Loading presentation...

Present Remotely

Send the link below via email or IM

Copy

Present to your audience

Start remote presentation

  • Invited audience members will follow you as you navigate and present
  • People invited to a presentation do not need a Prezi account
  • This link expires 10 minutes after you close the presentation
  • A maximum of 30 users can follow your presentation
  • Learn more about this feature in our knowledge base article

Do you really want to delete this prezi?

Neither you, nor the coeditors you shared it with will be able to recover it again.

DeleteCancel

Nested Kernel Presentation: General Purpose 45 min

This prezi details our efforts in creating the nested kernel architecture, a new operating system organization that enables a single kernel to enforce memory isolation and privilege separation within the kernel itself.
by

Nathan Dautenhahn

on 30 March 2016

Comments (0)

Please log in to add your comment.

Report abuse

Transcript of Nested Kernel Presentation: General Purpose 45 min

Monolithic Operating System Architecture
Drivers
Virtual Memory
1) What's the problem?
2) Nested Kernel Approach
3) Intra-Kernel Isolation
4) Evaluation
5) Future Work
The Nested Kernel Architecture
Nested Kernel: An Operating System Architecture for Intra-Kernel Privilege Separation
*Nathan Dautenhahn
Theodoros Kasampalis
Will Dietz
John Criswell
Vikram Adve
UIUC
UIUC
UIUC
University of Rochester
UIUC
Nested Kernel
MMU
Isolate MMU at a single hardware privilege level by
virtualizing supervisor mode
Simple malware are extremely powerful:
File System
CPU Virtualization
Networking
Nested Kernel Property
Hardware privilege boundary
Threads, Address Spaces, and Message Passing
Microkernel
Virtualizing the MMU with the Nested Kernel
nk_update_pte(mapping,pte){

if (
update_pts_to_ptp(val, pte)
){
set_read_only();
}
do_update();
}
The nested kernel interposes on all modifications of the MMU
Access to Page Tables is
configured
read-only
Read-only permissions
enforced
while the outer kernel executes
Microbenchmarks
Macrobenchmark
Apache HTTPD
Kernel Reorganization
Trusted Computing Base
Code Scanner
40 implicit instructions
2 writes to cr0
38 wrmsr
52 Files
~1900 LOC Modified
~100 Deleted
IOMMU + SMP + NX Configuration support needed
∼4000 C
∼800 Assembly
248 Python Scanner
MMU TCB FreeBSD 9.0 / PerspicuOS: 232x
Nested Kernel Services
Write-Logging
Intra-kernel memory isolation
Nested Kernel
MMU Isolation and Write-Protection Services
Key Takeaways
Intra-kernel memory protection services
Lifetime kernel code integrity in FreeBSD 9.0
End-to-end
intra-kernel security solutions
Directions for the Nested Kernel
Formal verification
of Nested Kernel
Nested Kernel
VMMs

De-privileging
to virtualize other
hardware
(e.g.,
EFLAGS
)
Nested Kernel and Microkernel Address Similar Problems but...
Virtualize supervisor mode
Observation: If we can Restrict Access to the Page Tables then Enable Memory Isolation
13.1%
Initialize read-only
Outer Kernel
Nested Kernel
Outer Kernel Execution Integrity
Problem: A complete lack of memory isolation
Super-Duper-Ooper-Schmooper Big Idea:
Isolate the MMU using the MMU
Nested Kernel Lines of Code
TCB for Nested Kernel and MMU Isolation
SLOCCOUNT
The nested kernel isolates the MMU and provides lifetime kernel code integrity
Outer Kernel
Monolithic Operating System
Services
Privilege Separation
Monolithic Applicability
Virtualize Supervisor Mode
Write Protection Service
syscall(read)
syscall_dispatch()
read( )
malicous_read()
operation;
audit_read();
return;
NOOP
Code Injection
operation;
operation;
Violates the integrity of audit recording
System Call Hooking
Confidentiality or Integrity Violation
Single Privilege Level
Efficient Privilege Switch
Entry Gate
2. Disable write-protection enforcement
1. Disable interrupts
3. Switch to nested kernel stack
Outer Kernel
Nested Kernel
Exit Gate
2. Enable write-protection enforcement
3. Enable interrupts
1. Switch to outer kernel stack
Outer Kernel
Nested Kernel
Enforcing Privilege Separation on x86-64
Static Code Privilege Separation
mov cr0, val
nk_wr_cr0(val)
mov cr3, val
nk_wr_cr3(val)
Write Mediation
Guaranteed invocation and isolation of security monitor
Each connection forks a new process and mmaps data
Reliability
nk_update_pte(mapping,pte)
Special Operating Modes
Return Integrity
Guaranteed Mediation
Nested Kernel key assumption: can enforce read-only on supervisor code
CPU
Memory
Root PTR
Enforcement Bits
Page Tables in Typical Systems
Modifiable by Attacker
Apply to Monolithic OS
No Control Flow Integrity
Access Control Policy
Translation
Overview + Threat Model
Outer Kernel Under Complete Control of Attacker
Source Code
Execution State
No Control Flow Integrity
Nested Kernel source is trusted
Code Deprivilege
CPU
: Base PTR -> CR3
Memory
: PTs
CPU
: CR0 write-protect enable flag
Code Verification
Lifetime Kernel Code Execution Integrity
FreeBSD 9.0: 7.9 MB
PerspicuOS: 34 KB
Virtual Privilege Switch
Attacker cannot remove events
No Virtual Machine Introspection
Virtual Privilege Switch
How Practical is the Nested Kernel
Isolate the MMU not defend against general kernel attacks
Goal: restrict MMU access to nested kernel
Nested Kernel Protections
Memory Protections
CPU Protections
Write-protect Enable:
mov cr0, val
Page Table Base:
mov cr3, val
Non-exececutable:
mov cr4, val
SMEP:
wrmsr(EFER, val)
Page Tables --- read-only
Kernel Code --- read-only
Kernel Data --- NoExecute
User Code + Data --- user-priv
All kernel mappings non-executable
If code:
verify with scanner
configure as executable and read-only
User mode code and data: supervisor mode execution prevention
Lifetime Kernel Code Integrity
User
Kernel
Code
Data
RO
NX
SMEP
SMEP
nk_update_pte:

disable write-protection

if valid_update(newvalue, pte):

*pte = newvalue; // 0x10

enable write-protection

return;
call 0x10
Shadow Process List
Security Monitor
Rootkit removes evidence of malicious activities
Challenge: policy and allocation
Created a shadow allproc list and force updates to go through nk_log()
Ensure attacker is observed
allproc
sh_allproc
remove_proc()
nk_log(...)
Completing the Implementation
Dynamic rewriting for maintenance
NX Policies
SMP
To Finish:
Special operating modes (e.g., SMM)
Future Research
To Add:
Hardware-assisted virtualization (e.g. VT-x)
IOMMU Support
MMU Operation Batching
Port to FreeBSD Current and Refactor
Compelling
memory isolation use cases (e.g., device drivers, file system, crypto)
Retrofit the nested kernel architecture
in FreeBSD 9.0
ret2dir bypasses SMEP, SMAP, and other hardening features [1]
[1] V. P. Kemerlis, M. Polychronakis, and A. D. Keromytis, “ret2dir: Rethinking Kernel Isolation,” in Proceedings of the 23rd USENIX Conference on Security Symposium, Berkeley, CA, USA, 2014, pp. 957–972.
pMMU
vMMU
Base Ptr
Enforce Bits
Outer Kernel
Nested Kernel
1. Memory isolation via MMU
2. Code De-privileging and Runtime Integrity
Full transcript