Operating Systems, 2014-05-12, Lecture 21: Kernel Security and Static Integer Error Detection

Uploader: w****i | Document ID: 92874831 | Uploaded: 2019-07-14 | Format: PPTX | Pages: 49 | Size: 984.18 KB

Kernel Security and Static Integer Error Detection (Lecture 21)

Outline
  Kernel security and buffer overflows
  Integer overflow
  Integer overflow analysis
  Automatic integer overflow detection
  Kint design and implementation
  Kint applications
  Kint improvements

Famous Buffer Overflow Attacks
  Morris worm (1988): overflow in fingerd; 6,000 machines infected (10% of the Internet at the time)
  CodeRed (2001): overflow in the MS-IIS server; 300,000 machines infected in 14 hours
  SQL Slammer (2003): overflow in the MS-SQL server; 75,000 machines infected in 10 minutes (!)
  Sasser (2004): overflow in Windows LSASS (the service responsible for user authentication in Windows); around 500,000 machines infected
  Conficker (2008-09): overflow in Windows Server; around 10 million machines infected (estimates vary)

Memory Exploits (slide 5)
  A buffer is a data storage area inside computer memory (stack or heap), intended to hold a pre-defined amount of data.
  If executable code is supplied as "data", the victim's machine may be fooled into executing it; the code will self-propagate or give the attacker control over the machine.
  An attack can exploit any memory operation: pointer assignment, format strings, memory allocation and de-allocation, function pointers, calls to library routines via offset tables.

Stack Buffers (slide 6)
  Suppose a Web server contains this function:

    void func(char *str) {
        char buf[126];        /* allocate local buffer (126 bytes reserved on the stack) */
        strcpy(buf, str);     /* copy argument into local buffer */
    }

  When this function is invoked, a new frame with local variables is pushed onto the stack.
  Frame layout (top of stack first; the stack grows toward the top):
    buf       local variables
    sfp       pointer to the previous frame
    ret addr  execute code at this address after func() finishes
    str       arguments
    ...       frame of the calling function

Executing Attack Code
  Suppose the buffer contains an attacker-created string; for example, *str contains a string received from the network as input to some network service daemon.
  When the function exits, code in the buffer will be executed, giving the attacker a shell; a root shell if the victim program is setuid root.
  The attacker puts actual assembly instructions into his input string, e.g., the binary code of execve("/bin/sh").
  In the overflow, a pointer back into the buffer appears in the location where the system expects to find the return address.
  Diagram (top of stack first): code, str, ret, frame of the calling function

Stack Corruption (Redux) (slide 7)

    int foo(void (*funcp)()) {
        char *ptr = point_to_an_array;
        char buf[128];
        gets(buf);
        strncpy(ptr, buf, 8);
        (*funcp)();
    }

    int bar(int val1) {
        int val2;
        foo(a_function_pointer);
    }

  Diagram labels: string grows, stack grows, contaminated memory, most popular target, attack code

Attack: Return Address (slide 8)
  Change the return address to point to the attack code. After the function returns, control is transferred to the attack code.
  Or return-to-libc: use existing instructions in the code segment, such as system(), exec(), etc., as the attack code; set stack pointers to return to a dangerous library function.
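A defensive counterpart to the func() on the Stack Buffers slide, added here as an example; it is not code from the lecture. It keeps the same 126-byte stack buffer but replaces strcpy() with a bounded copy that refuses input that does not fit, so the saved frame pointer and return address in the frame diagram are never reached. The names copy_bounded, func_checked and func_checked_with_len are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 126   /* same local buffer size as the slide's func() */

/* Bounded replacement for the slide's strcpy(buf, str): copies at most
 * dstsz-1 bytes and always NUL-terminates.  Returns -1 and leaves dst
 * empty when src does not fit, so the caller can reject the request
 * instead of letting the copy run into sfp and the return address. */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0)
        return -1;
    if (n >= dstsz) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);   /* n+1 includes the terminating NUL */
    return 0;
}

/* Hardened version of func(): same 126-byte stack buffer, but oversize
 * input is refused.  Returns the accepted length, or -1 when rejected. */
int func_checked(const char *str)
{
    char buf[BUF_SIZE];
    if (copy_bounded(buf, sizeof buf, str) != 0)
        return -1;             /* e.g. log the event and drop the request */
    return (int)strlen(buf);   /* normal processing of buf would go here */
}

/* Test helper: feed func_checked() a constructed string of n 'A' bytes. */
int func_checked_with_len(size_t n)
{
    char *s = malloc(n + 1);
    int rc;
    if (s == NULL)
        return -2;
    memset(s, 'A', n);
    s[n] = '\0';
    rc = func_checked(s);
    free(s);
    return rc;
}

int main(void)
{
    printf("125 bytes: %d\n", func_checked_with_len(125));   /* fits: 125 */
    printf("126 bytes: %d\n", func_checked_with_len(126));   /* rejected: -1 */
    printf("300 bytes: %d\n", func_checked_with_len(300));   /* rejected: -1 */
    return 0;
}
```

The bound is the real fix; 126 bytes of input is rejected because the NUL terminator would be the 127th byte, which is exactly the off-by-one that the original strcpy() silently writes past the buffer.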

  Diagram labels: "/bin/sh", system()

Steps for Buffer Overflow Attack
  Intent
    Arbitrary code execution: spawn a remote shell, or infect with a worm/virus
    Denial of service: cause the software to crash
  Steps
    Inject attack code into the buffer
    Overflow the return address
    Redirect control flow to the attack code
    Execute the attack code

Definition of Integer Overflow (slide 12)
  Computer vs. mathematics: word width and sign
  From the human point of view: the computer's result != the mathematical result

Two's Complement
  Binary representation of negative integers
  Represent X (where X < 0) as 2^N - |X|; N is the word size (e.g., 32 bits on the x86 architecture)
  Diagram: 32-bit values laid out bit by bit, showing the wrap-around from 2^31-1 to -1, -2, ..., -2^31, and the question of where 2^31 lands (2^31 ?)

Integer Overflow

    static int
    getpeername1(p, uap, compat)
    {
        /* In the FreeBSD kernel, retrieves the address of the peer to which a socket is connected */
        struct sockaddr *sa;
        ...
        len = MIN(len, sa->sa_len);                  /* checks that "len" is not too big */
        ...
        copyout(sa, (caddr_t)uap->asa, (u_int)len);  /* copies "len" bytes from kernel memory to user space */
    }

  A negative "len" will always pass this check; interpreted as a huge unsigned integer at the copyout, it will copy up to 4G of kernel memory.

Types of Integer Overflow
  Classification criteria: the arithmetic operation, signedness, and intended use

Overflow Conditions (two slides)
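The length-check bug from the getpeername1() slide reduced to a runnable model, as an added example that is neither the lecture's nor FreeBSD's code. Only the length arithmetic is reproduced: MIN() compares a signed len, the count handed to copyout() is unsigned, so a negative len survives the clamp and turns into a count of about 4 GiB. Nothing is copied; the function names (vulnerable_copy_len, safe_copy_len, vulnerable_overreads) and the 16-byte sockaddr size are this example's own.

```c
#include <stdio.h>

/* Added example modelling the getpeername1() slide; not the lecture's or
 * FreeBSD's code.  Only the length arithmetic is reproduced: nothing is
 * copied, so a bad count is reported rather than acted on. */

#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* Vulnerable shape: "len" is a signed int, MIN() compares it as signed,
 * and the result is handed to copyout() as an unsigned count.  Returns the
 * count copyout() would receive. */
unsigned int vulnerable_copy_len(int len, unsigned char sa_len)
{
    len = MIN(len, sa_len);      /* -1 < sa_len, so a negative len survives the clamp */
    return (unsigned int)len;    /* -1 becomes 0xFFFFFFFF: a ~4 GiB copy out of kernel memory */
}

/* Hardened shape: reject a negative length before any unsigned
 * conversion, then clamp in unsigned arithmetic.  Returns -1 for an
 * invalid length (the kernel would return EINVAL), else the safe count. */
long safe_copy_len(int len, unsigned char sa_len)
{
    if (len < 0)
        return -1;
    return (long)MIN((unsigned int)len, (unsigned int)sa_len);
}

/* 1 if the vulnerable computation would read past a sockaddr of sa_len bytes. */
int vulnerable_overreads(int len, unsigned char sa_len)
{
    return vulnerable_copy_len(len, sa_len) > (unsigned int)sa_len;
}

int main(void)
{
    unsigned char sa_len = 16;   /* constructed: size of the peer's sockaddr */
    int lens[] = { 8, 100, -1 }; /* constructed user-supplied lengths */
    for (int i = 0; i < 3; i++) {
        printf("len=%4d  vulnerable count=%10u  overread=%d  safe=%ld\n",
               lens[i], vulnerable_copy_len(lens[i], sa_len),
               vulnerable_overreads(lens[i], sa_len),
               safe_copy_len(lens[i], sa_len));
    }
    return 0;
}
```

The lesson generalises beyond this one function: any value that is range-checked with one signedness and consumed with another needs the check to happen on the type that is actually consumed, which is what the hardened version does by rejecting negatives first and clamping in unsigned arithmetic.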

Overflow Test Conditions (three slides)
  Characteristics: bitwise operations; concise and efficient

Mitigating allocation size overflow
  kmalloc(n * size): frequently used in the Linux kernel; can lead to buffer overflow
  kmalloc_array(n, size): returns NULL if n * size overflows; since Linux 3.4-rc1
  Verbose manual check (had 3 bugs)
  NaN integer example

Kint Overview
  MIT, Xi Wang (王曦), OSDI '12: "Improving Integer Security for Systems with KINT"
  A static detection tool for C programs, built on LLVM & Clang

Overall Design Structure

Characteristics of Kint's integer overflow detection
  Function-level analysis
  Insertion of overflow markers
  Code optimization: simplified overflow-check syntax, simplified pointer arithmetic
  Range analysis
  Constraint expressions

Kint Implementation Analysis
  Basic principle: LLVM & Clang, LLVM IR, passes

    define i32 @sub(i32 %x, i32 %y) nounwind uwtable {
    entry:
      %x.addr = alloca i32, align 4
      %y.addr = alloca i32, align 4
      store i32 %x, i32* %x.addr, align 4
      store i32 %y, i32* %y.addr, align 4
      %0 = load i32* %x.addr, align 4
      %1 = load i32* %y.addr, align 4
      %sub = sub nsw i32 %0, %1
      ret i32 %sub
    }

Introduction to Kint's core passes

Three Experiments
  Functional detection experiment: simple integer overflow tests
  Comprehensive detection experiment: integer overflow tests on concrete programs
  Application detection ex...
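The overflow test conditions and the kmalloc_array() mitigation, worked through in C as an added example; this is not code from the lecture, from Kint or from Linux. The formulas on the "overflow test conditions" slides were not extracted, so the block uses the standard sign-bit tests for 32-bit operands (an assumption about what the slides show), and it uses malloc() as a stand-in for kmalloc(). Everything is computed on unsigned values, which is why the checks themselves never hit the undefined signed overflow that the nsw flag in the LLVM IR above tells the optimizer to assume away.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Added example, not from the lecture, Kint or Linux: standard bitwise
 * overflow tests for 32-bit operands (assumed to match the slides' intent)
 * plus an allocation helper shaped like kmalloc_array(n, size). */

/* Unsigned add wraps modulo 2^32; it overflowed iff the sum is below an operand. */
int uadd_overflows(uint32_t a, uint32_t b)
{
    return (uint32_t)(a + b) < a;
}

/* Signed add overflows iff both operands have the same sign and the result's
 * sign differs from it: the sign bit of (a ^ r) & (b ^ r) is then set. */
int sadd_overflows(int32_t a, int32_t b)
{
    uint32_t ua = (uint32_t)a, ub = (uint32_t)b;
    uint32_t r = ua + ub;                 /* wrapping add, no UB */
    return (int)(((ua ^ r) & (ub ^ r)) >> 31);
}

/* Signed sub overflows iff the operands have different signs and the result's
 * sign differs from the minuend's: sign bit of (a ^ b) & (a ^ r). */
int ssub_overflows(int32_t a, int32_t b)
{
    uint32_t ua = (uint32_t)a, ub = (uint32_t)b;
    uint32_t r = ua - ub;
    return (int)(((ua ^ ub) & (ua ^ r)) >> 31);
}

/* Unsigned mul: widen to 64 bits and test whether the product fits in 32. */
int umul_overflows(uint32_t a, uint32_t b)
{
    return ((uint64_t)a * b) > UINT32_MAX;
}

/* n * size wraps iff n exceeds the largest multiplier that still fits. */
int size_mul_overflows(size_t n, size_t size)
{
    return size != 0 && n > SIZE_MAX / size;
}

/* Shaped like kmalloc_array(): return NULL instead of silently allocating a
 * wrapped (too small) size that a later copy would overflow. */
void *checked_array_alloc(size_t n, size_t size)
{
    if (size_mul_overflows(n, size))
        return NULL;
    return malloc(n * size);   /* malloc() stands in for kmalloc() */
}

int main(void)
{
    printf("INT32_MAX + 1 overflows: %d\n", sadd_overflows(INT32_MAX, 1));
    printf("INT32_MIN - 1 overflows: %d\n", ssub_overflows(INT32_MIN, 1));
    printf("0x10000 * 0x10000 overflows: %d\n", umul_overflows(0x10000u, 0x10000u));
    void *p = checked_array_alloc(SIZE_MAX, 2);   /* constructed wrapping request */
    printf("array alloc of SIZE_MAX*2: %s\n", p == NULL ? "refused" : "allocated");
    free(p);
    return 0;
}
```

The division in size_mul_overflows() is the same shape as the kernel's check_mul_overflow() fallback; on compilers that provide __builtin_mul_overflow() a single call replaces it, but the hand-written form shows why the test is correct.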
