Software Defense Mechanisms: PaX and the future past continuous.
-
Upload
christian-king -
Category
Documents
-
view
218 -
download
2
Transcript of Software Defense Mechanisms: PaX and the future past continuous.
![Page 1: Software Defense Mechanisms: PaX and the future past continuous.](https://reader035.fdocuments.us/reader035/viewer/2022062407/56649e935503460f94b98ac6/html5/thumbnails/1.jpg)
Software Defense Software Defense Mechanisms: PaX and the Mechanisms: PaX and the
futurefuture
past continuouspast continuous
![Page 2: Software Defense Mechanisms: PaX and the future past continuous.](https://reader035.fdocuments.us/reader035/viewer/2022062407/56649e935503460f94b98ac6/html5/thumbnails/2.jpg)
Who am I?Who am I?
NOT Brad Spengler – I have decent NOT Brad Spengler – I have decent earsears
Tiago Assumpção Tiago Assumpção <[email protected]><[email protected]> NOT an academicNOT an academic
An undisciplined curious person with lots of An undisciplined curious person with lots of energy to be spent on whatever is valued by energy to be spent on whatever is valued by his selfhis self
![Page 3: Software Defense Mechanisms: PaX and the future past continuous.](https://reader035.fdocuments.us/reader035/viewer/2022062407/56649e935503460f94b98ac6/html5/thumbnails/3.jpg)
Who am I? (cont.)Who am I? (cont.)
NOT a PaX developer… however…NOT a PaX developer… however… Have had delightful discussions with PaX Have had delightful discussions with PaX
Team about Team about whatever blows your hair backwhatever blows your hair back Have been Have been improving improving the project [2]the project [2] Have been Have been questioningquestioning the project [3] the project [3]
![Page 4: Software Defense Mechanisms: PaX and the future past continuous.](https://reader035.fdocuments.us/reader035/viewer/2022062407/56649e935503460f94b98ac6/html5/thumbnails/4.jpg)
In praise of hackingIn praise of hacking
““The speculations of Thales, The speculations of Thales, Anaximander, and Anaximenes are to be Anaximander, and Anaximenes are to be regarded as scientific hypotheses (...) regarded as scientific hypotheses (...) The questions they asked were good The questions they asked were good questions, and their vigour inspired questions, and their vigour inspired subsequent investigators.subsequent investigators.””
RUSSELL, Bertrand; RUSSELL, Bertrand; History of Western Philosophy - History of Western Philosophy - 1946. p. 371946. p. 37
![Page 5: Software Defense Mechanisms: PaX and the future past continuous.](https://reader035.fdocuments.us/reader035/viewer/2022062407/56649e935503460f94b98ac6/html5/thumbnails/5.jpg)
What is PaX?What is PaX?
Quite simply: the greatest advance in Quite simply: the greatest advance in system security in over a decade that system security in over a decade that you’ve never heard ofyou’ve never heard of
Less simply: It provides non-executable Less simply: It provides non-executable memory pages and full address space memory pages and full address space layout randomization (ASLR) for a wide layout randomization (ASLR) for a wide variety of architectures.variety of architectures.
– – Brad “grears” SpenglerBrad “grears” Spengler
![Page 6: Software Defense Mechanisms: PaX and the future past continuous.](https://reader035.fdocuments.us/reader035/viewer/2022062407/56649e935503460f94b98ac6/html5/thumbnails/6.jpg)
What is PaX?What is PaX?
Linux kernel patchLinux kernel patch Free-software & open-source is good for Free-software & open-source is good for
the general researcherthe general researcher Universal solutions: concepts easily Universal solutions: concepts easily
extentend to any modern platformextentend to any modern platform
![Page 7: Software Defense Mechanisms: PaX and the future past continuous.](https://reader035.fdocuments.us/reader035/viewer/2022062407/56649e935503460f94b98ac6/html5/thumbnails/7.jpg)
Why is PaX?Why is PaX?
Given a vector:Given a vector: Payload (code/data) injectionPayload (code/data) injection Context (memory/registers/etc.) Context (memory/registers/etc.)
manipulationmanipulation Intentional Control Flow modificationIntentional Control Flow modification
![Page 8: Software Defense Mechanisms: PaX and the future past continuous.](https://reader035.fdocuments.us/reader035/viewer/2022062407/56649e935503460f94b98ac6/html5/thumbnails/8.jpg)
OutlineOutline
PaXPaX SEGMEXECSEGMEXEC PAGEEXECPAGEEXEC KERNEXECKERNEXEC ASLRASLR
RANDMMAPRANDMMAP RANDKSTACKRANDKSTACK PIEPIE
UDEREFUDEREF
![Page 9: Software Defense Mechanisms: PaX and the future past continuous.](https://reader035.fdocuments.us/reader035/viewer/2022062407/56649e935503460f94b98ac6/html5/thumbnails/9.jpg)
Outline (cont.)Outline (cont.)
