The Experts below are selected from a list of 45 Experts worldwide ranked by ideXlab platform
Vasileios P. Kemerlis - One of the best experts on this subject based on the ideXlab platform.
-
EuroSys - kR^X: Comprehensive Kernel Protection against Just-In-Time Code Reuse
Proceedings of the Twelfth European Conference on Computer Systems, 2017Co-Authors: Marios Pomonis, Angelos D. Keromytis, Michalis Polychronakis, Theofilos Petsios, Vasileios P. KemerlisAbstract:The abundance of memory corruption and disclosure vulnerabilities in Kernel code necessitates the deployment of hardening techniques to prevent privilege escalation attacks. As more strict memory isolation mechanisms between the Kernel and user space, like Intel's SMEP, become commonplace, attackers increasingly rely on code reuse techniques to exploit Kernel vulnerabilities. Contrary to similar attacks in more restrictive settings, such as web browsers, in Kernel Exploitation, non-privileged local adversaries have great flexibility in abusing memory disclosure vulnerabilities to dynamically discover, or infer, the location of certain code snippets and construct code-reuse payloads. Recent studies have shown that the coupling of code diversification with the enforcement of a "read XOR execute" (R^X) memory safety policy is an effective defense against the Exploitation of userland software, but so far this approach has not been applied for the protection of the Kernel itself. In this paper, we fill this gap by presenting kR^X: a Kernel hardening scheme based on execute-only memory and code diversification. We study a previously unexplored point in the design space, where a hypervisor or a super-privileged component is not required. Implemented mostly as a set of GCC plugins, kR^X is readily applicable to the x86-64 Linux Kernel and can benefit from hardware support (e.g., MPX on modern Intel CPUs) to optimize performance. In full protection mode, kR^X incurs a low runtime overhead of 4.04%, which drops to 2.32% when MPX is available.
-
kr x comprehensive Kernel protection against just in time code reuse
European Conference on Computer Systems, 2017Co-Authors: Marios Pomonis, Angelos D. Keromytis, Michalis Polychronakis, Theofilos Petsios, Vasileios P. KemerlisAbstract:The abundance of memory corruption and disclosure vulnerabilities in Kernel code necessitates the deployment of hardening techniques to prevent privilege escalation attacks. As more strict memory isolation mechanisms between the Kernel and user space, like Intel's SMEP, become commonplace, attackers increasingly rely on code reuse techniques to exploit Kernel vulnerabilities. Contrary to similar attacks in more restrictive settings, such as web browsers, in Kernel Exploitation, non-privileged local adversaries have great flexibility in abusing memory disclosure vulnerabilities to dynamically discover, or infer, the location of certain code snippets and construct code-reuse payloads. Recent studies have shown that the coupling of code diversification with the enforcement of a "read XOR execute" (R^X) memory safety policy is an effective defense against the Exploitation of userland software, but so far this approach has not been applied for the protection of the Kernel itself. In this paper, we fill this gap by presenting kR^X: a Kernel hardening scheme based on execute-only memory and code diversification. We study a previously unexplored point in the design space, where a hypervisor or a super-privileged component is not required. Implemented mostly as a set of GCC plugins, kR^X is readily applicable to the x86-64 Linux Kernel and can benefit from hardware support (e.g., MPX on modern Intel CPUs) to optimize performance. In full protection mode, kR^X incurs a low runtime overhead of 4.04%, which drops to 2.32% when MPX is available.
