DOCSLIB.ORG

OS-Level Attacks and Defenses: from Software to Hardware-Based Exploits © December 2018 by David Gens Phd Referees: Prof

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

OS-LEVELATTACKSANDDEFENSES: FROMSOFTWARETOHARDWARE-BASEDEXPLOITS Dissertation zur Erlangung des akademischen Grades Doktor der Ingenieurswissenschaften (Dr.-Ing.) genehmigt durch den Fachbereich Informatik (FB 20) der Technischen Universtität Darmstadt von D AV I D G E N S aus Wiesbaden, Deutschland Gutachter: Prof. Dr.-Ing. Ahmad-Reza Sadeghi (Erstreferent) Prof. Dr. Thorsten Holz (Zweitreferent) Tag der Einreichung: 14. Dezember 2018 Tag der Disputation: 13. Februar 2019 CYSEC/System Security Lab Intel Collaborative Research Institute (ICRI-CARS) Fachbereich für Informatik Technische Universität Darmstadt Hochschulkennziffer: D17 OS-level Attacks and Defenses: from Software to Hardware-based Exploits © December 2018 by David Gens phd referees: Prof. Dr.-Ing. Ahmad-Reza Sadeghi (1st PhD Referee) Prof. Dr. Thorsten Holz (2nd PhD Referee) further phd commission members: Prof. Dr. Sebastian Faust Prof. Dr. Guido Salvaneschi Prof. Dr.-Ing. Thomas Schneider Darmstadt, Germany December 2018 Veröffentlichung unter CC-BY-SA 4.0 International https://creativecommons.org/licenses/ ABSTRACT Run-time attacks have plagued computer systems for more than three decades, with control-flow hijacking attacks such as return-oriented programming repre- senting the long-standing state-of-the-art in memory-corruption based exploits. These attacks exploit memory-corruption vulnerabilities in widely deployed soft- ware, e.g., through malicious inputs, to gain full control over the platform remotely at run time, and many defenses have been proposed and thoroughly studied in the past. Among those defenses, control-flow integrity emerged as a powerful and ef- fective protection against code-reuse attacks in practice. As a result, we now start to see attackers shifting their focus towards novel techniques through a number of increasingly sophisticated attacks that combine software and hardware vulnerabil- ities to construct successful exploits. These emerging attacks have a high impact on computer security, since they completely bypass existing defenses that assume ei- ther hardware or software adversaries. For instance, they leverage physical effects to provoke hardware faults or force the system into transient micro-architectural states. This enables adversaries to exploit hardware vulnerabilities from software without requiring physical presence or software bugs. In this dissertation, we explore the real-world threat of hardware and software- based run-time attacks against operating systems. While memory-corruption-based exploits have been studied for more than three decades, we show that data-only attacks can completely bypass state-of-the-art defenses such as Control-Flow In- tegrity which are also deployed in practice. Additionally, hardware vulnerabili- ties such as Rowhammer, CLKScrew, and Meltdown enable sophisticated adver- saries to exploit the system remotely at run time without requiring any memory- corruption vulnerabilities in the system’s software. We develop novel design strate- gies to defend the OS against hardware-based attacks such as Rowhammer and Meltdown to tackle the limitations of existing defenses. First, we present two novel data-only attacks that completely break current code-reuse defenses deployed in real-world software and propose a randomization-based defense against such data- only attacks in the kernel. Second, we introduce a compiler-based framework to automatically uncover memory-corruption vulnerabilities in real-world kernel code. Third, we demonstrate the threat of Rowhammer-based attacks in security- sensitive applications and how to enable a partitioning policy in the system’s phys- ical memory allocator to effectively and efficiently defend against such attacks. We demonstrate feasibility and real-world performance through our prototype for the popular and widely used Linux kernel. Finally, we develop a side-channel defense to eliminate Meltdown-style cache attacks by strictly isolating the address space of kernel and user memory. iii ZUSAMMENFASSUNG Softwarebasierte Laufzeitangriffe stellen Rechnerplattformen seit mehr als drei Jahrzehnten vor große Sicherheitsprobleme. In Form weit verbreiteter Offensivtech- niken wie Return-Oriented Programming, die Programmierfehler durch bösartige Eingaben gezielt ausnutzen, können Angreifer im Extremfall so die vollständige Kontrolle über die Plattform erlangen. Daher wurden über die Jahre eine Vielzahl von Defensivmaßnahmen wie Control-Flow Integrity und Fine-Grained Randomi- zation vorgeschlagen und die Effektivität dieser Schutzmechanismen war lange Zeit Gegenstand intensiver Forschungsarbeit. In jüngster Zeit wurden jedoch eine Reihe zunehmend ausgefeilterer Angriffe auf Hardwareschwachstellen aus Softwa- re heraus