PaX’ FactsPaX’ Facts Past ContinuousPast Continuous
Control Flow VerificationControl Flow Verification KERNSEAL KERNSEAL
![Page 10: Software Defense Mechanisms: PaX and the future past continuous.](https://reader035.fdocuments.us/reader035/viewer/2022062407/56649e935503460f94b98ac6/html5/thumbnails/10.jpg)
PaX - SEGMEXECPaX - SEGMEXEC
SEGMEXEC is PaX’s implementation SEGMEXEC is PaX’s implementation of per-page non-executable user of per-page non-executable user pages using the segmentation logic pages using the segmentation logic of IA-32 (Intel x86 architecture) and of IA-32 (Intel x86 architecture) and virtual memory area mirroring virtual memory area mirroring (developed by PaX).(developed by PaX).
![Page 11: Software Defense Mechanisms: PaX and the future past continuous.](https://reader035.fdocuments.us/reader035/viewer/2022062407/56649e935503460f94b98ac6/html5/thumbnails/11.jpg)
PaX – SEGMEXEC (cont.)PaX – SEGMEXEC (cont.)
The segmentation logic is fairly The segmentation logic is fairly straightforward:straightforward: Data Segment (DS)Data Segment (DS) Code Segment (CS)Code Segment (CS)
There exist these two segments for user pages There exist these two segments for user pages as well as kernel pages.as well as kernel pages.
PaX splits the address space down the middle: PaX splits the address space down the middle: the bottom half for data, the top for code.the bottom half for data, the top for code.
Segmentation is a “window” into the address Segmentation is a “window” into the address spacespace
No performance hitNo performance hit
![Page 12: Software Defense Mechanisms: PaX and the future past continuous.](https://reader035.fdocuments.us/reader035/viewer/2022062407/56649e935503460f94b98ac6/html5/thumbnails/12.jpg)
PaX – SEGMEXEC (cont.)PaX – SEGMEXEC (cont.)
UserCode & Data
Segments
3GB
Without SEGMEXEC
UserCode
Segment
1.5GB
UserData
Segment
1.5GB
With SEGMEXEC
![Page 13: Software Defense Mechanisms: PaX and the future past continuous.](https://reader035.fdocuments.us/reader035/viewer/2022062407/56649e935503460f94b98ac6/html5/thumbnails/13.jpg)
PaX – SEGMEXEC (cont.)PaX – SEGMEXEC (cont.)
PaX’s VMA mirroring involves duplicating PaX’s VMA mirroring involves duplicating every executable page in the lower half every executable page in the lower half of the address space into the upper half.of the address space into the upper half.
Instruction fetch attempts at addresses Instruction fetch attempts at addresses located in the data segment that don’t located in the data segment that don’t have any code located at its mirrored have any code located at its mirrored address will cause a page fault. PaX address will cause a page fault. PaX handles this page fault and kills the task.handles this page fault and kills the task.
![Page 14: Software Defense Mechanisms: PaX and the future past continuous.](https://reader035.fdocuments.us/reader035/viewer/2022062407/56649e935503460f94b98ac6/html5/thumbnails/14.jpg)
PaX – SEGMEXEC (cont.)PaX – SEGMEXEC (cont.)
08048000-0804c000 r-xp /home/bradly/cat0804c000-0804d000 rw-p /home/bradly/cat0804d000-08079000 rw-p 20000000-20014000 r-xp /lib/ld-2.3.2.so20014000-20015000 rw-p /lib/ld-2.3.2.so20015000-20016000 rw-p 2001e000-20145000 r-xp /lib/libc-2.3.2.so20145000-2014a000 rw-p /lib/libc-2.3.2.so2014a000-2014c000 rw-p 2014c000-202d1000 r--p /usr/lib/locale/locale-archive5ffff000-60000000 rw-p 68048000-6804c000 r-xp /home/bradly/cat80000000-80014000 r-xp /lib/ld-2.3.2.so8001e000-80145000 r-xp /lib/libc-2.3.2.so
08048000-0804c000 r-xp /home/bradly/cat0804c000-0804d000 rw-p /home/bradly/cat0804d000-08073000 rw-p 40000000-40014000 r-xp /lib/ld-2.3.2.so40014000-40015000 rw-p /lib/ld-2.3.2.so40015000-40016000 rw-p 4001e000-40145000 r-xp /lib/libc-2.3.2.so40145000-4014a000 rw-p /lib/libc-2.3.2.so4014a000-4014c000 rw-p 4014c000-402d1000 r--p /usr/lib/locale/locale-archivebfffe000-c0000000 rw-p
Without SEGMEXEC
With SEGMEXEC
![Page 15: Software Defense Mechanisms: PaX and the future past continuous.](https://reader035.fdocuments.us/reader035/viewer/2022062407/56649e935503460f94b98ac6/html5/thumbnails/15.jpg)
PaX – SEGMEXEC (cont.)PaX – SEGMEXEC (cont.)
