bit kept with every word of L1 cache
• Integrity bits grouped into words in L2 cache
• Integrity bits grouped into pages in VM
F. Chong - MinosUMD 10/04
Gratuitous Dante Quote
Minos the dreadful snarls at the gate, … and wraps himself in his tail with as many turns as levels down that shade will have to dwell
F. Chong - MinosUMD 10/04
Two Implementations
• Linux• Windows Whistler and XP• Full system emulation
– SPEC benchmarks are statically compiled binaries that do not use the network
– A proof-of-concept was needed because of the low-water-mark policy
F. Chong - MinosUMD 10/04
OS Changes
• Read system call forces data low integrity unless…– The ctime and mtime of the inode are before
an establishment time …OR…– The inode points to a pipe between
lightweight processes that share the same address space
• Network sockets, readv()s, and pread()s are forced low integrity unconditionally
F. Chong - MinosUMD 10/04
OS Changes (Continued)
• Establishment time requirement applies to mmap()ed files
• A static binary may be mounted and executed if it is flushed to the disk first
• More user friendly methods of defining trust could be developed
F. Chong - MinosUMD 10/04
Quantitative Measures
• Stability– Monotonic loss of system integrity?
• Virtual Memory Performance– Hardware investment in cache system– Slightly increased pressure on VM swapping
F. Chong - MinosUMD 10/04
One Month of a Minos Web Server
F. Chong - MinosUMD 10/04
SPEC2000 gcc
F. Chong - MinosUMD 10/04
Virtual Memory Swapping
Memory Swap drive
4kb Page w/ tags
Tags (128 bytes)
4kb Page w/ tags
4kb Page (no tags)
F. Chong - MinosUMD 10/04
Virtual Memory Swapping Experimental Methodology
• Minos-enabled Linux vs. unmodified Linux• 1.6 GHz Pentium 4 with 256 MB RAM• 512 MB Swap Space• Used mlocks() to take away memory• 4 SPEC2000 benchmarks
F. Chong - MinosUMD 10/04 gcc bzip2
vpr mcf
F. Chong - MinosUMD 10/04
Qualitative Measures
• Real attacks– Many return pointer protection papers
erroneously cite Code Red as motivation– Two attacks (innd and su-dtors) caused
changes to our original, simple policy• We designed attacks specifically designed
to subvert Minos
22
How to catch worms…
23
Only one false positive…
24
Actually a “non-target pest”
Attacks tested on MinosReal Vulnerability?
Remote? Vulnerability Type Caught?
rpc.statd Yes Remote Format string Yes
traceroute Yes Local Double free() Yes
su-dtors Yes Possibly remote Format string Yes
wu-ftpd Yes Remote Format string Yes
wu-ftpd Yes Remote Heap globbing Yes
innd Yes Remote Buffer overflow Yes
hannibal Yes Remote Format string Yes
Windows DCOM Yes Remote Buffer overflow Yes
Windows LSASS Yes Remote Buffer overflow Yes
tigger No Local long_jmp() buffer Yes
str2int No Local Buffer overflow Yes
offbyone No Local Off-by-one buffer overflow Yes
virt No Local Virtual function pointers Yes
envvar No Local Environment variables Yes
longstr No Local Hypothetical format string Yes
F. Chong - MinosUMD 10/04
Attacks By OthersAttack Known
Exploit?Remote?
Vulnerability Caught?
