In this lesson, we delve into various vulnerabilities in operating systems, with a focus on Linux and Windows. We share insights from Chen et al.'s research on Linux kernel vulnerabilities and discuss countermeasures like software fault isolation and memory tagging. We also explore the Shatter attack that demonstrates local privilege escalation in Windows systems. Critical examples highlight the challenges of detecting and fixing these vulnerabilities while emphasizing the need for better defenses. Engage with questions and comments to deepen your understanding.
Secure Operating Systems Lesson B: Let’s go break something
Where are we? • We’ve looked at hardware and software, but I have failed to really show you how to break things… which does rather make the beauty of Multics harder to see • So… let’s look at some examples of OSes breaking
Linux: Overview • Based on Chen et al.’s “Linux kernel vulnerabilities: State-of-the-art defenses and open problems” • They looked at roughly a year of Linux kernel vulnerabilities and found the following…
Vulns • Source: Chen et al.
Vulns (cntd) • Source: Chen et al.
What about countermeasures? • Software fault isolation • Code Integrity (such as SecVisor) • User-level drivers • Memory tagging (detect misuse of untrusted inputs) • Uninitialized memory tracking
Semantic Vulnerabilities • Simply not protecting something that needs to be protected • Does it happen? Yes! (See CVE-2010-1641 and many, many more) • Much harder to detect automatically • This is a hard problem!
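The missing-check pattern behind semantic vulnerabilities, as an added example that is not from the lecture, from the cited paper, or from the Linux source: a constructed user-space model of a "set file flags" handler that never asks who is calling, beside the fixed form that requires the caller to own the inode or hold an override capability. The `inode_t`/`cred_t` types and the `change_allowed` harness are assumptions made for the demo, not kernel interfaces.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed user-space model of a file and of a caller's credentials
 * (assumption: not the kernel's real structures). */
typedef struct { uint32_t owner_uid; uint32_t flags; } inode_t;
typedef struct { uint32_t uid; bool cap_fowner; } cred_t;

/* Semantic vulnerability: the handler never asks whether the caller may modify
 * this inode, so any local user can change any file's flags (no memory bug). */
int set_flags_vulnerable(inode_t *ino, const cred_t *caller, uint32_t new_flags)
{
    (void)caller;                   /* ownership is never consulted */
    ino->flags = new_flags;
    return 0;
}

/* Hardened form: decide access (owner, or a capability that overrides
 * ownership) before touching any state. */
static bool owner_or_capable(const inode_t *ino, const cred_t *caller)
{
    return caller->uid == ino->owner_uid || caller->cap_fowner;
}

int set_flags_fixed(inode_t *ino, const cred_t *caller, uint32_t new_flags)
{
    if (!owner_or_capable(ino, caller))
        return -EPERM;              /* kernel-style negative errno */
    ino->flags = new_flags;
    return 0;
}

/* Scenario: a caller with the given uid/capability tries to set a flag on a
 * root-owned file. Returns true if the handler let the change through. */
bool change_allowed(int (*handler)(inode_t *, const cred_t *, uint32_t),
                    uint32_t caller_uid, bool caller_cap_fowner)
{
    inode_t ino = { .owner_uid = 0, .flags = 0 };
    cred_t caller = { .uid = caller_uid, .cap_fowner = caller_cap_fowner };
    return handler(&ino, &caller, 0x1) == 0 && ino.flags == 0x1;
}

int main(void)
{
    printf("uid 1000 vs vulnerable handler: %s\n",
           change_allowed(set_flags_vulnerable, 1000, false) ? "changed" : "denied");
    printf("uid 1000 vs fixed handler:      %s\n",
           change_allowed(set_flags_fixed, 1000, false) ? "changed" : "denied");
    return 0;
}
```

Note that both handlers are memory-safe and type-correct, which is exactly why this class of bug slips past the automated defenses listed on the previous slide.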
Another problem: Shatter • From: “Exploiting design flaws in the Win32 API for privilege escalation. Or... Shatter Attacks – How to break Windows” • Shatter is a classic example of how things can go wrong
The Setup • Shatter is a local privilege escalation attack • VirusScan runs as LocalAdministrator • I run as an unprivileged user • Can I get VirusScan to execute code on my behalf?
How it works • First, we get a handle to the higher-privileged window – Windows provides the APIs for this • We now have access to the controls on that window programmatically • Set up the max length for our shell code, and paste it in using Windows Messages
WM_TIMER • Send the window a WM_TIMER message with the location of the code we want to execute (oops) • Bingo! • Let’s discuss for a minute…
Complicated: IA64 sysret • Okay, this one is REALLY quite complicated… let’s take a look • Following: “A Stitch In Time Saves Nine: A Case Of Multiple OS Vulnerability” • Eek!
AMD • From Wojtczuk:
Intel • From Wojtczuk:
Think about it… • From Wojtczuk:
Exploitation • DoS is easy; code injection is harder, but not impossible • What’s worse, it’s hard to fix • The crux is how the exception gets kicked off
Things to Do • Read: “Linux kernel vulnerabilities: State-of-the-art defenses and open problems”
Questions & Comments • What do you want to know?