Instruction fetch attempt at 0x08049000
Segmentation logic translates 0x08049000 into 0x68049000
Does 0x68049000 belong to any mapping?
Success
Violation, process is terminated
YES
NO
![Page 16: Software Defense Mechanisms: PaX and the future past continuous.](https://reader035.fdocuments.us/reader035/viewer/2022062407/56649e935503460f94b98ac6/html5/thumbnails/16.jpg)
PaX - PAGEEXECPaX - PAGEEXEC
PAGEEXEC was PaX’s first implementation PAGEEXEC was PaX’s first implementation of non-executable pages.of non-executable pages.
Because of SEGMEXEC, it’s not used Because of SEGMEXEC, it’s not used anymore on x86 (so I won’t discuss the anymore on x86 (so I won’t discuss the implementation).implementation).
Platforms which support the executable bit Platforms which support the executable bit in hardware are implemented under in hardware are implemented under PAGEEXEC (currently alpha, ppc, parisc, PAGEEXEC (currently alpha, ppc, parisc, sparc, sparc64, amd64, and ia64)sparc, sparc64, amd64, and ia64)
![Page 17: Software Defense Mechanisms: PaX and the future past continuous.](https://reader035.fdocuments.us/reader035/viewer/2022062407/56649e935503460f94b98ac6/html5/thumbnails/17.jpg)
PaX - KERNEXECPaX - KERNEXEC
KERNEXEC is PaX’s implementation of KERNEXEC is PaX’s implementation of proper page protection in the kernelproper page protection in the kernel ‘‘const’ finally means read only in the kernelconst’ finally means read only in the kernel Read-only system call tableRead-only system call table Read-only interrupt descriptor table (IDT)Read-only interrupt descriptor table (IDT) Read-only global descriptor table (GDT)Read-only global descriptor table (GDT) Data is non-executableData is non-executable Uses the same concept of segmentation as Uses the same concept of segmentation as
SEGMEXEC SEGMEXEC Cannot co-exist with module support (currently)Cannot co-exist with module support (currently)
![Page 18: Software Defense Mechanisms: PaX and the future past continuous.](https://reader035.fdocuments.us/reader035/viewer/2022062407/56649e935503460f94b98ac6/html5/thumbnails/18.jpg)
PaX - ASLRPaX - ASLR
Full ASLR randomizes the locations of Full ASLR randomizes the locations of the following memory objects:the following memory objects: Executable imageExecutable image Brk-managed heapBrk-managed heap Library imagesLibrary images Mmap-managed heapMmap-managed heap User space stackUser space stack Kernel space stackKernel space stack
![Page 19: Software Defense Mechanisms: PaX and the future past continuous.](https://reader035.fdocuments.us/reader035/viewer/2022062407/56649e935503460f94b98ac6/html5/thumbnails/19.jpg)
PaX – ASLR (cont.)PaX – ASLR (cont.)
Notes on amount of randomization:Notes on amount of randomization: The following values are for 32bit architectures. The following values are for 32bit architectures.
They are larger on 64bit architectures, though They are larger on 64bit architectures, though not twice as large (since they generally don’t not twice as large (since they generally don’t use 64 bits for the address space).use 64 bits for the address space).
Stack – 24 bits (28 bits for argument/environment Stack – 24 bits (28 bits for argument/environment pages)pages)
Mmap – 16 bitsMmap – 16 bits Executable – 16 bitsExecutable – 16 bits Heap – 12 bits (or 24 bits if executable is randomized Heap – 12 bits (or 24 bits if executable is randomized
also)also)
![Page 20: Software Defense Mechanisms: PaX and the future past continuous.](https://reader035.fdocuments.us/reader035/viewer/2022062407/56649e935503460f94b98ac6/html5/thumbnails/20.jpg)
PaX – ASLR (cont.)PaX – ASLR (cont.)
The randomizations applied to each memory The randomizations applied to each memory region are independent of each otherregion are independent of each other Because PaX guarantees no arbitrary code Because PaX guarantees no arbitrary code
execution, exploits will most likely need to execution, exploits will most likely need to access different memory regions.access different memory regions.
So, if the exploit needs access to libraries and So, if the exploit needs access to libraries and the stack, the bits that must be guessed are the the stack, the bits that must be guessed are the sum of the two regions: 40 bits (or 44). The sum of the two regions: 40 bits (or 44). The chance of such an attack succeeding while chance of such an attack succeeding while depending on hard coded addresses is depending on hard coded addresses is effectively zero.effectively zero.
