Adaptive defenses for commodity software through virtual application partitioning

Geneiatakis, Dimitris; Portokalidis, Georgios; Kemerlis, Vasileios P.; Keromytis, Angelos D.

doi:10.1145/2382196.2382214

Cited by 17 publications

(11 citation statements)

References 30 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Note that although kR ∧ X requires patching the OS kernel and (re)compiling with custom GCC plugins, it supports mixed code: that is, both protected and unprotected modules. This design not only allows for incremental deployment and adoption but also facilitates selective hardening [60].…”

Section: Methodsmentioning

confidence: 99%

Untitled

2019

TOPS

View full text Add to dashboard Cite

The abundance of memory corruption and disclosure vulnerabilities in kernel code necessitates the deployment of hardening techniques to prevent privilege escalation attacks. As stricter memory isolation mechanisms between the kernel and user space become commonplace, attackers increasingly rely on code reuse techniques to exploit kernel vulnerabilities. Contrary to similar attacks in more restrictive settings, as in web browsers, in kernel exploitation, non-privileged local adversaries have great flexibility in abusing memory disclosure vulnerabilities to dynamically discover, or infer, the location of code snippets in order to construct code-reuse payloads. Recent studies have shown that the coupling of code diversification with the enforcement of a "read XOR execute" (R ∧ X) memory safety policy is an effective defense against the exploitation of userland software, but so far this approach has not been applied for the protection of the kernel itself.In this article, we fill this gap by presenting kR ∧ X: a kernel-hardening scheme based on execute-only memory and code diversification. We study a previously unexplored point in the design space, where a hypervisor or a super-privileged component is not required. Implemented mostly as a set of GCC plugins, kR ∧ X is readily applicable to x86 Linux kernels (both 32b and 64b) and can benefit from hardware support (segmentation on x86, MPX on x86-64) to optimize performance. In full protection mode, kR ∧ X incurs a low runtime overhead of 4.04%, which drops to 2.32% when MPX is available, and 1.32% when memory segmentation is in use. 5:2M. Pomonis et al. INTRODUCTIONThe deployment of standard kernel-hardening schemes, such as address space layout randomization (KASLR) [50] and non-executable memory [91], has prompted a shift from legacy code injection (in kernel space) to return-to-user (ret2usr) attacks [80]. Due to the weak separation between kernel and user space-as a result of the kernel being mapped inside the (upper part of the) address space of every user process for performance reasons-in ret2usr attacks, the kernel control/dataflow is hijacked and redirected to code/data residing in user space, effectively bypassing KASLR and (kernel-space) W ∧ X. Fortunately, however, recent software [38,69,80,116] and hardware [35,77] kernel protection mechanisms mitigate ret2usr threats by enforcing a more stringent address space separation. Alas, mirroring the co-evolution of attacks and defenses in user space, kernel exploits have started to rely on code-reuse techniques, such as return-oriented programming (ROP) [134,144]; old ret2usr exploits [14] are converted to use ROP payloads instead of shellcode [18], while modern jailbreak and privilege escalation exploits rely solely on code reuse [2,129,152].At the same time, the security community started developing protections against code-reuse attacks: control-flow integrity (CFI) [7] and code-diversification [44,72,87,112,149] schemes have been applied both in the user and kernel settings [42,58,64,94]. Unfortunately, the...

show abstract

Section: Methodsmentioning

confidence: 99%

Untitled

2019

TOPS

View full text Add to dashboard Cite

show abstract

“…Robustness & Security: Following this direction of improving scalability and performance, another line of research is on application partitioning. Proposed approaches [28] try to dissect each application in coherent sections with each one having different security requirements. In these works, the goal is to improve the precision of security measures that mitigate the reduced attack vector that each partition might have.…”