vorgestellt, die bei Beibehaltung des Angreifersmodells zur kompletten Kompromittierung dieser Systeme führen können. Diese neuartige Entwicklung stellt bestehende Verteidigungen, die traditionelle Softwareangriffe annehmen, so- mit in der Praxis vor große Herausforderungen. Diese Dissertation erforscht eine Reihe solcher neuartigen Angriffsszenarien, um die reale Bedrohung auf das Betriebssystem trotz bestehender Verteidigungsme- chanismen abschätzen zu können. Insbesondere geht die Arbeit im ersten Teil auf die Problematik sogenannter Data-Only Angriffe im Kontext von Defensivmaß- nahmen wie Control-Flow Integrity ein und demonstriert, wie diese unter Aus- nutzung von Softwarefehlern vollständig ausgehebelt werden können. Der zweite Teil erforscht die Bedrohung von Laufzeitangriffen durch Hardwarefehler, auch in Abwesenheit von Softwarefehlern auf welche sich bisherige Verteidigungen be- schränken. Um die bisherigen Problem in den vorhandenen Schutzmechanismen anzugehen wurden neue Designstrategien entwickelt, mit Hilfe derer sich das Be- triebssystem vor solch weiterführenden Angriffen durch geeignete Maßnahmen in Software schützen kann. Zunächst demonstrieren wir eine randomisierungs- basierte Verteidigung gegen Data-Only Angriffe auf Seitentabellen. Des weiteren wird ein Framework zur automatisierten Identifikation von Softwarefehlern im Betriebssystem anhand des Quelltexts auf Basis des LLVM Compilers vorgestellt. Außerdem erforscht die Arbeit eine Absicherung des Betriebbsystems vor Seitenka- nalangriffen durch geeignete Isolation des Addressraumes. Ferner entwickeln wir eine Schutzmaßnahme vor Rowhammer-basierten Angriffen auf das OS, indem der physische Speicherallokator des Systems um eine Partitionierungsstrategie er- weitert wird. v ACKNOWLEDGMENTS First and foremost I would like to thank my thesis advisor Professor Ahmad-Reza Sadeghi for his excellent supervision and continuous support. I am grateful to have Professor Thorsten Holz as thesis co-advisor. I thank Professor Sebastian Faust, Professor Guido Salvaneschi, and Professor Thomas Schneider for being members of my thesis committee. Additional thanks go to Professor Lucas Davi with whom I had the privilege to collaborate and work with while he was still based in Darmstadt and who offered me an initial position in his Junior Research Group funded by DFG’s Emmy Noether program. My research work and travels were funded in part by the Federal Ministry of Education and Research (BMBF) through SAL and by the DFG through CROSS- ING, both of which provided a great working environment and allowed me to collaborate with renowned and leading researchers from academia and industry worldwide. Further, I thank all my co-authors besides Ahmad and Lucas: Orlando Arias, Fer- dinand Brasser, Poulami Das, Ghada Dessouky, Lisa Eckey, Rolf Egert, Sebastian Faust, Marc Fischlin, Tommaso Frassetto, Jason M. Fung, Patrick Haney, Kristina Hostakova, Sven Jacob, Patrick Jauernig, Yier Jin, Arun Karthik Kanuparthi, Ha- reesh Khattri, Christopher Liebchen, Garrett Persyn, Jeyavijayan Rajendran, Si- mon Schmitt, Matthias Senker, Emmanuel Stapf, Dean Sullivan, Jörg Tillmans, and Shaza Zeitouni. Thanks to all my colleagues of the System Security Lab at Technische Universität Darmstadt for fruitful and interesting technical discussion, as well as their help in organizing courses, and a great time. Finally, I would like to thank my family and in particular my parents Monika and Andreas for their continuing encouragement. Special thanks to Miriam for her enduring sympathy, support, and friendship. vii CONTENTS I introduction 1 overview3 1.1 Goals and Scope 5 1.2 Summary of Contributions 5 1.3 Organization 7 1.4 Publications 8 2 background9 2.1 Basic OS-level Defenses 9 2.1.1 Privilege-Level Separation 9 2.1.2 Virtual-Memory Protection 10 2.2 The Traditional Threat Models 11 2.3 Memory-Corruption Attacks 12 2.3.1 Causes of Memory Corruption 12 2.3.2 A Model for Exploitation 13 2.3.3 Typical Attack Workflow 14 2.4 State-of-the-art Attacks and Defenses 15 2.4.1 Return-to-libc and Return-Oriented Programming 15 2.4.2 Code-Reuse Defenses and Advanced Attacks 16 2.4.3 Data-only attacks 17 2.5 Modern Hardware Platforms 18 2.5.1 Overall System Architecture 18 2.5.2 Processor Design Principles 19 2.5.3 Remote Hardware Exploits 21 II memory corruption: the threat of data-only attacks 3 bypassing cfi in modern browsers. 25 3.1 Data-Only Attacks on Dynamic Code Generation 25 3.2 Assumptions and Threat Model 26 3.3 Generically Bypassing CFI by Exploiting JIT-Compilers 27 3.3.1 Attack Overview 27 3.3.2 Corrupting the Intermediate Representation 28 3.3.3 Attack Framework 29 3.4 On the Prevalence of Data-Only Attacks 29 3.5 Possible Mitigations 30 4 breaking and fixing cfi in os kernels. 31 4.1 OS Kernels as Targets of Data-Only Attacks
Recommended publications
  • Operating Systems and Virtualisation Security Knowledge Area (Draft for Comment)