-
Protecting Commodity Operating Systems through Strong Kernel Isolation
2015Co-Authors: Vasileios P. KemerlisAbstract:Protecting Commodity Operating Systems through Strong Kernel Isolation Vasileios P. Kemerlis Today’s operating systems are large, complex, and plagued with vulnerabilities that allow perpetrators to exploit them for profit. The constant rise in the number of software weaknesses, coupled with the sophistication of modern adversaries, make the need for effective and adaptive defenses more critical than ever. In this dissertation, we develop a set of novel protection mechanisms, and introduce new concepts and techniques to secure commodity operating systems against attacks that exploit vulnerabilities in Kernel code. Modern OSes opt for a shared process/Kernel model to minimize the overhead of operations that cross protection domains. However, this design choice provides a unique vantage point to local attackers, as it allows them to control—both in terms of permissions and contents—part of the memory that is accessible by the Kernel, easily circumventing protections like Kernel-space ASLR and WˆX. Attacks that leverage the weak separation between user and Kernel space, characterized as return-to-user (ret2usr) attacks, have been the de facto Kernel Exploitation technique in virtually every major OS, while they are not limited to the x86 platform, but have also targeted ARM and others. Given the multi-OS and cross-architecture nature of ret2usr threats, we propose kGuard: a Kernel protection mechanism, realized as a cross-platform compiler extension, which can safeguard any 32or 64-bit OS Kernel from ret2usr attacks. kGuard enforces strong address space segregation by instrumenting exploitable control transfers with dynamic ControlFlow Assertions (CFAs). CFAs, a new confinement (inline monitoring) concept that we introduce, act as guards that prevent the unconstrained transition of privileged execution paths to user space. To thwart attacks against itself, kGuard also incorporates two novel code diversification techniques: code inflation and CFA motion. Both countermeasures randomize the location of the inline guards, creating a moving target for an attacker that tries to pinpoint their exact placement to evade kGuard. Evaluation results indicate that kGuard provides comprehensive ret2usr protection with negligible overhead (∼1%). Furthermore, we expose a set of additional Kernel design practices that trade stronger isolation for performance, all of which can be harnessed to deconstruct Kernel isolation. To demonstrate the significance of the problem, we introduce a new Kernel Exploitation technique, dubbed return-to-direct-mapped memory (ret2dir), which relies on inherent properties of the memory management (sub)system of modern OSes to bypass every ret2usr defense to date. To illustrate the effectiveness of ret2dir, we outline a principled methodology for constructing reliable exploits against hardened targets. We further apply it on real-world Kernel exploits for x86, x86-64, and ARM Linux, transforming them into ret2dir-equivalents that bypass deployed ret2usr protections, like Intel SMEP and ARM PXN. Finally, we introduce the concept of eXclusive Page Frame Ownership (XPFO): a memory management approach that prevents the implicit sharing of page frames among user processes and the Kernel, ensuring that user-controlled content can no longer be injected into Kernel space using ret2dir. We built XPFO on Linux and implemented a set of optimizations, related to TLB handling and page frame content sanitization, to minimize its performance penalty. Evaluation results show that our proposed defense offers effective protection against ret2dir attacks with low runtime overhead (
-
USENIX Security Symposium - ret2dir: rethinking Kernel isolation
2014Co-Authors: Vasileios P. Kemerlis, Michalis Polychronakis, Angelos D. KeromytisAbstract:Return-to-user (ret2usr) attacks redirect corrupted Kernel pointers to data residing in user space. In response, several Kernel-hardening approaches have been proposed to enforce a more strict address space separation, by preventing arbitrary control flow transfers and dereferences from Kernel to user space. Intel and ARM also recently introduced hardware support for this purpose in the form of the SMEP, SMAP, and PXN processor features. Unfortunately, although mechanisms like the above prevent the explicit sharing of the virtual address space among user processes and the Kernel, conditions of implicit sharing still exist due to fundamental design choices that trade stronger isolation for performance. In this work, we demonstrate how implicit page frame sharing can be leveraged for the complete circumvention of software and hardware Kernel isolation protections. We introduce a new Kernel Exploitation technique, called return-to-direct-mapped memory (ret2dir), which bypasses all existing ret2usr defenses, namely SMEP, SMAP, PXN, KERNEXEC, UDEREF, and kGuard. We also discuss techniques for constructing reliable ret2dir exploits against x86, x86-64, AArch32, and AArch64 Linux targets. Finally, to defend against ret2dir attacks, we present the design and implementation of an exclusive page frame ownership scheme for the Linux Kernel that prevents the implicit sharing of physical memory pages with minimal runtime overhead.
