Tesi Final Marco Oliverio.Pdf
Total Page:16
File Type:pdf, Size:1020Kb
i Abstract Advancements in exploitation techniques call for the need of advanced defenses. Modern operating systems have to face new sophisticate attacks that do not rely on any programming mistake, rather they exploit leaking information from computational side effects (side-channel attacks) or hardware glitches (rowhammer attacks). Mitigating these new attacks poses new challanges and involves delicate trade-offs, balancing security on one side and performance, simplicity, and compatibility on the other. In this disseration we explore the attack surface exposed by page fusion, a memory saving optimization in modern operating systems and, after that, a secure page fusion implementation called VUsion is shown. We then propose a complete and compatible software solution to rowhammer attacks called ZebRAM. Lastly, we show OpenCAL, a free and general libray for the implementation of Cellular Automata, that can be used in several security scenarios. iii Acknowledgements I would like to thank my Supervisor prof. Andrea Pugliese for the encouragement and the extremely valuable advice that put me in a fruitful and exciting research direction. A hearty acknowledgment goes to Kaveh Razavi, Cristiano Giuffrida, Herbert Bos and all the VUSec group of the Vrije Universiteit of Amsterdam. I felt at home from day one and I found myself surrounded by brilliant researchers and good friends. v Contents Abstract i Acknowledgements iii Introduction1 1 VUsion3 1.1 Introduction...................................3 1.2 Page Fusion...................................5 1.2.1 Linux Kernel Same-page Merging...................5 1.2.2 Windows Page Fusion.........................7 1.3 Threat Model..................................8 1.4 Known Attack Vectors.............................8 1.4.1 Information Disclosure.........................8 1.4.2 Flip Feng Shui.............................9 1.5 New Attack Vectors............................... 10 1.5.1 Information Disclosure......................... 10 1.5.2 Flip Feng Shui............................. 11 1.5.3 Summary................................ 13 1.6 Design Principles................................ 13 1.6.1 Stopping Information Disclosure.................... 14 1.6.2 Flip Feng Shui attacks......................... 15 1.6.3 Discussion............................... 15 1.7 Implementation................................. 15 1.7.1 Enforcing the Design Principles.................... 15 1.7.2 Working Set Estimation........................ 16 1.8 Transparent Huge Pages............................ 17 1.8.1 Handling Idle and Active Pages.................... 17 1.8.2 Securing khugepaged.......................... 17 1.9 Evaluation.................................... 18 1.9.1 Security................................. 18 1.9.2 Performance.............................. 19 1.9.3 Fusion Rates.............................. 22 1.10 Related Work.................................. 23 1.10.1 Attacks................................. 23 1.10.2 Defenses................................ 24 1.11 Conclusion................................... 25 2 ZebRAM 27 2.1 Introduction................................... 27 2.2 Background................................... 29 2.2.1 DRAM Organization.......................... 29 2.2.2 The Rowhammer Bug......................... 30 vi 2.2.3 Rowhammer Defenses......................... 31 2.3 Threat Model.................................. 31 2.4 Design...................................... 32 2.5 Implementation................................. 34 2.5.1 ZebRAM Prototype Components................... 35 2.5.2 Implementation Details......................... 36 2.6 Security Evaluation............................... 36 2.6.1 Traditional Rowhammer Exploits................... 37 2.6.2 ZebRAM-aware Exploits........................ 37 Attacking the Unsafe Region...................... 37 Attacking the Safe Region....................... 38 2.7 Performance Evaluation............................. 38 2.8 Related work.................................. 44 2.9 Discussion.................................... 46 2.9.1 Prototype................................ 46 2.9.2 Alternative Implementations...................... 46 2.10 Conclusion................................... 47 3 OpenCAL 49 3.1 Introduction................................... 49 3.2 An OpenCAL Overview: Software Architecture, Main Specifications and a First Example of Application.......................... 51 3.2.1 Software Architecture......................... 51 3.2.2 OpenCAL Domain Specific API Abstractions............. 52 3.2.3 The quantization optimization..................... 56 3.2.4 Conway’s Game of Life........................ 59 3.3 The SciddicaT XCA Example of Application................. 