    Operating Systems and Virtualisation Security Knowledge Area (Draft for Comment)

    OPERATING SYSTEMS AND VIRTUALISATION SECURITY KNOWLEDGE AREA (DRAFT FOR COMMENT) AUTHOR: Herbert Bos – Vrije Universiteit Amsterdam EDITOR: Andrew Martin – Oxford University REVIEWERS: Chris Dalton – Hewlett Packard David Lie – University of Toronto Gernot Heiser – University of New South Wales Mathias Payer – École Polytechnique Fédérale de Lausanne © Crown Copyright, The National Cyber Security Centre 2019. Following wide community consultation with both academia and industry, 19 Knowledge Areas (KAs) have been identified to form the scope of the CyBOK (see diagram below). The Scope document provides an overview of these top-level KAs and the sub-topics that should be covered under each and can be found on the project website: https://www.cybok.org/. We are seeking comments within the scope of the individual KA; readers should note that important related subjects such as risk or human factors have their own knowledge areas. It should be noted that a fully-collated CyBOK document which includes issue 1.0 of all 19 Knowledge Areas is anticipated to be released by the end of July 2019. This will likely include updated page layout and formatting of the individual Knowledge Areas. Operating Systems and Virtualisation Security Herbert Bos Vrije Universiteit Amsterdam April 2019 INTRODUCTION In this knowledge area, we introduce the principles, primitives and practices for ensuring security at the operating system and hypervisor levels. We shall see that the challenges related to operating system security have evolved over the past few decades, even if the principles have stayed mostly the same. For instance, when few people had their own computers and most computing was done on multiuser (often mainframe-based) computer systems with limited connectivity, security was mostly focused on isolating users or classes of users from each other1.
  • A Solution to Php Code Injection Attacks and Web

    A Solution to Php Code Injection Attacks and Web

    INTERNATIONAL JOURNAL OF RESEARCH IN COMPUTER APPLICATIONS AND ROBOTICS Vol.2 Issue.9, Pg.: 24-31 September 2014 www.ijrcar.com INTERNATIONAL JOURNAL OF RESEARCH IN COMPUTER APPLICATIONS AND ROBOTICS ISSN 2320-7345 A SOLUTION TO PHP CODE INJECTION ATTACKS AND WEB VULNERABILITIES Venkatesh Yerram1, Dr G.Venkat Rami Reddy2 ¹Computer Networks and Information Security, [email protected] ²Computer Science Engineering, 2nd [email protected] JNTU Hyderabad, India Abstract Over the decade web applications are grown rapidly. This leads to cyber crimes. Attacker injects various scripts to malfunction the web application. Attacker injects these scripts to text box of vulnerable web application from various compounds such as search bar, feedback form, login form etc and later which is executed by the server. Sometimes attacker modifies the URL to execute a successful attack. This execution of system calls and API on web server by attacker can damage the file system and or leaks information of web server. PHP is a server side scripting language, dynamic features and functionalities are controlled through the PHP language. Hence, the use of PHP language results in high possibility of successful execution of code injection attacks. The aim of this paper is first to understand the code web application vulnerability related to PHP code injection attack, the scenario has been developed. Secondly defeat the attack and fast incident determination from the developed domain dictionary. This proposed system is helpful for cyber forensics expert to gather and analyze the evidence effectively Keywords: Code Injection, vulnerabilities, Attack, cyber forensics 1. INTRODUCTION The web environment is growing rapidly day by day, the cyber crimes also increasing rapidly.
  • Security Analysis of Docker Containers in a Production Environment