Marios Pomonis - One of the best experts on this subject based on the ideXlab platform.
-
kr x comprehensive Kernel protection against just in time code reuse
European Conference on Computer Systems, 2017Co-Authors: Marios Pomonis, Angelos D. Keromytis, Michalis Polychronakis, Theofilos Petsios, Vasileios P. KemerlisAbstract:The abundance of memory corruption and disclosure vulnerabilities in Kernel code necessitates the deployment of hardening techniques to prevent privilege escalation attacks. As more strict memory isolation mechanisms between the Kernel and user space, like Intel's SMEP, become commonplace, attackers increasingly rely on code reuse techniques to exploit Kernel vulnerabilities. Contrary to similar attacks in more restrictive settings, such as web browsers, in Kernel Exploitation, non-privileged local adversaries have great flexibility in abusing memory disclosure vulnerabilities to dynamically discover, or infer, the location of certain code snippets and construct code-reuse payloads. Recent studies have shown that the coupling of code diversification with the enforcement of a "read XOR execute" (R^X) memory safety policy is an effective defense against the Exploitation of userland software, but so far this approach has not been applied for the protection of the Kernel itself. In this paper, we fill this gap by presenting kR^X: a Kernel hardening scheme based on execute-only memory and code diversification. We study a previously unexplored point in the design space, where a hypervisor or a super-privileged component is not required. Implemented mostly as a set of GCC plugins, kR^X is readily applicable to the x86-64 Linux Kernel and can benefit from hardware support (e.g., MPX on modern Intel CPUs) to optimize performance. In full protection mode, kR^X incurs a low runtime overhead of 4.04%, which drops to 2.32% when MPX is available.
-
EuroSys - kR^X: Comprehensive Kernel Protection against Just-In-Time Code Reuse
Proceedings of the Twelfth European Conference on Computer Systems, 2017Co-Authors: Marios Pomonis, Angelos D. Keromytis, Michalis Polychronakis, Theofilos Petsios, Vasileios P. KemerlisAbstract:The abundance of memory corruption and disclosure vulnerabilities in Kernel code necessitates the deployment of hardening techniques to prevent privilege escalation attacks. As more strict memory isolation mechanisms between the Kernel and user space, like Intel's SMEP, become commonplace, attackers increasingly rely on code reuse techniques to exploit Kernel vulnerabilities. Contrary to similar attacks in more restrictive settings, such as web browsers, in Kernel Exploitation, non-privileged local adversaries have great flexibility in abusing memory disclosure vulnerabilities to dynamically discover, or infer, the location of certain code snippets and construct code-reuse payloads. Recent studies have shown that the coupling of code diversification with the enforcement of a "read XOR execute" (R^X) memory safety policy is an effective defense against the Exploitation of userland software, but so far this approach has not been applied for the protection of the Kernel itself. In this paper, we fill this gap by presenting kR^X: a Kernel hardening scheme based on execute-only memory and code diversification. We study a previously unexplored point in the design space, where a hypervisor or a super-privileged component is not required. Implemented mostly as a set of GCC plugins, kR^X is readily applicable to the x86-64 Linux Kernel and can benefit from hardware support (e.g., MPX on modern Intel CPUs) to optimize performance. In full protection mode, kR^X incurs a low runtime overhead of 4.04%, which drops to 2.32% when MPX is available.
Angelos D. Keromytis - One of the best experts on this subject based on the ideXlab platform.