Linux wu-ftpd No Remote Heap globbing Yes
Code Red II Yes Remote Buffer overflow in ASCII->UNICODE Yes
SQL Server 2000 No Remote Buffer overflow in authentication Yes
F. Chong - MinosUMD 10/04
More info
• Minos architecture [Crandall, Chong, Micro 2004]
• Minos security assessment [Crandall, Chong, WASSA 2004]
http://minos.cs.ucdavis.edu
• Minos emulated system• If you break it, please leave a text file in
/root
F. Chong - MinosUMD 10/04
Minos Issues
• Bit-width conversions are problematic– Code Red vs. Sun SDK
• Load/store addresses are problematic• Procedure Linkage Table (PLT)• Controlled increment
F. Chong - MinosUMD 10/04
Bit-Width Policies
• All 8- and 16-bit immediates are low integrity
• All 8- and 16-bit loads/stores have the integrity of the addresses used checked(possible because no 8- and 16-bit ptrs)
• Misaligned 32-bit loads/stores are assumed low integrity
• Code Red exploits ASCII->Unicode bit conversion
F. Chong - MinosUMD 10/04
JIT Compatibility
• Sun Java SDK must be run in compatibility mode:– All 8-bit and 16-bit immediates are high
integrity– Could allow arbitrary 32-bit high integrity
control data– For security reasons, the JIT should be
slightly modified
F. Chong - MinosUMD 10/04
A fundamental tradeoff
• Can only do one of:1) Check addresses for control data 32-bit
loads/stores
2) Check all operands to an operation• Else many false positives
– Size argument for heap malloc from user– Entire heap becomes low integrity
F. Chong - MinosUMD 10/04
Breaking Minos
• We couldn’t break Minos• So we looked at current best practices
– Non-executable pages– StackGuard – Random placement of library routines
• But Minos is in theory vulnerable
F. Chong - MinosUMD 10/04
Hannibal
• Exploits format string vulnerability in wu-ftpd– Upload a binary called jailbreak via anonymous FTP– Switch rename() with execv() in PLT using a
format string attack– Request to rename jailbreak becomes execv()
• (Not really this simple…)
F. Chong - MinosUMD 10/04
Information Flow Problems
if (LowIntegrityData == 5)HighIntegrityData = 5;
HighIntegrityData = HighIntegrityLookupTable[LowIntegrityData];
HighIntegrityData = 0;while (LowIntegrityData--)
HighIntegrityData++;
F. Chong - MinosUMD 10/04
Minos is “securable”
• Modifications of the library code and the linking mechanisms could secure a Minos system with a high degree of assurance by– Taking away the power of arbitrary copy
primitives with an Secure PLT– Avoiding code that gives attackers abilities
like a controlled increment
F. Chong - MinosUMD 10/04
Related Work
• Capability systems – AS/400, iAPX 432• M Machine, Mondriaan• Dynamic Information Flow (MIT)• Buffer Overflow Protection (UCSD)
Minos is distinguished by its simple policy
F. Chong - MinosUMD 10/04
Future Work
• Nearly the same HW as soft-error detection [Weaver,Emer,Mukherjee ISCA04]
• Similar to NAT bit for speculation on Itanium
• Leverage tag bit on PowerPC AS used for microcode
F. Chong - MinosUMD 10/04
Collaborative Network Defense
• Minos “honeypot” detect worms• DACODA analysis tool creates filter• Buttercup network hardware protects all hosts
F. Chong - MinosUMD 10/04
DMA and Port I/O
• All DMA and Port I/O is assumed high integrity– Any data off the network will be read and
forced low integrity– It will stay low integrity because of the
establishment time requirement• Consider the alternative
F. Chong - MinosUMD 10/04
Specific Concerns for Minos
• Arbitrary copy primitives– Sandboxed PLT
• Format string attacks using long strings rather than size specifiers– Minos does stop the longstr attack
• Dangling pointers– Need arbitrary copy primitive
F. Chong - MinosUMD 10/04
Security Comparison
• Minos• G. Edward Suh, Jae W. Lee, and Srinivas
Devadas. “Secure Program Execution via Dynamic Information Flow Tracking”, ASPLOS XI– Two different policies
• Current best practices
F. Chong - MinosUMD 10/04
Three Classes of Control Data Attacks
a) Overwrite control data with untrusted data
b) Cause control data to be loaded/stored to/from the wrong place
c) Cause control data to be loaded from the right place but at the wrong time
F. Chong - MinosUMD 10/04
Minos
• Protection against (a) is explicit• Protection against (b) only for 8- and 16-bit
data• Arbitrary copy primitive needed for (c)
F. Chong - MinosUMD 10/04
Information Flow Tracking
• Policy 1 does not fully protect against (a)• Both policies protect against (b) by
checking the integrity of addresses used for all loads and stores
• Policy 1 does not fully protect against (c)
F. Chong - MinosUMD 10/04
A Fundamental Tradeoffchunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | prev_size of previous chunk (if p=1) | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | size of chunk, in bytes |p|mem-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | User data starts here... . . . . (malloc_usable_space() bytes) . . |nextchunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | size of chunk | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+