    Security Analysis of Docker Containers in a Production Environment

    Security analysis of Docker containers in a production environment Jon-Anders Kabbe Master of Science in Communication Technology Submission date: June 2017 Supervisor: Colin Alexander Boyd, IIK Co-supervisor: Audun Bjørkøy, TIND Technologies Norwegian University of Science and Technology Department of Information Security and Communication Technology Title: Security Analysis of Docker Containers in a Production Environment Student: Jon-Anders Kabbe Problem description: Deployment of Docker containers has achieved its popularity by providing an au- tomatable and stable environment serving a particular application. Docker creates a separate image of a file system with everything the application require during runtime. Containers run atop the regular file system as separate units containing only libraries and tools that particular application require. Docker containers reduce the attack surface, improves process interaction and sim- plifies sandboxing. But containers also raise security concerns, reduced segregation between the operating system and application, out of date or variations in libraries and tools and is still an unsettled technology. Docker containers provide a stable and static environment for applications; this is achieved by creating a static image of only libraries and tools the specific application needs during runtime. Out of date tools and libraries are a major security risk when exposing applications over the Internet, but availability is essential in a competitive market. Does Docker raise some security concerns compared to standard application deploy- ment such as hypervisor-based virtual machines? Is the Docker “best practices” sufficient to secure the container and how does this compare to traditional virtual machine application deployment? Responsible professor: Colin Alexander Boyd, ITEM Supervisor: Audun Bjørkøy, TIND Technologies Abstract Container technology for hosting applications on the web is gaining traction as the preferred mode of deployment.
  • Bull SAS: Novascale B260 (Intel Xeon Processor 5110,1.60Ghz)

    Bull SAS: Novascale B260 (Intel Xeon Processor 5110,1.60Ghz)

    SPEC CINT2006 Result spec Copyright 2006-2014 Standard Performance Evaluation Corporation Bull SAS SPECint2006 = 10.2 NovaScale B260 (Intel Xeon processor 5110,1.60GHz) SPECint_base2006 = 9.84 CPU2006 license: 20 Test date: Dec-2006 Test sponsor: Bull SAS Hardware Availability: Dec-2006 Tested by: Bull SAS Software Availability: Dec-2006 0 1.00 2.00 3.00 4.00 5.00 6.00 7.00 8.00 9.00 10.0 11.0 12.0 13.0 14.0 15.0 16.0 17.0 18.0 12.7 400.perlbench 11.6 8.64 401.bzip2 8.41 6.59 403.gcc 6.38 11.9 429.mcf 12.7 12.0 445.gobmk 10.6 6.90 456.hmmer 6.72 10.8 458.sjeng 9.90 11.0 462.libquantum 10.8 17.1 464.h264ref 16.8 9.22 471.omnetpp 8.38 7.84 473.astar 7.83 12.5 483.xalancbmk 12.4 SPECint_base2006 = 9.84 SPECint2006 = 10.2 Hardware Software CPU Name: Intel Xeon 5110 Operating System: Windows Server 2003 Enterprise Edition (32 bits) CPU Characteristics: 1.60 GHz, 4MB L2, 1066MHz bus Service Pack1 CPU MHz: 1600 Compiler: Intel C++ Compiler for IA32 version 9.1 Package ID W_CC_C_9.1.033 Build no 20061103Z FPU: Integrated Microsoft Visual Studio .NET 2003 (lib & linker) CPU(s) enabled: 1 core, 1 chip, 2 cores/chip MicroQuill SmartHeap Library 8.0 (shlW32M.lib) CPU(s) orderable: 1 to 2 chips Auto Parallel: No Primary Cache: 32 KB I + 32 KB D on chip per core File System: NTFS Secondary Cache: 4 MB I+D on chip per chip System State: Default L3 Cache: None Base Pointers: 32-bit Other Cache: None Peak Pointers: 32-bit Memory: 8 GB (2GB DIMMx4, FB-DIMM PC2-5300F ECC CL5) Other Software: None Disk Subsystem: 73 GB SAS, 10000RPM Other Hardware: None
  • Microkernel Mechanisms for Improving the Trustworthiness of Commodity Hardware