-
EuroSys - kR^X: Comprehensive Kernel Protection against Just-In-Time Code Reuse
Proceedings of the Twelfth European Conference on Computer Systems, 2017Co-Authors: Marios Pomonis, Angelos D. Keromytis, Michalis Polychronakis, Theofilos Petsios, Vasileios P. KemerlisAbstract:The abundance of memory corruption and disclosure vulnerabilities in Kernel code necessitates the deployment of hardening techniques to prevent privilege escalation attacks. As more strict memory isolation mechanisms between the Kernel and user space, like Intel's SMEP, become commonplace, attackers increasingly rely on code reuse techniques to exploit Kernel vulnerabilities. Contrary to similar attacks in more restrictive settings, such as web browsers, in Kernel Exploitation, non-privileged local adversaries have great flexibility in abusing memory disclosure vulnerabilities to dynamically discover, or infer, the location of certain code snippets and construct code-reuse payloads. Recent studies have shown that the coupling of code diversification with the enforcement of a "read XOR execute" (R^X) memory safety policy is an effective defense against the Exploitation of userland software, but so far this approach has not been applied for the protection of the Kernel itself. In this paper, we fill this gap by presenting kR^X: a Kernel hardening scheme based on execute-only memory and code diversification. We study a previously unexplored point in the design space, where a hypervisor or a super-privileged component is not required. Implemented mostly as a set of GCC plugins, kR^X is readily applicable to the x86-64 Linux Kernel and can benefit from hardware support (e.g., MPX on modern Intel CPUs) to optimize performance. In full protection mode, kR^X incurs a low runtime overhead of 4.04%, which drops to 2.32% when MPX is available.
-
kr x comprehensive Kernel protection against just in time code reuse
European Conference on Computer Systems, 2017Co-Authors: Marios Pomonis, Angelos D. Keromytis, Michalis Polychronakis, Theofilos Petsios, Vasileios P. KemerlisAbstract:The abundance of memory corruption and disclosure vulnerabilities in Kernel code necessitates the deployment of hardening techniques to prevent privilege escalation attacks. As more strict memory isolation mechanisms between the Kernel and user space, like Intel's SMEP, become commonplace, attackers increasingly rely on code reuse techniques to exploit Kernel vulnerabilities. Contrary to similar attacks in more restrictive settings, such as web browsers, in Kernel Exploitation, non-privileged local adversaries have great flexibility in abusing memory disclosure vulnerabilities to dynamically discover, or infer, the location of certain code snippets and construct code-reuse payloads. Recent studies have shown that the coupling of code diversification with the enforcement of a "read XOR execute" (R^X) memory safety policy is an effective defense against the Exploitation of userland software, but so far this approach has not been applied for the protection of the Kernel itself. In this paper, we fill this gap by presenting kR^X: a Kernel hardening scheme based on execute-only memory and code diversification. We study a previously unexplored point in the design space, where a hypervisor or a super-privileged component is not required. Implemented mostly as a set of GCC plugins, kR^X is readily applicable to the x86-64 Linux Kernel and can benefit from hardware support (e.g., MPX on modern Intel CPUs) to optimize performance. In full protection mode, kR^X incurs a low runtime overhead of 4.04%, which drops to 2.32% when MPX is available.
-
USENIX Security Symposium - ret2dir: rethinking Kernel isolation
2014Co-Authors: Vasileios P. Kemerlis, Michalis Polychronakis, Angelos D. KeromytisAbstract:Return-to-user (ret2usr) attacks redirect corrupted Kernel pointers to data residing in user space. In response, several Kernel-hardening approaches have been proposed to enforce a more strict address space separation, by preventing arbitrary control flow transfers and dereferences from Kernel to user space. Intel and ARM also recently introduced hardware support for this purpose in the form of the SMEP, SMAP, and PXN processor features. Unfortunately, although mechanisms like the above prevent the explicit sharing of the virtual address space among user processes and the Kernel, conditions of implicit sharing still exist due to fundamental design choices that trade stronger isolation for performance. In this work, we demonstrate how implicit page frame sharing can be leveraged for the complete circumvention of software and hardware Kernel isolation protections. We introduce a new Kernel Exploitation technique, called return-to-direct-mapped memory (ret2dir), which bypasses all existing ret2usr defenses, namely SMEP, SMAP, PXN, KERNEXEC, UDEREF, and kGuard. We also discuss techniques for constructing reliable ret2dir exploits against x86, x86-64, AArch32, and AArch64 Linux targets. Finally, to defend against ret2dir attacks, we present the design and implementation of an exclusive page frame ownership scheme for the Linux Kernel that prevents the implicit sharing of physical memory pages with minimal runtime overhead.
