DOI: 10.1145/3052973.3053029 (ACM conference proceedings, research article)

PrivWatcher: Non-bypassable Monitoring and Protection of Process Credentials from Memory Corruption Attacks

Published: 02 April 2017

Abstract

Commodity operating system kernels are typically implemented in low-level, memory-unsafe languages, so memory corruption vulnerabilities are inevitable. Several widely deployed defenses mitigate the impact of memory corruption on executable code and control data. Corruption of non-control data, however, has received far less attention, even though previous kernel exploits have shown that it is a real threat.
We present PrivWatcher, a framework for monitoring and protecting the integrity of process credentials, and of the contexts in which they are used, against memory corruption attacks. PrivWatcher solves several challenges to achieve this. It introduces techniques to isolate and protect the data that define process credentials and to guarantee that this data resides only within the protected memory. By adopting a dual reference monitor model, it then guarantees time-of-check-to-time-of-use (TOCTTOU) consistency between the verification and usage contexts of process credentials. It also provides a secure mechanism that lets the (presumably protected) kernel code verify the protected data without relying on unprotected data fields.
PrivWatcher provides non-bypassable integrity assurances for process credentials and can be adapted to enforce a variety of integrity policies. In this paper we demonstrate an application of PrivWatcher that enforces the original semantics of the OS kernel's access control policy: a change in process privileges is legitimate only if an uncompromised kernel would have allowed it. We implemented a PrivWatcher prototype that protects Ubuntu Linux on x86-64. Evaluation of the prototype showed that PrivWatcher is effective and efficient.
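The mechanism sketched in the abstract, reduced to a user-space model as an added example (this is not PrivWatcher's code; the structure names, the fixed-size pool and the simplified setuid rule are assumptions made for the demonstration). An update-time monitor is the only path by which a task's credentials change, and it decides against its own copy of the task's current credentials rather than against whatever the task currently points at. A use-time monitor, run where the kernel would act on the credentials, checks that the task's cred pointer lands on a whole slot inside the protected region (locality), that it is the slot this task was granted rather than another task's, and that the slot still holds what was committed.

```c
/* Added example, not PrivWatcher's code: a user-space model of the two-monitor
 * credential check described above. The structures, pool size and the
 * privilege-transition rule are simplifications chosen for the demonstration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct cred { uint32_t uid, euid, suid; uint32_t cap_effective; }; /* ids + toy cap mask */
struct task { int pid; struct cred *cred; };  /* the pointer lives in unprotected memory */

/* The "protected region": an ordinary array here; in the real design it would be
 * writable only through the monitor. */
#define POOL_SLOTS 16
static struct cred cred_pool[POOL_SLOTS];
static int pool_used;

/* Monitor-side record of what each task was legitimately granted, keyed by the
 * task object itself rather than by any field an attacker could rewrite. */
struct shadow { const struct task *owner; struct cred *ptr; struct cred snapshot; };
static struct shadow shadows[POOL_SLOTS];
static int shadow_count;

enum verdict { PW_OK = 0, PW_DENIED, PW_UNKNOWN_TASK,
               PW_NOT_IN_POOL, PW_PTR_MISMATCH, PW_CONTENT_MISMATCH };

static struct shadow *find_shadow(const struct task *t) {
    for (int i = 0; i < shadow_count; i++)
        if (shadows[i].owner == t) return &shadows[i];
    return NULL;
}

/* Locality check: the pointer must address a whole slot inside the pool. */
static int in_pool(const struct cred *c) {
    uintptr_t p = (uintptr_t)c, base = (uintptr_t)cred_pool;
    if (p < base || p >= base + sizeof cred_pool) return 0;
    return (p - base) % sizeof(struct cred) == 0;
}

static int uid_held(uint32_t v, const struct cred *old) {
    return v == old->uid || v == old->euid || v == old->suid;
}

/* Toy version of the rule an uncompromised kernel applies: root may become
 * anything; anyone else may only shuffle ids it already holds and never gain
 * capabilities (a stand-in for the setuid semantics the paper preserves). */
static int policy_allows(const struct cred *old, const struct cred *req) {
    if (old->euid == 0) return 1;
    if (!uid_held(req->uid, old) || !uid_held(req->euid, old) || !uid_held(req->suid, old))
        return 0;
    return (req->cap_effective & ~old->cap_effective) == 0;
}

/* Monitor 1 (update time): the only legitimate way to change credentials. The
 * decision is made against the monitor's own snapshot, never against whatever
 * the task's cred pointer currently addresses. */
int monitor_commit(struct task *t, const struct cred *req) {
    struct shadow *s = find_shadow(t);
    if (s && !policy_allows(&s->snapshot, req)) return PW_DENIED;
    if (pool_used >= POOL_SLOTS) return PW_DENIED;         /* toy: slots are never recycled */
    struct cred *slot = &cred_pool[pool_used++];
    *slot = *req;
    t->cred = slot;
    if (!s) { s = &shadows[shadow_count++]; s->owner = t; } /* first creds of a new task */
    s->ptr = slot;
    s->snapshot = *req;
    return PW_OK;
}

/* Monitor 2 (use time): run right before the kernel acts on t->cred, so the
 * record that was checked is the record that is used. */
int monitor_check_use(const struct task *t) {
    const struct shadow *s = find_shadow(t);
    if (!s) return PW_UNKNOWN_TASK;
    if (!in_pool(t->cred)) return PW_NOT_IN_POOL;           /* forged record outside the region */
    if (t->cred != s->ptr) return PW_PTR_MISMATCH;          /* borrowed another task's record */
    if (memcmp(t->cred, &s->snapshot, sizeof *t->cred) != 0)
        return PW_CONTENT_MISMATCH;                         /* overwritten in place */
    return PW_OK;
}

int main(void) {
    struct task init = { 1, NULL }, app = { 2, NULL };
    struct cred root = { 0, 0, 0, 0xffffffffu }, user = { 1000, 1000, 1000, 0 };
    monitor_commit(&init, &root);
    monitor_commit(&app, &user);
    printf("setuid(0) from uid 1000: %d (1 = denied)\n", monitor_commit(&app, &root));
    app.cred->euid = 0;                               /* write-what-where into the record */
    printf("in-place overwrite: %d (5 = content mismatch)\n", monitor_check_use(&app));
    app.cred = init.cred;                             /* repoint at a root task's record */
    printf("pointer swap: %d (4 = pointer mismatch)\n", monitor_check_use(&app));
    return 0;
}
```

Run stand-alone, main reports the verdict for three attacks: an illegitimate setuid(0) request is refused by policy, an in-place write to the record is caught as a content mismatch, and repointing app.cred at the root task's record is caught as a pointer mismatch even though the target lies inside the region. Two things the toy cannot show: in the abstract's design the region is protected from the rest of the kernel, so the in-place overwrite is prevented rather than detected afterwards; and a real kernel legitimately shares one cred object among tasks that forked from each other, so a production monitor must track that sharing instead of insisting on one slot per task.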


Published In

ASIA CCS '17: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security
April 2017, 952 pages
ISBN: 9781450349444
DOI: 10.1145/3052973
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

  1. access control
  2. integrity
  3. non-control data protection
  4. operating system security
  5. verification

Qualifiers

  • Research-article

Conference

ASIA CCS '17

Acceptance Rates

ASIA CCS '17 Paper Acceptance Rate 67 of 359 submissions, 19%;
Overall Acceptance Rate 418 of 2,322 submissions, 18%

Article Metrics

  • Downloads (Last 12 months)41
  • Downloads (Last 6 weeks)3
Reflects downloads up to 28 Dec 2024

Cited By

  • (2025) Constructing arbitrary write via puppet objects and delivering gadgets in Linux kernel. Computers & Security 150:104189, Mar 2025. doi:10.1016/j.cose.2024.104189
  • (2024) Condo: Enhancing Container Isolation Through Kernel Permission Data Protection. IEEE Transactions on Information Forensics and Security 19:6168-6183, 2024. doi:10.1109/TIFS.2024.3411915
  • (2024) KPDP: Kernel Permission Data Protection Against Data-Oriented Attacks. 2024 9th International Conference on Signal and Image Processing (ICSIP), pp. 538-543, 12 Jul 2024. doi:10.1109/ICSIP61881.2024.10671512
  • (2024) kdMonitor: Kernel Data Monitor for Detecting Kernel Memory Corruption. 2024 IEEE Conference on Dependable and Secure Computing (DSC), pp. 66-73, 6 Nov 2024. doi:10.1109/DSC63325.2024.00022
  • (2024) Mitigation of privilege escalation attack using kernel data relocation mechanism. International Journal of Information Security 23(5):3351-3367, 1 Oct 2024. doi:10.1007/s10207-024-00890-4
  • (2024) A Lightweight Defense Scheme Against Usermode Helper Privilege Escalation Using Linux Capability. Information Security, pp. 190-208, 24 Oct 2024. doi:10.1007/978-3-031-75757-0_10
  • (2023) A hybrid alias analysis and its application to global variable protection in the Linux kernel. Proceedings of the 32nd USENIX Conference on Security Symposium, pp. 4211-4228, 9 Aug 2023. doi:10.5555/3620237.3620473
  • (2023) Hardware-Assisted Static and Runtime Attestation for Cloud Deployments. IEEE Transactions on Cloud Computing 11(4):3750-3765, Oct 2023. doi:10.1109/TCC.2023.3327290
  • (2023) SecDINT: Preventing Data-oriented Attacks via Intel SGX Escorted Data Integrity. 2023 IEEE Conference on Communications and Network Security (CNS), pp. 1-9, 2 Oct 2023. doi:10.1109/CNS59707.2023.10289062
  • (2023) CredsCache: Making OverlayFS scalable for containerized services. Future Generation Computer Systems 147:44-58, Oct 2023. doi:10.1016/j.future.2023.04.027