Section: A Security Requirements and Current State In Remote Single-dementioning

confidence: 99%

Secure Edge Computing with Lightweight Control-Flow Property-based Attestation

Koutroumpouchos

Ntantogian

Menesidou

et al. 2019

2019 IEEE Conference on Network Softwarization (NetSoft)

View full text Add to dashboard Cite

The Internet of Things (IoT) is rapidly evolving, while introducing several new challenges regarding security, resilience and operational assurance. In the face of an increasing attack landscape, it is necessary to cater for the provision of efficient mechanisms to collectively verify software-and deviceintegrity in order to detect run-time modifications. Towards this direction, remote attestation has been proposed as a promising defense mechanism. It allows a third party, the verifier, to ensure the integrity of a remote device, the prover. However, this family of solutions do not capture the real-time requirements of industrial IoT applications and suffer from scalability and efficiency issues. In this paper, we present a lightweight dynamic control-flow property-based attestation architecture (CFPA) that can be applied on both resource-constrained edge and cloud devices and services. It is a first step towards a new line of security mechanisms that enables the provision of control-flow attestation of only those specific, critical software components that are comparatively small, simple and limited in function, thus, allowing for a much more efficient verication. Our goal is to enhance run-time software integrity and trustworthiness with a scalable and decentralized solution eliminating the need for federated infrastructure trust. Based on our findings, we posit open issues and challenges, and discuss possible ways to address them, so that security do not hinder the deployment of intelligent edge computing systems.

show abstract

“…An alternative method to using isolation to protect secrets and mitigate the exploitation of vulnerabilities is through monitoring the execution of the software. Geneiatakos et al suggest using virtual application partitioning to dynamically adapt the software defences based on the current execution partition of the application [45]. The main focus of their work is identifying authentication points and 'sensitive' data in binary applications using techniques such as instruction set randomisation and dynamic taint analysis on the different partitions of the application.…”

Section: Related Workmentioning

confidence: 99%

A framework for application partitioning using trusted execution environments

Atamli-Reineh

Paverd

Petracca

et al. 2017

Concurrency and Computation

View full text Add to dashboard Cite

Summary The size and complexity of modern applications are the underlying causes of numerous security vulnerabilities. In order to mitigate the risks arising from such vulnerabilities, various techniques have been proposed to isolate the execution of sensitive code from the rest of the application and from other software on the platform (such as the operating system). New technologies, notably Intel's Software Guard Extensions (SGX), are becoming available to enhance the security of partitioned applications. SGX provides a trusted execution environment (TEE), called an enclave, that protects the integrity of the code and the confidentiality of the data inside it from other software, including the operating system (OS). However, even with these partitioning techniques, it is not immediately clear exactly how they can and should be used to partition applications. How should a particular application be partitioned? How many TEEs should be used? What granularity of partitioning should be applied? To some extent, this is dependent on the capabilities and performance of the partitioning technology in use. However, as partitioning becomes increasingly common, there is a need for systematisation in the design of partitioning schemes. To address this need, we present a novel framework consisting of four overarching types of partitioning schemes through which applications can make use of TEEs. These schemes range from coarse‐grained partitioning, in which the whole application is included in a single TEE, through to ultra‐fine partitioning, in which each piece of security‐sensitive code and data is protected in an individual TEE. Although partitioning schemes themselves are application specific, we establish application‐independent relationships between the types we have defined. Because these relationships have an impact on both the security and performance of the partitioning scheme, we envisage that our framework can be used by software architects to guide the design of application partitioning schemes. To demonstrate the applicability of our framework, we have carried out case studies on two widely used software packages, the Apache Web server and the OpenSSL library. In each case study, we provide four high‐level partitioning schemes—one for each of the types in our framework. We also systematically review the related work on hardware‐enforced partitioning by categorising previous research efforts according to our framework. Copyright © 2017 John Wiley & Sons, Ltd.

show abstract

Adaptive defenses for commodity software through virtual application partitioning

Cited by 17 publications

References 30 publications

Untitled

Untitled

Secure Edge Computing with Lightweight Control-Flow Property-based Attestation

A framework for application partitioning using trusted execution environments

Contact Info

Product

Resources

About