    Microkernel Mechanisms for Improving the Trustworthiness of Commodity Hardware

    Microkernel Mechanisms for Improving the Trustworthiness of Commodity Hardware Yanyan Shen Submitted in fulfilment of the requirements for the degree of Doctor of Philosophy School of Computer Science and Engineering Faculty of Engineering March 2019 Thesis/Dissertation Sheet Surname/Family Name : Shen Given Name/s : Yanyan Abbreviation for degree as give in the University calendar : PhD Faculty : Faculty of Engineering School : School of Computer Science and Engineering Microkernel Mechanisms for Improving the Trustworthiness of Commodity Thesis Title : Hardware Abstract 350 words maximum: (PLEASE TYPE) The thesis presents microkernel-based software-implemented mechanisms for improving the trustworthiness of computer systems based on commercial off-the-shelf (COTS) hardware that can malfunction when the hardware is impacted by transient hardware faults. The hardware anomalies, if undetected, can cause data corruptions, system crashes, and security vulnerabilities, significantly undermining system dependability. Specifically, we adopt the single event upset (SEU) fault model and address transient CPU or memory faults. We take advantage of the functional correctness and isolation guarantee provided by the formally verified seL4 microkernel and hardware redundancy provided by multicore processors, design the redundant co-execution (RCoE) architecture that replicates a whole software system (including the microkernel) onto different CPU cores, and implement two variants, loosely-coupled redundant co-execution (LC-RCoE) and closely-coupled redundant co-execution (CC-RCoE), for the ARM and x86 architectures. RCoE treats each replica of the software system as a state machine and ensures that the replicas start from the same initial state, observe consistent inputs, perform equivalent state transitions, and thus produce consistent outputs during error-free executions.
  • Draft SP 800-125A Rev. 1, Security Recommendations for Server

    Draft SP 800-125A Rev. 1, Security Recommendations for Server

    The attached DRAFT document (provided here for historical purposes), released on April 11, 2018, has been superseded by the following publication: Publication Number: NIST Special Publication (SP) 800-125A Rev. 1 Title: Security Recommendations for Server-based Hypervisor Platforms Publication Date: June 2018 • Final Publication: https://doi.org/10.6028/NIST.SP.800-125Ar1 (which links to https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-125Ar1.pdf). • Related Information on CSRC: Final: https://csrc.nist.gov/publications/detail/sp/800-125a/rev-1/final 1 Draft NIST Special Publication 800-125A 2 Revision 1 3 4 Security Recommendations for 5 Hypervisor Deployment on 6 ServersServer-based Hypervisor 7 Platforms 8 9 10 11 12 Ramaswamy Chandramouli 13 14 15 16 17 18 19 20 21 22 23 C O M P U T E R S E C U R I T Y 24 25 Draft NIST Special Publication 800-125A 26 Revision 1 27 28 29 30 Security Recommendations for 31 Server-based Hypervisor Platforms 32 33 Hypervisor Deployment on Servers 34 35 36 37 Ramaswamy Chandramouli 38 Computer Security Division 39 Information Technology Laboratory 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 April 2018 56 57 58 59 60 61 U.S. Department of Commerce 62 Wilbur L. Ross, Jr., Secretary 63 64 National Institute of Standards and Technology 65 Walter Copan, NIST Director and Under Secretary of Commerce for Standards and Technology 66 67 Authority 68 69 This publication has been developed by NIST in accordance with its statutory responsibilities under the 70 Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C.
  • Host-Based Code Injection Attacks: a Popular Technique Used by Malware