![Page 21: Software Defense Mechanisms: PaX and the future past continuous.](https://reader035.fdocuments.us/reader035/viewer/2022062407/56649e935503460f94b98ac6/html5/thumbnails/21.jpg)
PaX – ASLR (cont.)PaX – ASLR (cont.)08048000-0804c000 r-xp /home/bradly/cat0804c000-0804d000 rw-p /home/bradly/cat0804d000-08078000 rw-p 4edaa000-4edbe000 r-xp /lib/ld-2.3.2.so4edbe000-4edbf000 rw-p /lib/ld-2.3.2.so4edbf000-4edc0000 rw-p 4edc8000-4eeef000 r-xp /lib/libc-2.3.2.so4eeef000-4eef4000 rw-p /lib/libc-2.3.2.so4eef4000-4eef6000 rw-p4eef6000-4f07b000 r--p /usr/lib/locale/locale-archivebf3dc000-bf3dd000 rw-p
08048000-0804c000 r-xp /home/bradly/cat0804c000-0804d000 rw-p /home/bradly/cat0804d000-08070000 rw-p43d8c000-43da0000 r-xp /lib/ld-2.3.2.so43da0000-43da1000 rw-p /lib/ld-2.3.2.so43da1000-43da2000 rw-p43daa000-43ed1000 r-xp /lib/libc-2.3.2.so43ed1000-43ed6000 rw-p /lib/libc-2.3.2.so43ed6000-43ed8000 rw-p43ed8000-4405d000 r--p /usr/lib/locale/locale-archiveb54f9000-b54fa000 rw-p
Two runs of a binary with stack, mmap, and heap randomization
![Page 22: Software Defense Mechanisms: PaX and the future past continuous.](https://reader035.fdocuments.us/reader035/viewer/2022062407/56649e935503460f94b98ac6/html5/thumbnails/22.jpg)
PaX – ASLR (cont.)PaX – ASLR (cont.)
RANDKSTACKRANDKSTACK Randomizes the kernel’s stackRandomizes the kernel’s stack Randomized on each system call, so Randomized on each system call, so
info-leaking the randomization is uselessinfo-leaking the randomization is useless Randomizes 5 bits of the stack. Brute Randomizes 5 bits of the stack. Brute
forcing generally shouldn’t be possible, forcing generally shouldn’t be possible, as each attempt will most likely crash as each attempt will most likely crash the kernel.the kernel.
![Page 23: Software Defense Mechanisms: PaX and the future past continuous.](https://reader035.fdocuments.us/reader035/viewer/2022062407/56649e935503460f94b98ac6/html5/thumbnails/23.jpg)
PaX – ASLR (cont.)PaX – ASLR (cont.)
PIEPIE Special type of ELF binary (the same used for Special type of ELF binary (the same used for
shared libraries)shared libraries) Position independent code (PIC)Position independent code (PIC) Allows for relocation of the binary at a random Allows for relocation of the binary at a random
locationlocation Needed to achieve Full ASLRNeeded to achieve Full ASLR Requires a recompile and re-link of applicationsRequires a recompile and re-link of applications
![Page 24: Software Defense Mechanisms: PaX and the future past continuous.](https://reader035.fdocuments.us/reader035/viewer/2022062407/56649e935503460f94b98ac6/html5/thumbnails/24.jpg)
PaX – Dangling PointersPaX – Dangling Pointers
““Dangling pointers and wild pointers Dangling pointers and wild pointers in computer programming are in computer programming are pointers that do not point to a valid pointers that do not point to a valid object of the appropriate type, or to object of the appropriate type, or to a distinguished null pointer value in a distinguished null pointer value in languages which support this”languages which support this”
WikipediaWikipedia
![Page 25: Software Defense Mechanisms: PaX and the future past continuous.](https://reader035.fdocuments.us/reader035/viewer/2022062407/56649e935503460f94b98ac6/html5/thumbnails/25.jpg)
PaX – Dangling Pointers PaX – Dangling Pointers (cont.)(cont.)
Most i386 OSs don't separate the Most i386 OSs don't separate the userland virtual address space from userland virtual address space from that of the kernel. that of the kernel.
Linux 2.6 has per-cpu GDTs; LDTs are Linux 2.6 has per-cpu GDTs; LDTs are untoucheduntouched
BSDs creates flat per-process LDTsBSDs creates flat per-process LDTs Windows creates flat per-process LDTsWindows creates flat per-process LDTs
![Page 26: Software Defense Mechanisms: PaX and the future past continuous.](https://reader035.fdocuments.us/reader035/viewer/2022062407/56649e935503460f94b98ac6/html5/thumbnails/26.jpg)
PaX – Dangling Pointers PaX – Dangling Pointers (cont.)(cont.)
Thence, whenever userland can make Thence, whenever userland can make the kernel (unexpectedly) dereference the kernel (unexpectedly) dereference a pointer within its range of control, it a pointer within its range of control, it holds ability to controlling the data holds ability to controlling the data (and, possibly, code) flow of the kernel (and, possibly, code) flow of the kernel by virtue of providing the attack by virtue of providing the attack elements in its own address space.elements in its own address space.