63 3.3.1 The SciddicaTnaive Example of Application.............. 63 The SciddicaTnaive Simulation of the Tessina Landslide....... 64 3.3.2 The SciddicaTac Example of Application............... 65 The SciddicaTac Simulation of the Tessina Landslide......... 66 3.3.3 The SciddicaTac+esl Example of Application............. 66 3.4 Computational Results and Discussion..................... 67 3.4.1 Standard Tests............................. 67 3.4.2 Transition Function Stress Tests.................... 69 3.4.3 Computational Domain Stress Tests.................. 70 3.5 Conclusions and Outlooks........................... 76 4 Conclusion 79 Bibliography 81 vii To Mom and Dad. 1 Introduction The Morris worm in 1988 [146], Zatko private note on buffer overflow [173] and, above all, Elias Levy’s (AlephOne) phrack article on stack-based exploitation [108] published in 1996, made extremely clear that bugs were more threatening than previously thought. They showed how to abuse common memory bugs to get complete control of computer systems. As writing complex software without making any mistake is impossible (a mistake can even hide in the specifics or in the verifier of a formally verified system), the research commu- nity focuses its efforts on preventing the exploitation of bugs, more than bugs themselves. Non-executable memory [9, 124], bound checking [6, 102], address space layout random- ization [136, 22], and control flow integrity [1] are just a few of the effective and already deployed techniques that, even if not bullet-proof, make bug exploitation way harder than it was a decade ago. Unfortunately, since the second half of 2010s, new types of attack techniques were discovered. They use a completely different approach: they do not rely on any software bug. This means that even a (hypothetical) bug-free software is at danger and previous mitigation techniques are useless. The first of these techniques mines confidentiality of a computer system or, in other words, allows unauthorized users to learn sensitive data. Even if breaking confidentiality looks less severe than complete system compromise, total compromise can easily follow either by login credentials disclosure or, as we will shortly see, by combining it with other techniques. When developing complex software (or hardware) components, we can be tempted to abstract away “irrelevant” properties and to focus only on their functional behavior. Bug-free implementations guarantee that unauthorized users cannot access a component’s secret state using the information exposed by its functional behavior. We should not make the mistake, though, of assuming that determined attackers will constrain themselves to look just at the functional behavior. A careful observer can, indeed, focus on overlooked aspects, such as the time, the memory, or the energy spent doing a specific computation. If a correlation exists between these aspects and the secret, then attackers can measure them and then use them to infer the secret state, breaking the confidentiality of our “bug-free” implementation. These kinds of attack are called side-channel attacks and can affect components at every level of the hardware and software stack. While initially the research community focused on side-channel attacks targeting crypto- graphic algorithms [99], in the last decade the community discovered numerous side-channel attacks to applications [172, 111], operating systems [74, 78, 63, 64] and at the micro- architecture level [64, 74, 63], such as the now famous meltdown/spectre bug [98, 110]. Researchers discovered another threat around 2016 that was dubbed rowhammer effect [96]. The effect is a hardware glitch that affects common DRAM chips. The root cause is a physical electrical charge leak between DRAM memory cells that can be abused to flip memory bits. While initially considered just a mere reliability issue, today the literature gives us numerous examples of security breaches using the rowhammer effect [171, 26, 143, 67]. Hardware glitches like rowhammer share one thing with side-channel attacks: they also do not rely on any software bug. Moreover, they offer an important missing piece in bug-free software exploitation: while side-channels can be used to break confidentiality (read primitive), 2 Contents hardware glitches can be used to corrupt data (write primitive). Net effect: a system can be totally compromised without a single bug. The combination of side-channel and hardware glitches poses a severe threat to modern computer systems [143, 26]. Mitigating the resulting attacks is challenging. First of all, we need to consider the software and hardware components in all their complexity, examining every effect that can be measured by an attacker to infer secret information. Moreover, we need to put under scrutiny the interactions between different