    Host-Based Code Injection Attacks: a Popular Technique Used by Malware

    Host-Based Code Injection Attacks: A Popular Technique Used By Malware Thomas Barabosch Elmar Gerhards-Padilla Fraunhofer FKIE Fraunhofer FKIE Friedrich-Ebert-Allee 144 Friedrich-Ebert-Allee 144 53113 Bonn, Germany 53113 Bonn, Germany [email protected] [email protected] c 2014 IEEE. Personal use of this material is per- implemented with different goals in mind, they share one mitted. Permission from IEEE must be obtained for all common feature: they all inject code locally into foreign other uses, in any current or future media, including process spaces. One reason for this behaviour is detection reprinting/republishing this material for advertising or avoidance. However, code injections are not limited to tar- promotional purposes, creating new collective works, for geted malware. Mass-malware also uses code injections in resale or redistribution to servers or lists, or reuse of any order to stay under the radar (ZeroAccess, ZeusP2P or Con- copyrighted component of this work in other works. ficker). Detection avoidance is not the only advantage of us- ing code injections from a malware author’s point of view. Abstract Further reasons for using code injections are interception of critical information, privilege escalation or manipulation of Common goals of malware authors are detection avoid- security products. ance and gathering of critical information. There exist The above mentioned examples are all malware fami- numerous techniques that help these actors to reach their lies for Microsoft Windows. However, code injections are goals. One especially popular technique is the Host-Based platform-independent. In fact all established multitasking Code Injection Attack (HBCIA).
  • A Complete Bibliography of ACM Transactions on Computer Systems

    A Complete Bibliography of ACM Transactions on Computer Systems

    A Complete Bibliography of ACM Transactions on Computer Systems Nelson H. F. Beebe University of Utah Department of Mathematics, 110 LCB 155 S 1400 E RM 233 Salt Lake City, UT 84112-0090 USA Tel: +1 801 581 5254 FAX: +1 801 581 4148 E-mail: [email protected], [email protected], [email protected] (Internet) WWW URL: http://www.math.utah.edu/~beebe/ 10 August 2021 Version 1.75 Title word cross-reference Accelerating [BJS01]. Accelerator [CZL+15]. Accelerators [LAB+13]. Accent [FR86]. Access [AT83, LZCZ86, LP93, Smi84b, GB01]. arc [GS93]. N [SHG95, Mae85]. Access/Execute [Smi84b]. Accesses [AJ19, HY92, Kel00]. accessing [ACM04]. -Body [SHG95]. accounting [EV03]. accuracy [Jim05]. Accurate [GVM+11, NTW09]. Ace [RR99]. 11/780 [Cla83, CE85]. 1988 [ACM88]. Achieve [LLL+16]. ACM [Jha20]. ACM/SIGOPS [ACM88]. Action [Sch84]. + 2.6 [PTS 14]. 2011 [Mow12]. 2019 [MT20]. Actions [Ree83]. Activations [ABLL92]. active [SJS+00]. Activity 36 [Jha20]. [IRH86, MSB+06]. Ad [BYFK08, FKA10]. Adaptable [AC92]. Adaptation 4 [Jha20]. 432 [CGJ88, CCLP83]. [BS91, AD03, FS04]. Adaptive [ALHH08, AS95, MLS97, CT01]. Address 780 [Cla83, CE85]. [CLFL94, SV99]. Adrenaline [HZL+17]. Affected [IRH86]. Aggregate [AB83]. Abstract [Her86, SS84]. abstraction aggregation [JMB05]. Aggressive [CRL03, Kel00]. Abstractions [SKH+16]. 1 2 [GWSU13]. AI [RDB+21]. Air [CDD96]. al [HKS+83]. Arrays [SHCG94]. Article [Jha20]. Algorithm [Jha20]. Asbestos [VEK+07]. [Bad86, DC85, HBAK86, Lam87, Mae85, Assignments [BGM86]. Assistant Ray89, SK85, Zha91]. Algorithms [HLZ+16]. Assisting [KMG16]. [CM86, GD87, GLM91, KS91, KH92, LA93, Associative [SA95]. Astrolabe [VBV03]. MCS91, San87, Sau83a, Sau83b, TS89, KY04]. Asymmetric [SFKP12]. At-Most-Once allergies [QTZS07]. Allocation [LSW91]. ATC [MT20].
  • The Rise and Imminent Fall of the N-Day Exploit Market in the Cybercriminal Underground

    The Rise and Imminent Fall of the N-Day Exploit Market in the Cybercriminal Underground