Real-life [4]Real-life [4]
![Page 27: Software Defense Mechanisms: PaX and the future past continuous.](https://reader035.fdocuments.us/reader035/viewer/2022062407/56649e935503460f94b98ac6/html5/thumbnails/27.jpg)
PaX – UDEREFPaX – UDEREF
Kernel & UserSegments
4GB
Without UDEREFKernel
Segments
1GB
UserSegments
3GB
With UDEREF
![Page 28: Software Defense Mechanisms: PaX and the future past continuous.](https://reader035.fdocuments.us/reader035/viewer/2022062407/56649e935503460f94b98ac6/html5/thumbnails/28.jpg)
PaX – UDEREF (cont.)PaX – UDEREF (cont.)
Segment selectors are properly setSegment selectors are properly set Few modifications are done Few modifications are done
regarding user/kernel, kernel/kernel regarding user/kernel, kernel/kernel system callssystem calls
![Page 29: Software Defense Mechanisms: PaX and the future past continuous.](https://reader035.fdocuments.us/reader035/viewer/2022062407/56649e935503460f94b98ac6/html5/thumbnails/29.jpg)
FactsFacts
PaXPaX 24/28 bit stack 24/28 bit stack
randomizationrandomization 16 bit mmap 16 bit mmap
randomizationrandomization Completely Completely
implemented in the implemented in the kernel. Can be kernel. Can be implemented implemented transparently and retain transparently and retain binary compatibility binary compatibility with all distributions.with all distributions.
![Page 30: Software Defense Mechanisms: PaX and the future past continuous.](https://reader035.fdocuments.us/reader035/viewer/2022062407/56649e935503460f94b98ac6/html5/thumbnails/30.jpg)
Facts (cont.)Facts (cont.)
PaXPaX Cuts usable address Cuts usable address
space in half (though space in half (though this can be changed if it this can be changed if it becomes a problem)becomes a problem)
Support for non-Support for non-executable and read-executable and read-only kernel pages on only kernel pages on i386i386
![Page 31: Software Defense Mechanisms: PaX and the future past continuous.](https://reader035.fdocuments.us/reader035/viewer/2022062407/56649e935503460f94b98ac6/html5/thumbnails/31.jpg)
PaXPaX Per-system call kernel Per-system call kernel
stack randomizationstack randomization Brk-managed heap Brk-managed heap
randomizationrandomization Ability to enable/disable Ability to enable/disable
all features on a per all features on a per binary basisbinary basis
Annihilates the Annihilates the possibility of exploiting possibility of exploiting kernel dereferencing kernel dereferencing pointer vulnerabilitiespointer vulnerabilities
Facts (cont.)Facts (cont.)
![Page 32: Software Defense Mechanisms: PaX and the future past continuous.](https://reader035.fdocuments.us/reader035/viewer/2022062407/56649e935503460f94b98ac6/html5/thumbnails/32.jpg)
PaXPaX Supports the same user Supports the same user
space features on i386, space features on i386, alpha, ppc, parisc, alpha, ppc, parisc, sparc, sparc64, amd64, sparc, sparc64, amd64, and ia64and ia64
Supports a per-page Supports a per-page implementation of non-implementation of non-executable pages on executable pages on ppcppc
Facts (cont.)Facts (cont.)
![Page 33: Software Defense Mechanisms: PaX and the future past continuous.](https://reader035.fdocuments.us/reader035/viewer/2022062407/56649e935503460f94b98ac6/html5/thumbnails/33.jpg)
PaX – Past ContinuousPaX – Past Continuous
Control Flow VerificationControl Flow Verification Basic blocksBasic blocks
A basic block is a sequence of statements A basic block is a sequence of statements that is always entered at the beginning and that is always entered at the beginning and exited at the end, that is:exited at the end, that is:
The first statement is a LABELThe first statement is a LABEL The last statement is a JUMP or a CJUMPThe last statement is a JUMP or a CJUMP There are no other LABELs, JUMPs, or JUMPsThere are no other LABELs, JUMPs, or JUMPs
APPEL, Andrew W.; APPEL, Andrew W.; Modern Compiler Implementation in ML- Modern Compiler Implementation in ML- 2004. p. 2004. p. 180180
![Page 34: Software Defense Mechanisms: PaX and the future past continuous.](https://reader035.fdocuments.us/reader035/viewer/2022062407/56649e935503460f94b98ac6/html5/thumbnails/34.jpg)
PaX – Past ContinuousPaX – Past Continuous
Control Flow VerificationControl Flow Verification Control Flow Graph (CFG)Control Flow Graph (CFG)
““In computer science, a control flow graph In computer science, a control flow graph (CFG) is a representation, using graph (CFG) is a representation, using graph notation, of all paths that might be traversed notation, of all paths that might be traversed through a program during its execution. through a program during its execution. Each node in the graph represents a basic Each node in the graph represents a basic block, block, (…)”(…)”
WikipediaWikipedia
