Efficient Protection of Kernel Data Structures via Object Partitioning
Abhinav Srivastava, Jonathon Giffin
AT&T Labs-Research, HP Fortify
ACSAC 2012

Transcript (22 slides)

Page 1: Title slide (title, authors, affiliations and venue as above)

Page 2: Outline
• Introduction
• Related Work
• Sentry System
• Implementation
• Evaluation
• Conclusion

Page 3: Introduction
• Kernel-level malware often uses DKOM (Direct Kernel Object Manipulation) to hide a process from the kernel's process accounting list.
• It may also escalate a process' privileges by overwriting the process' credentials with those of a root or administrative user.
• We present a system called Sentry that creates access control protections for security-critical kernel data.

Page 4: Related Work
• Petroni et al. detect processes that are reachable from the scheduler but absent from the process accounting list.
  • Cannot cover the list of loaded kernel modules, which does not offer multiple views to compare.
• XFI and BGI guard write instructions subject to access control policy constraints.
  • Require all kernel drivers and modules to be built with this system.
  • Low performance.

Page 5: Sentry System
• Page-level granularity: use the hardware's page read/write protection to enforce the access control policy.
• Partitioning: separate kernel data structures into regions that have different access control policies.
• Based on a VM: gives full control over hardware page-fault handling and management.

Page 6: Sentry System

Page 7: Page-level Granularity
• Old methods
  • Applying policy checking means checking every possible write operation to kernel data: slow performance.
  • Protecting a single security-critical member requires the whole page to be protected: poor memory utilization.
• Sentry uses structure partitioning and page write protection to apply access control policies.

Page 8: Page-level Granularity (Cont.)
• How does page write protection protect the data?
  • Simply by using the write flag in the page table entry.
  • If someone tries to write to a protected page, a page fault occurs, and the function sh_page_fault in the Xen hypervisor is called to handle the event.
• Sentry changes the handling function to add a policy check:
  • If the write is valid, the page fault is ignored and the write operation is performed.
  • If the write is invalid, the write operation is denied.

Page 9: Partitioning
• Structures such as task_struct and module contain a mix of security-critical and non-critical fields.
• Two strategies:
  • Structure Division
  • Structure Alignment

Page 10: Partitioning - Structure Division
• Split the original Obj by creating a new data structure insecure_Obj containing the non-critical fields.

Before (struct task_struct):
    uid_t uid, euid, suid
    gid_t gid, egid, sgid
    u64 acct_rss_mem1
    u64 acct_vm_mem1
    struct list_head tasks
    void *journal_info
    unsigned long personality
    struct audit_context *audit_context
    char comm[16]
    ...

After (struct task_struct, security-critical members only):
    uid_t uid, euid, suid
    gid_t gid, egid, sgid
    struct list_head tasks
    char comm[16]
    insecure_task_struct *insecure

After (struct insecure_task_struct, non-critical members):
    u64 acct_rss_mem1
    u64 acct_vm_mem1
    void *journal_info
    unsigned long personality
    struct audit_context *audit_context

Page 11: Partitioning - Structure Alignment
• Add a buffer to the original Obj to push the security-critical members and the non-critical members apart.
• This can be done with compiler options that insert or remove the alignment buffer.

Before (struct module):
    enum module_state state
    struct list_head list
    char name[MODULE_NAME_LEN]
    const char *version
    const char *srcversion
    ...

After (struct module, padded so that the object spans one Page Size):
    enum module_state state
    struct list_head list
    char name[MODULE_NAME_LEN]
    const char *version
    const char *srcversion
    ...
    char buffer[BIG_SPACE]
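To make the two partitioning strategies concrete, here is an added C example (not code from the Sentry paper or the Linux kernel) that models structure division on task_struct and structure alignment on module in user space and checks which page frame each member lands on. Field names follow the slides; the 4 KiB PAGE_SIZE, MODULE_NAME_LEN, the arena allocator standing in for get_free_pages, the choice of state and list as the critical module members, and the placement of the alignment buffer directly after them are assumptions. It also counts how many writes of a benign accounting update would fault on the protected page with and without partitioning, which is the cost slide 7 refers to.

```c
/* Added example, not code from the Sentry paper or the Linux kernel: a user-
 * space model of structure division (task_struct) and structure alignment
 * (module).  PAGE_SIZE, MODULE_NAME_LEN, the arena allocator, the choice of
 * critical module members and the buffer placement are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define PAGE_SIZE 4096UL
#define MODULE_NAME_LEN 56

struct list_head { struct list_head *next, *prev; };

/* Unpartitioned layout from the slide: critical and non-critical members share
 * one object, so write-protecting its page traps writes to all of them. */
struct task_struct_orig {
    uid_t uid, euid, suid;
    gid_t gid, egid, sgid;
    uint64_t acct_rss_mem1, acct_vm_mem1;
    struct list_head tasks;
    void *journal_info;
    unsigned long personality;
    void *audit_context;
    char comm[16];
};

/* Structure division: non-critical members move out to insecure_task_struct,
 * which is allocated on its own, unprotected page. */
struct insecure_task_struct {
    uint64_t acct_rss_mem1, acct_vm_mem1;
    void *journal_info;
    unsigned long personality;
    void *audit_context;
};
struct task_struct {
    uid_t uid, euid, suid;
    gid_t gid, egid, sgid;
    struct list_head tasks;
    char comm[16];
    struct insecure_task_struct *insecure;
};

/* Structure alignment: the object stays whole, but an alignment buffer pads
 * the critical members (assumed: state and list) out to a page boundary. */
#define MODULE_CRITICAL_MEMBERS int state; struct list_head list;
struct module_critical { MODULE_CRITICAL_MEMBERS };
struct module {
    MODULE_CRITICAL_MEMBERS
    char buffer[PAGE_SIZE - sizeof(struct module_critical)];
    char name[MODULE_NAME_LEN];
    const char *version;
    const char *srcversion;
};

/* Page-frame arena standing in for get_free_pages(); nothing is freed. */
#define ARENA_PAGES 64
static unsigned char arena[(ARENA_PAGES + 1) * PAGE_SIZE];
static size_t arena_used;

static size_t round_up_page(size_t n) { return (n + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1); }
static uintptr_t pfn_of(const void *p) { return (uintptr_t)p / PAGE_SIZE; }

static void *page_alloc(size_t n) {
    uintptr_t base = ((uintptr_t)arena + PAGE_SIZE - 1) & ~(uintptr_t)(PAGE_SIZE - 1);
    size_t sz = round_up_page(n);
    if (arena_used + sz > ARENA_PAGES * PAGE_SIZE) return NULL;
    void *p = (void *)(base + arena_used);
    arena_used += sz;
    memset(p, 0, sz);
    return p;
}

/* Number of write targets that land on the protected frame, i.e. the page
 * faults Sentry would have to mediate for this update. */
unsigned writes_trapped(uintptr_t protected_pfn, const void *const *targets, size_t n) {
    unsigned hits = 0;
    for (size_t i = 0; i < n; i++) if (pfn_of(targets[i]) == protected_pfn) hits++;
    return hits;
}

/* A benign accounting update on the unpartitioned layout: every write traps. */
unsigned trapped_writes_unpartitioned(void) {
    struct task_struct_orig *t = page_alloc(sizeof *t);
    if (!t) return (unsigned)-1;
    const void *w[] = { &t->acct_rss_mem1, &t->acct_vm_mem1, &t->journal_info };
    return writes_trapped(pfn_of(t), w, 3);
}

/* The same update after division: the writes hit the insecure page, none trap. */
unsigned trapped_writes_partitioned(void) {
    struct task_struct *t = page_alloc(sizeof *t);
    if (!t) return (unsigned)-1;
    t->insecure = page_alloc(sizeof *t->insecure);
    if (!t->insecure) return (unsigned)-1;
    const void *w[] = { &t->insecure->acct_rss_mem1, &t->insecure->acct_vm_mem1,
                        &t->insecure->journal_info };
    return writes_trapped(pfn_of(t), w, 3);
}

/* Aligned module: state and list share a frame that name/version are not on. */
int module_is_partitioned(void) {
    struct module *m = page_alloc(sizeof *m);
    if (!m) return -1;
    return pfn_of(&m->state) == pfn_of(&m->list) &&
           pfn_of(&m->state) != pfn_of(m->name) &&
           pfn_of(&m->state) != pfn_of(&m->srcversion);
}

int main(void) {
    printf("unpartitioned task_struct: %u of 3 writes trapped\n", trapped_writes_unpartitioned());
    printf("divided task_struct:       %u of 3 writes trapped\n", trapped_writes_partitioned());
    printf("aligned module partitioned: %d\n", module_is_partitioned());
    return 0;
}
```

The division variant costs a second page frame per object but lets the accounting writes proceed without any trap; the alignment variant keeps the object whole and only needs the kernel recompiled, which is the trade-off slide 15 describes for task_struct versus module.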

Page 12: Policy
A valid write operation can be performed by:
• Trusted core kernel: core kernel code from symbol _text to _etext, and kernel boot code from symbol __init_begin to __init_end.
• Trusted Upgraders: alterations reachable from most exported kernel functions, i.e. the APIs provided by the kernel.

Page 13: Page Creation & Registration
• When a new instance of a protected structure is created, Obj and insecure_Obj are placed in separate page frames, and page write protection is applied to the page containing Obj.
• The page frame number (PFN) is then sent to the Sentry system with VMCALL, a method to pass data to the hypervisor, to tell it which page frame needs mediation.

Page 14: Implementation
• Uses Linux 2.6 and the Xen hypervisor.
• task_struct and module are changed using division and alignment respectively.
• The Linux source code is changed wherever those structures are used so that the correct variable is referenced:
  • current->journal_info becomes current->insecure->journal_info
  • Alters 0.036% (2536/7041452) SLOC (source lines of code) in Linux 2.6.
  • This can be done with source-to-source transformation techniques, such as those provided by CIL.

Page 15: Implementation (Cont.)
• Structure Division
  • Applied to the task_struct structure only.
  • Categorized 28 of 122 members as critical.
  • Changed the structure allocation function from kmem_cache_alloc to get_free_pages and kmalloc.
• Structure Alignment
  • Applied to the module structure only.
  • Categorized 2 of 29 members as critical.
  • Requires only a recompilation of the kernel.

Page 16: Implementation (Cont.)
• APIs to communicate with the hypervisor: addPFNtoDB, removePFNfromDB, checkPFNinDB.
• __sh_propagate is modified to build the shadow of guest operating system memory that the monitor uses.
• Sentry checks a write operation's validity from the eip register when sh_page_fault is called, and traverses the stack frames using ebp to obtain the full call trace.
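The policy on slide 12, the PFN registration on slide 13 and the eip/ebp check on this slide fit together as one decision procedure. The following is an added C example (not code from the Sentry paper or from Xen) that models it in user space. The PFN database keeps the three API names the slide lists, but the implementations, the symbol map with its address ranges, the module names and the call traces are all constructed for the example, and the rule for using the call trace (the first non-core caller on the stack must have entered the kernel through an exported function) is this example's own reading of "trusted upgraders". The scenarios include the run_list case from the false-positive slide: a benign module going through enqueue_task is allowed, while a module writing the protected page directly is denied.

```c
/* Added example, not code from the Sentry paper or Xen: a user-space model of
 * the write-mediation policy.  API names follow the slide; the symbol map,
 * address ranges, module names, call traces and the trace rule are assumptions. */
#include <stddef.h>
#include <stdint.h>

typedef uint64_t pfn_t;
typedef uint64_t addr_t;

enum verdict { WRITE_NOT_MEDIATED, WRITE_ALLOWED, WRITE_DENIED };

/* PFN database: page frames the guest registered for mediation via VMCALL. */
#define MAX_PFNS 64
static pfn_t pfn_db[MAX_PFNS];
static size_t pfn_count;

int checkPFNinDB(pfn_t pfn) {
    for (size_t i = 0; i < pfn_count; i++) if (pfn_db[i] == pfn) return 1;
    return 0;
}
int addPFNtoDB(pfn_t pfn) {
    if (checkPFNinDB(pfn)) return 1;
    if (pfn_count == MAX_PFNS) return 0;
    pfn_db[pfn_count++] = pfn;
    return 1;
}
int removePFNfromDB(pfn_t pfn) {
    for (size_t i = 0; i < pfn_count; i++)
        if (pfn_db[i] == pfn) { pfn_db[i] = pfn_db[--pfn_count]; return 1; }
    return 0;
}

/* Constructed symbol map: which code is trusted core kernel, which is exported. */
struct symbol { const char *name; addr_t start, end; int core, exported; };
static const struct symbol symtab[] = {
    { "core text (_text.._etext)",            0xffffffff81000000ULL, 0xffffffff81010000ULL, 1, 0 },
    { "enqueue_task",                         0xffffffff81010000ULL, 0xffffffff81010400ULL, 1, 1 },
    { "dequeue_task",                         0xffffffff81010400ULL, 0xffffffff81010800ULL, 1, 1 },
    { "internal_helper (not exported)",       0xffffffff81010800ULL, 0xffffffff81010c00ULL, 1, 0 },
    { "boot code (__init_begin..__init_end)", 0xffffffff81a00000ULL, 0xffffffff81a40000ULL, 1, 0 },
    { "benign_mod",                           0xffffffffa0000000ULL, 0xffffffffa0010000ULL, 0, 0 },
    { "untrusted_mod",                        0xffffffffa0100000ULL, 0xffffffffa0110000ULL, 0, 0 },
};
#define NSYMS (sizeof symtab / sizeof symtab[0])

static const struct symbol *lookup(addr_t a) {
    for (size_t i = 0; i < NSYMS; i++)
        if (a >= symtab[i].start && a < symtab[i].end) return &symtab[i];
    return NULL;
}

/* Policy check run from the page-fault handler.  eip is the faulting write;
 * trace[] holds the return addresses recovered by walking ebp, innermost
 * first.  Walking outward, core frames need no further check; the first
 * non-core frame (a module) must have entered the kernel through an exported
 * function, i.e. the callee one step closer to the write must be exported. */
enum verdict mediate_write(pfn_t pfn, addr_t eip, const addr_t *trace, size_t depth) {
    if (!checkPFNinDB(pfn)) return WRITE_NOT_MEDIATED;   /* not a protected frame */
    const struct symbol *callee = lookup(eip);
    if (!callee || !callee->core) return WRITE_DENIED;   /* write from outside core kernel */
    for (size_t i = 0; i < depth; i++) {
        const struct symbol *caller = lookup(trace[i]);
        if (!caller || !caller->core)
            return callee->exported ? WRITE_ALLOWED : WRITE_DENIED;
        callee = caller;
    }
    return WRITE_ALLOWED;                                /* entire chain is core kernel */
}

/* Constructed scenarios; PFN 0x1234 stands for the frame holding a task_struct. */
#define TASK_PFN 0x1234ULL

enum verdict scenario_core_scheduler(void) {       /* core -> core -> enqueue_task */
    addPFNtoDB(TASK_PFN);
    addr_t trace[] = { 0xffffffff81000800ULL, 0xffffffff81000900ULL };
    return mediate_write(TASK_PFN, 0xffffffff81010050ULL, trace, 2);
}
enum verdict scenario_module_via_api(void) {       /* benign module calls enqueue_task */
    addPFNtoDB(TASK_PFN);
    addr_t trace[] = { 0xffffffffa0000120ULL, 0xffffffff81000500ULL };
    return mediate_write(TASK_PFN, 0xffffffff81010040ULL, trace, 2);
}
enum verdict scenario_module_direct(void) {        /* module writes the protected page itself */
    addPFNtoDB(TASK_PFN);
    addr_t trace[] = { 0xffffffff81000500ULL };
    return mediate_write(TASK_PFN, 0xffffffffa0100200ULL, trace, 1);
}
enum verdict scenario_module_via_internal(void) {  /* module reaches a non-exported helper */
    addPFNtoDB(TASK_PFN);
    addr_t trace[] = { 0xffffffffa0100080ULL };
    return mediate_write(TASK_PFN, 0xffffffff81010900ULL, trace, 1);
}
enum verdict scenario_unregistered_page(void) {    /* ordinary page, nothing to mediate */
    return mediate_write(0x9999ULL, 0xffffffffa0100200ULL, NULL, 0);
}
```

The unregistered-page case matters for performance as much as correctness: only frames in the database go through the policy walk, so the cost of mediation scales with the number of protected frames, which is what the partitioning on slides 10 and 11 keeps small.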

Page 17: Evaluation
• Attack Prevention and Detection

Page 18: Evaluation (Cont.)
• Performance on loading and unloading modules
  • Normal: no kernel memory protection
  • Protected: protection without partitioning
  • Sentry: both memory protection and partitioning

Page 19: Evaluation (Cont.)
• Performance on file system read/write
• Memory page utility
  • A partitioned kernel used 6502 pages, compared to 6302 pages used by the unpartitioned kernel.

Page 20: Evaluation (Cont.)
• Performance on real-world jobs
• Performance on the process data structure
  • 1000 µs = 1 ms

Page 21: Evaluation (Cont.)
• False Positive Analysis
  • Benign modules do not modify security-critical kernel data directly; they use the exported APIs provided by the kernel.
  • For example, benign modules do not modify run_list directly but use enqueue_task and dequeue_task to change this member; since those functions are valid APIs, the modules still work fine.
• Our system did not show any false positives and detected all attacks.

Page 22: Conclusion
• We create protected memory regions within the unified kernel data space.
• We show how to optimize the kernel memory space layout for the protection constraints created by our system.
• We design and develop a system, Sentry, which is capable of protecting both statically and dynamically allocated data structures.