![Page 1: Subverting Operating System Properties through Evolutionary …s3.eurecom.fr/slides/dimva16_graziano.slides.pdf · 2020-06-17 · DIMVA’2016’G’San’Sebastian,’Spain ... evolution](https://reader034.fdocuments.net/reader034/viewer/2022050110/5f479a0a76876623ef5298fc/html5/thumbnails/1.jpg)
Subverting Operating System Properties through Evolutionary DKOM Attacks
Mariano Graziano, Lorenzo Flore, Andrea Lanzi, Davide Balzarotti
Cisco Systems, Inc.; Università degli Studi di Milano; Eurecom
DIMVA 2016 - San Sebastian, Spain
TRADITIONAL DKOM ATTACKS
(diagram: three EPROCESS structures)
TRADITIONAL DKOM DEFENSES
‣ Kernel data integrity solutions:
  ‣ invariants
  ‣ external systems
  ‣ memory analysis
  ‣ data partitioning
EVOLUTIONARY DKOM ATTACKS
(figure: evolution of the data structure of interest over time)
EVOLUTIONARY DKOM ATTACKS
Violation of a temporal property
The attack cannot be detected by looking at a single snapshot.
STATE VS PROPERTY
‣ Traditional DKOM attacks affect the state and are discrete
‣ Evolutionary DKOM (E-DKOM) attacks affect the evolution in time of a given property and are continuous
THREAT MODEL
‣ Attacker has access to ring0
‣ Malicious code not detectable by current solutions
‣ Attacker cannot modify kernel code or attack the VMM
EXAMPLE: LINUX CFS SCHEDULER
SUBVERTING THE SCHEDULER
(diagram: run queue, with the target task and the right-most task marked)
Set target.vruntime > rightmost.vruntime
We affected the evolution of the data structure over time. We altered the scheduler property (fair execution).
ATTACK EVALUATION
‣ Temporarily block an IDS or Antivirus
‣ Temporarily block Inotify
DEFENSES?
‣ Reference monitor that mimics the OS property:
  ‣ OS specific
  ‣ Difficult to generalize
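As an added example (not code from the paper or its defense framework), a minimal temporal reference monitor for the CFS case above: it checks each run-queue snapshot on its own, then checks how vruntime evolves between consecutive snapshots, which is where the inflated target task becomes visible. The snapshot series, task names and millisecond units are constructed.

```python
# Constructed example: a temporal-property monitor over run-queue snapshots,
# each (time_ms, {task: vruntime_ms}) from a one-CPU system with equal-weight
# tasks: per interval a task gains at most the elapsed time of vruntime.
from typing import Dict, List, Tuple
Snapshot = Tuple[int, Dict[str, int]]

# Between t=10 and t=20 "target" gains 55 ms of vruntime although only 10 ms
# elapsed: it becomes right-most and is never picked again, yet each snapshot
# on its own is a perfectly valid state.
SNAPSHOTS: List[Snapshot] = [
    (0, {"A": 0, "B": 0, "target": 0}),
    (10, {"A": 4, "B": 3, "target": 3}),
    (20, {"A": 7, "B": 7, "target": 58}),
    (30, {"A": 12, "B": 12, "target": 58}),
    (40, {"A": 17, "B": 17, "target": 58}),
]

def check_state(snap: Snapshot) -> List[str]:
    """State invariant on one snapshot: no negative vruntime."""
    return [f"{t}: negative vruntime {v}" for t, v in snap[1].items() if v < 0]

def check_evolution(prev: Snapshot, cur: Snapshot) -> List[str]:
    """Temporal invariant: vruntime is monotonic and bounded by elapsed time."""
    (t0, a), (t1, b) = prev, cur
    elapsed, findings = t1 - t0, []
    for task in sorted(a.keys() & b.keys()):
        delta = b[task] - a[task]
        if delta < 0:
            findings.append(f"{task}: vruntime decreased by {-delta} ms")
        elif delta > elapsed:
            findings.append(f"{task}: vruntime grew {delta} ms in {elapsed} ms")
    return findings

def starved_tasks(snaps: List[Snapshot], window: int) -> List[str]:
    """Fairness: tasks whose vruntime stalled over `window` snapshots while others ran."""
    recent = snaps[-window:]
    if len(recent) < window:
        return []
    first, last = recent[0][1], recent[-1][1]
    common = set.intersection(*(set(s[1]) for s in recent))
    if not any(last[t] > first[t] for t in common):
        return []
    return sorted(t for t in common if last[t] == first[t])

def monitor(snaps: List[Snapshot], window: int = 3) -> List[str]:
    """State checks per snapshot, temporal checks per consecutive pair."""
    findings = [f for s in snaps for f in check_state(s)]
    findings += [f for p, c in zip(snaps, snaps[1:]) for f in check_evolution(p, c)]
    return findings + [f"{t}: never scheduled in last {window} snapshots"
                       for t in starved_tasks(snaps, window)]
```

Every single-snapshot check passes on this series; only the pairwise check and the starvation window report the target task.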
DEFENSE FRAMEWORK
OVERHEAD
(figure: overhead under normal operations and under a stress test)
CONCLUSIONS
‣ New DKOM attack based on the evolution of data structures over time
‣ Experiment on the Linux CFS scheduler
‣ Defense solution based on a hypervisor
‣ A general mitigation/solution is very hard