Michalis Polychronakis - One of the best experts on this subject based on the ideXlab platform.
-
EuroSys - kR^X: Comprehensive Kernel Protection against Just-In-Time Code Reuse
Proceedings of the Twelfth European Conference on Computer Systems, 2017Co-Authors: Marios Pomonis, Angelos D. Keromytis, Michalis Polychronakis, Theofilos Petsios, Vasileios P. KemerlisAbstract:The abundance of memory corruption and disclosure vulnerabilities in Kernel code necessitates the deployment of hardening techniques to prevent privilege escalation attacks. As more strict memory isolation mechanisms between the Kernel and user space, like Intel's SMEP, become commonplace, attackers increasingly rely on code reuse techniques to exploit Kernel vulnerabilities. Contrary to similar attacks in more restrictive settings, such as web browsers, in Kernel Exploitation, non-privileged local adversaries have great flexibility in abusing memory disclosure vulnerabilities to dynamically discover, or infer, the location of certain code snippets and construct code-reuse payloads. Recent studies have shown that the coupling of code diversification with the enforcement of a "read XOR execute" (R^X) memory safety policy is an effective defense against the Exploitation of userland software, but so far this approach has not been applied for the protection of the Kernel itself. In this paper, we fill this gap by presenting kR^X: a Kernel hardening scheme based on execute-only memory and code diversification. We study a previously unexplored point in the design space, where a hypervisor or a super-privileged component is not required. Implemented mostly as a set of GCC plugins, kR^X is readily applicable to the x86-64 Linux Kernel and can benefit from hardware support (e.g., MPX on modern Intel CPUs) to optimize performance. In full protection mode, kR^X incurs a low runtime overhead of 4.04%, which drops to 2.32% when MPX is available.
-
kr x comprehensive Kernel protection against just in time code reuse
European Conference on Computer Systems, 2017Co-Authors: Marios Pomonis, Angelos D. Keromytis, Michalis Polychronakis, Theofilos Petsios, Vasileios P. KemerlisAbstract:The abundance of memory corruption and disclosure vulnerabilities in Kernel code necessitates the deployment of hardening techniques to prevent privilege escalation attacks. As more strict memory isolation mechanisms between the Kernel and user space, like Intel's SMEP, become commonplace, attackers increasingly rely on code reuse techniques to exploit Kernel vulnerabilities. Contrary to similar attacks in more restrictive settings, such as web browsers, in Kernel Exploitation, non-privileged local adversaries have great flexibility in abusing memory disclosure vulnerabilities to dynamically discover, or infer, the location of certain code snippets and construct code-reuse payloads. Recent studies have shown that the coupling of code diversification with the enforcement of a "read XOR execute" (R^X) memory safety policy is an effective defense against the Exploitation of userland software, but so far this approach has not been applied for the protection of the Kernel itself. In this paper, we fill this gap by presenting kR^X: a Kernel hardening scheme based on execute-only memory and code diversification. We study a previously unexplored point in the design space, where a hypervisor or a super-privileged component is not required. Implemented mostly as a set of GCC plugins, kR^X is readily applicable to the x86-64 Linux Kernel and can benefit from hardware support (e.g., MPX on modern Intel CPUs) to optimize performance. In full protection mode, kR^X incurs a low runtime overhead of 4.04%, which drops to 2.32% when MPX is available.
-
USENIX Security Symposium - ret2dir: rethinking Kernel isolation
2014Co-Authors: Vasileios P. Kemerlis, Michalis Polychronakis, Angelos D. KeromytisAbstract:Return-to-user (ret2usr) attacks redirect corrupted Kernel pointers to data residing in user space. In response, several Kernel-hardening approaches have been proposed to enforce a more strict address space separation, by preventing arbitrary control flow transfers and dereferences from Kernel to user space. Intel and ARM also recently introduced hardware support for this purpose in the form of the SMEP, SMAP, and PXN processor features. Unfortunately, although mechanisms like the above prevent the explicit sharing of the virtual address space among user processes and the Kernel, conditions of implicit sharing still exist due to fundamental design choices that trade stronger isolation for performance. In this work, we demonstrate how implicit page frame sharing can be leveraged for the complete circumvention of software and hardware Kernel isolation protections. We introduce a new Kernel Exploitation technique, called return-to-direct-mapped memory (ret2dir), which bypasses all existing ret2usr defenses, namely SMEP, SMAP, PXN, KERNEXEC, UDEREF, and kGuard. We also discuss techniques for constructing reliable ret2dir exploits against x86, x86-64, AArch32, and AArch64 Linux targets. Finally, to defend against ret2dir attacks, we present the design and implementation of an exclusive page frame ownership scheme for the Linux Kernel that prevents the implicit sharing of physical memory pages with minimal runtime overhead.