![Page 35: Software Defense Mechanisms: PaX and the future past continuous.](https://reader035.fdocuments.us/reader035/viewer/2022062407/56649e935503460f94b98ac6/html5/thumbnails/35.jpg)
PaX – Past ContinuousPaX – Past Continuous
Control Flow VerificationControl Flow Verification
![Page 36: Software Defense Mechanisms: PaX and the future past continuous.](https://reader035.fdocuments.us/reader035/viewer/2022062407/56649e935503460f94b98ac6/html5/thumbnails/36.jpg)
PaX – Past ContinuousPaX – Past Continuous
Control Flow VerificationControl Flow Verification Call graphsCall graphs
““A call graph (also known as a call A call graph (also known as a call multigraph) is a directed graph that multigraph) is a directed graph that represents calling relationship among represents calling relationship among subroutines in a computer programsubroutines in a computer program””
WikipediaWikipedia
![Page 37: Software Defense Mechanisms: PaX and the future past continuous.](https://reader035.fdocuments.us/reader035/viewer/2022062407/56649e935503460f94b98ac6/html5/thumbnails/37.jpg)
PaX – Past ContinuousPaX – Past Continuous
Control Flow VerificationControl Flow Verification
![Page 38: Software Defense Mechanisms: PaX and the future past continuous.](https://reader035.fdocuments.us/reader035/viewer/2022062407/56649e935503460f94b98ac6/html5/thumbnails/38.jpg)
PaX – Past ContinuousPaX – Past Continuous
Control Flow VerificationControl Flow Verification Static analysisStatic analysis
Build call graph for program Build call graph for program PP Build set Build set SS of callers of callers Build set Build set Q Q of calleesof callees Build set Build set RR of relationships between of relationships between S S and and QQ, ,
creating creating magicmagic value for each value for each
![Page 39: Software Defense Mechanisms: PaX and the future past continuous.](https://reader035.fdocuments.us/reader035/viewer/2022062407/56649e935503460f94b98ac6/html5/thumbnails/39.jpg)
PaX – Past ContinuousPaX – Past Continuous
Control Flow VerificationControl Flow Verification Code generationCode generation
Create proper prologues for every member Create proper prologues for every member of of SS
Create proper epilogues for every member Create proper epilogues for every member of of QQ
Magic ValuesMagic Values Hard to predict by exhaustive search values Hard to predict by exhaustive search values
kept within safe memory regions, they are kept within safe memory regions, they are verified in run-timeverified in run-time
![Page 40: Software Defense Mechanisms: PaX and the future past continuous.](https://reader035.fdocuments.us/reader035/viewer/2022062407/56649e935503460f94b98ac6/html5/thumbnails/40.jpg)
PaX – Past ContinuousPaX – Past Continuous
Control Flow VerificationControl Flow Verificationcalleecalleeepilogue:epilogue: mov register,[esp]mov register,[esp]
cmp [register+1],MAGICcmp [register+1],MAGICjnz .1jnz .1retnretn
.1: jmp esp.1: jmp esp
caller:caller:call calleecall calleetest eax,MAGICtest eax,MAGIC
![Page 41: Software Defense Mechanisms: PaX and the future past continuous.](https://reader035.fdocuments.us/reader035/viewer/2022062407/56649e935503460f94b98ac6/html5/thumbnails/41.jpg)
PaX – Past ContinuousPaX – Past Continuous
Control Flow Verification: Control Flow Verification: NondeterminismNondeterminism Branch tables: run-time environmentBranch tables: run-time environment OO virtual methods and function OO virtual methods and function
pointerspointers
![Page 42: Software Defense Mechanisms: PaX and the future past continuous.](https://reader035.fdocuments.us/reader035/viewer/2022062407/56649e935503460f94b98ac6/html5/thumbnails/42.jpg)
PaX – Past ContinuousPaX – Past Continuous
Control Flow VerificationControl Flow Verification
GOT entriesGOT entries Made read-only by tweaking the static and the Made read-only by tweaking the static and the
dynamic linkerdynamic linker .ctors/.dtors.ctors/.dtors
Made read-only by modifying the link-editor scriptMade read-only by modifying the link-editor script
![Page 43: Software Defense Mechanisms: PaX and the future past continuous.](https://reader035.fdocuments.us/reader035/viewer/2022062407/56649e935503460f94b98ac6/html5/thumbnails/43.jpg)
PaX – Past ContinuousPaX – Past Continuous
Control Flow VerificationControl Flow Verification
Are of a dynamic natureAre of a dynamic nature atexit() handlersatexit() handlers malloc() callbacksmalloc() callbacks linuxthread callbacks (atfork() handlers)linuxthread callbacks (atfork() handlers)
![Page 44: Software Defense Mechanisms: PaX and the future past continuous.](https://reader035.fdocuments.us/reader035/viewer/2022062407/56649e935503460f94b98ac6/html5/thumbnails/44.jpg)
PaX – Past Continuous PaX – Past Continuous (cont.)(cont.)
Control Flow Verification: ResultsControl Flow Verification: Results Breaks my attack [3] – Breaks my attack [3] – brief brief
explanation? explanation? – and anything that rely on – and anything that rely on the following premissesthe following premisses
execute existing code out of original execute existing code out of original program orderprogram order
execute existing code in original program execute existing code in original program order with arbitrary dataorder with arbitrary data
![Page 45: Software Defense Mechanisms: PaX and the future past continuous.](https://reader035.fdocuments.us/reader035/viewer/2022062407/56649e935503460f94b98ac6/html5/thumbnails/45.jpg)
PaX – Past Continuous PaX – Past Continuous (cont.)(cont.)
Control Flow Verification: ResultsControl Flow Verification: Results Opens a wide range of possibilities for Opens a wide range of possibilities for
improving systemic securityimproving systemic security Call graph trust relationship ensures that (in Call graph trust relationship ensures that (in
most cases) all control flow (including intra-most cases) all control flow (including intra-procedural) can’t be broken with a very low procedural) can’t be broken with a very low performance impactperformance impact
Call graph trust relationship allows data Call graph trust relationship allows data integrity verification (KERNSEAL)integrity verification (KERNSEAL)
![Page 46: Software Defense Mechanisms: PaX and the future past continuous.](https://reader035.fdocuments.us/reader035/viewer/2022062407/56649e935503460f94b98ac6/html5/thumbnails/46.jpg)
PaX – Past ContinuousPaX – Past Continuous
KERNSEALKERNSEAL Liveness AnalysisLiveness Analysis
““We say a variable is We say a variable is livelive if it holds a value if it holds a value that may be needed in the future, so this that may be needed in the future, so this analysis is called analysis is called livenessliveness analysis”analysis”
APPEL, Andrew W.; APPEL, Andrew W.; Modern Compiler Implementation in ML- Modern Compiler Implementation in ML- 2004. p. 2004. p. 211211
![Page 47: Software Defense Mechanisms: PaX and the future past continuous.](https://reader035.fdocuments.us/reader035/viewer/2022062407/56649e935503460f94b98ac6/html5/thumbnails/47.jpg)
PaX – Past ContinuousPaX – Past Continuous
KERNSEALKERNSEAL The set of live variables at line L2 is {b, The set of live variables at line L2 is {b,
c}, but the set of live variables at line L1 c}, but the set of live variables at line L1 is only {b} since variable c is updated in is only {b} since variable c is updated in line 2. The value of variable a is never line 2. The value of variable a is never used, so the variable is never live.used, so the variable is never live.
L1: b := 3;L2: c := 5;L3: a := b + c;goto L1;
![Page 48: Software Defense Mechanisms: PaX and the future past continuous.](https://reader035.fdocuments.us/reader035/viewer/2022062407/56649e935503460f94b98ac6/html5/thumbnails/48.jpg)
PaX – Past ContinuousPaX – Past Continuous
KERNSEALKERNSEAL Liveness Analysis: Dataflow equationsLiveness Analysis: Dataflow equations
““Liveness of variables ‘flows’ around the Liveness of variables ‘flows’ around the edges of the control-flow graph; determining edges of the control-flow graph; determining the live range of each variable is na the live range of each variable is na example of a example of a dataflow dataflow problem”problem”
APPEL, Andrew W.; APPEL, Andrew W.; Modern Compiler Implementation in ML- Modern Compiler Implementation in ML- 2004. p. 2004. p. 213213
![Page 49: Software Defense Mechanisms: PaX and the future past continuous.](https://reader035.fdocuments.us/reader035/viewer/2022062407/56649e935503460f94b98ac6/html5/thumbnails/49.jpg)
PaX – Past ContinuousPaX – Past Continuous
KERNSEALKERNSEAL Liveness Analysis: TerminologyLiveness Analysis: Terminology
Out-edgesOut-edges: nodes leading to successor nodes: nodes leading to successor nodes In-edges: In-edges: nodes coming from predecesor nodes coming from predecesor
nodesnodes
predpred[n], holding the set of predecessors of [n], holding the set of predecessors of node node nn
succsucc[n], holding the set of successors of node [n], holding the set of successors of node nn
![Page 50: Software Defense Mechanisms: PaX and the future past continuous.](https://reader035.fdocuments.us/reader035/viewer/2022062407/56649e935503460f94b98ac6/html5/thumbnails/50.jpg)
PaX – Past ContinuousPaX – Past Continuous
KERNSEALKERNSEAL Liveness Analysis: TerminologyLiveness Analysis: Terminology
UsesUses: the set of variables : the set of variables in usein use at a given at a given nodenode
Defs:Defs: the set of variables the set of variables assigned assigned at a at a given nodegiven node
![Page 51: Software Defense Mechanisms: PaX and the future past continuous.](https://reader035.fdocuments.us/reader035/viewer/2022062407/56649e935503460f94b98ac6/html5/thumbnails/51.jpg)
PaX – Past ContinuousPaX – Past Continuous
KERNSEALKERNSEAL Liveness Analysis: TerminologyLiveness Analysis: Terminology
LivenessLiveness: “: “A variable is A variable is livelive on an edge if there on an edge if there is a directed path from tha edge to a is a directed path from tha edge to a useuse of of the variable that does not go through any the variable that does not go through any defdef. . A variable is A variable is live-inlive-in at a node if it is live on any at a node if it is live on any of the in-edges of that node; it is of the in-edges of that node; it is live-outlive-out at a at a node if it is live on any of the out-edges of the node if it is live on any of the out-edges of the node.”node.”