Theofilos Petsios - One of the best experts on this subject based on the ideXlab platform.
-
kr x comprehensive Kernel protection against just in time code reuse
European Conference on Computer Systems, 2017Co-Authors: Marios Pomonis, Angelos D. Keromytis, Michalis Polychronakis, Theofilos Petsios, Vasileios P. KemerlisAbstract:The abundance of memory corruption and disclosure vulnerabilities in Kernel code necessitates the deployment of hardening techniques to prevent privilege escalation attacks. As more strict memory isolation mechanisms between the Kernel and user space, like Intel's SMEP, become commonplace, attackers increasingly rely on code reuse techniques to exploit Kernel vulnerabilities. Contrary to similar attacks in more restrictive settings, such as web browsers, in Kernel Exploitation, non-privileged local adversaries have great flexibility in abusing memory disclosure vulnerabilities to dynamically discover, or infer, the location of certain code snippets and construct code-reuse payloads. Recent studies have shown that the coupling of code diversification with the enforcement of a "read XOR execute" (R^X) memory safety policy is an effective defense against the Exploitation of userland software, but so far this approach has not been applied for the protection of the Kernel itself. In this paper, we fill this gap by presenting kR^X: a Kernel hardening scheme based on execute-only memory and code diversification. We study a previously unexplored point in the design space, where a hypervisor or a super-privileged component is not required. Implemented mostly as a set of GCC plugins, kR^X is readily applicable to the x86-64 Linux Kernel and can benefit from hardware support (e.g., MPX on modern Intel CPUs) to optimize performance. In full protection mode, kR^X incurs a low runtime overhead of 4.04%, which drops to 2.32% when MPX is available.
-
EuroSys - kR^X: Comprehensive Kernel Protection against Just-In-Time Code Reuse
Proceedings of the Twelfth European Conference on Computer Systems, 2017Co-Authors: Marios Pomonis, Angelos D. Keromytis, Michalis Polychronakis, Theofilos Petsios, Vasileios P. KemerlisAbstract:The abundance of memory corruption and disclosure vulnerabilities in Kernel code necessitates the deployment of hardening techniques to prevent privilege escalation attacks. As more strict memory isolation mechanisms between the Kernel and user space, like Intel's SMEP, become commonplace, attackers increasingly rely on code reuse techniques to exploit Kernel vulnerabilities. Contrary to similar attacks in more restrictive settings, such as web browsers, in Kernel Exploitation, non-privileged local adversaries have great flexibility in abusing memory disclosure vulnerabilities to dynamically discover, or infer, the location of certain code snippets and construct code-reuse payloads. Recent studies have shown that the coupling of code diversification with the enforcement of a "read XOR execute" (R^X) memory safety policy is an effective defense against the Exploitation of userland software, but so far this approach has not been applied for the protection of the Kernel itself. In this paper, we fill this gap by presenting kR^X: a Kernel hardening scheme based on execute-only memory and code diversification. We study a previously unexplored point in the design space, where a hypervisor or a super-privileged component is not required. Implemented mostly as a set of GCC plugins, kR^X is readily applicable to the x86-64 Linux Kernel and can benefit from hardware support (e.g., MPX on modern Intel CPUs) to optimize performance. In full protection mode, kR^X incurs a low runtime overhead of 4.04%, which drops to 2.32% when MPX is available.