APPEL, Andrew W.; APPEL, Andrew W.; Modern Compiler Implementation in ML- Modern Compiler Implementation in ML- 2004. p. 2132004. p. 213
![Page 52: Software Defense Mechanisms: PaX and the future past continuous.](https://reader035.fdocuments.us/reader035/viewer/2022062407/56649e935503460f94b98ac6/html5/thumbnails/52.jpg)
PaX – Past ContinuousPaX – Past Continuous
KERNSEALKERNSEAL Liveness Analysis: Liveness Analysis:
The dataflow equations used for a given basic The dataflow equations used for a given basic block s and exiting block block s and exiting block ff in live variable analysis in live variable analysis
WikipediaWikipedia
![Page 53: Software Defense Mechanisms: PaX and the future past continuous.](https://reader035.fdocuments.us/reader035/viewer/2022062407/56649e935503460f94b98ac6/html5/thumbnails/53.jpg)
PaX – Past ContinuousPaX – Past Continuous
KERNSEALKERNSEAL Liveness AnalysisLiveness Analysis
Allows access control of specific code Allows access control of specific code procedures – known procedures – known a priori a priori – towards– towards sensitive data (kernel data)sensitive data (kernel data)
Process structuresProcess structures Object CredentialsObject Credentials Kernel Function PointersKernel Function Pointers And othersAnd others
![Page 54: Software Defense Mechanisms: PaX and the future past continuous.](https://reader035.fdocuments.us/reader035/viewer/2022062407/56649e935503460f94b98ac6/html5/thumbnails/54.jpg)
PaX – Past ContinuousPaX – Past Continuous
KERNSEALKERNSEAL DesignDesign
Unreadablememory pages
Read-onlymemory pages
Read-writememory pages
![Page 55: Software Defense Mechanisms: PaX and the future past continuous.](https://reader035.fdocuments.us/reader035/viewer/2022062407/56649e935503460f94b98ac6/html5/thumbnails/55.jpg)
PaX – Past ContinuousPaX – Past Continuous
KERNSEALKERNSEAL Example: Example: protect user credentials infoprotect user credentials info
Perform liveness analysis for deriving Perform liveness analysis for deriving specific code blocks that may have legit specific code blocks that may have legit read/write access to itread/write access to it
Set memory properties holding the data Set memory properties holding the data structures to read-onlystructures to read-only
Embed (through instrumentation) Embed (through instrumentation) write-key write-key procedure to allowing legit code to access procedure to allowing legit code to access the structurethe structure
![Page 56: Software Defense Mechanisms: PaX and the future past continuous.](https://reader035.fdocuments.us/reader035/viewer/2022062407/56649e935503460f94b98ac6/html5/thumbnails/56.jpg)
PaX – Past ContinuousPaX – Past Continuous
KERNSEALKERNSEAL ResultsResults
Strengthen of Trusted Computing Base Strengthen of Trusted Computing Base (TCB)(TCB)
Defense in Depth: even if compromised, Defense in Depth: even if compromised, kernel operations towards sensitive memory kernel operations towards sensitive memory areas are restricted by natureareas are restricted by nature
Provides strong trust-relationship Provides strong trust-relationship infrastructure to creating several other infrastructure to creating several other protection mechanisms in different layers of protection mechanisms in different layers of the kernel as well as of the user spacethe kernel as well as of the user space
![Page 58: Software Defense Mechanisms: PaX and the future past continuous.](https://reader035.fdocuments.us/reader035/viewer/2022062407/56649e935503460f94b98ac6/html5/thumbnails/58.jpg)
ReferencesReferences
[1] [1] http://pax.grsecurity.net [2] [2] http://www.phrack.org/issues.html?issue=63&id=4 [3] [3]
http://assumpcao.org/content/publications/Breaking_PaX_ASLR.ppt [4] [4]
http://lists.immunitysec.com/pipermail/dailydave/2007-March/004133.html