    The Rise and Imminent Fall of the N-Day Exploit Market in the Cybercriminal Underground Mayra Rosario Fuentes and Shiau-Jing Ding Contents TREND MICRO LEGAL DISCLAIMER The information provided herein is for general information and educational purposes only. It is not intended and 4 should not be construed to constitute legal advice. The information contained herein may not be applicable to all Introduction situations and may not reflect the most current situation. Nothing contained herein should be relied on or acted upon without the benefit of legal advice based on the particular facts and circumstances presented and nothing 7 herein should be construed otherwise. Trend Micro reserves the right to modify the contents of this document Overview of Exploit Developers at any time without prior notice. Translations of any material into other languages are intended solely as a convenience. Translation accuracy is not guaranteed nor implied. If any questions arise 12 related to the accuracy of a translation, please refer to the original language official version of the document. Any Overview of Exploit Demand and discrepancies or differences created in the translation are Availability not binding and have no legal effect for compliance or enforcement purposes. Although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein, Trend Micro 16 makes no warranties or representations of any kind as to its accuracy, currency, or completeness. You agree Outdated Exploits that access to and use of and reliance on this document and the content thereof is at your own risk. Trend Micro disclaims all warranties of any kind, express or implied.
  • SMASH: Synchronized Many-Sided Rowhammer Attacks from Javascript

    SMASH: Synchronized Many-Sided Rowhammer Attacks from Javascript

    SMASH: Synchronized Many-sided Rowhammer Attacks from JavaScript Finn de Ridder Pietro Frigo Emanuele Vannacci Herbert Bos ETH Zurich VU Amsterdam VU Amsterdam VU Amsterdam VU Amsterdam Cristiano Giuffrida Kaveh Razavi VU Amsterdam ETH Zurich Abstract has instead been lagging behind. In particular, rather than Despite their in-DRAM Target Row Refresh (TRR) mitiga- addressing the root cause of the Rowhammer bug, DDR4 in- tions, some of the most recent DDR4 modules are still vul- troduced a mitigation known as Target Row Refresh (TRR). nerable to many-sided Rowhammer bit flips. While these TRR, however, has already been shown to be ineffective bit flips are exploitable from native code, triggering them against many-sided Rowhammer attacks from native code, in the browser from JavaScript faces three nontrivial chal- at least in its current in-DRAM form [12]. However, it is lenges. First, given the lack of cache flushing instructions in unclear whether TRR’s failing also re-exposes end users to JavaScript, existing eviction-based Rowhammer attacks are TRR-aware, JavaScript-based Rowhammer attacks from the already slow for the older single- or double-sided variants browser. In fact, existing many-sided Rowhammer attacks and thus not always effective. With many-sided Rowhammer, require frequent cache flushes, large physically-contiguous mounting effective attacks is even more challenging, as it re- regions, and certain access patterns to bypass in-DRAM TRR, quires the eviction of many different aggressor addresses from all challenging in JavaScript. the CPU caches. Second, the most effective many-sided vari- In this paper, we show that under realistic assumptions, it ants, known as n-sided, require large physically-contiguous is indeed possible to bypass TRR directly from JavaScript, memory regions which are not available in JavaScript.
  • Low-Cost Mitigation Against Cold Boot Attacks for an Authentication Token

    Low-Cost Mitigation Against Cold Boot Attacks for an Authentication Token

    Low-cost Mitigation against Cold Boot Attacks for an Authentication Token Ian Goldberg?1, Graeme Jenkinson2, and Frank Stajano2 1 University of Waterloo (Canada) 2 University of Cambridge (United Kingdom) Abstract. Hardware tokens for user authentication need a secure and usable mechanism to lock them when not in use. The Pico academic project proposes an authentication token unlocked by the proximity of simpler wearable devices that provide shares of the token’s master key. This method, however, is vulnera- ble to a cold boot attack: an adversary who captures a running Pico could extract the master key from its RAM and steal all of the user’s credentials. We present a cryptographic countermeasure—bivariate secret sharing—that protects all the credentials except the one in use at that time, even if the token is captured while it is on. Remarkably, our key storage costs for the wearables that supply the cryp- tographic shares are very modest (256 bits) and remain constant even if the token holds thousands of credentials. Although bivariate secret sharing has been used before in slightly different ways, our scheme is leaner and more efficient and achieves a new property—cold boot protection. We validated the efficacy of our design by implementing it on a commercial Bluetooth Low Energy development board and measuring its latency and energy consumption. For reasonable choices of latency and security parameters, a standard CR2032 button-cell battery can power our prototype for 5–7 months, and we demonstrate a simple enhancement that could make the same battery last for over 9 months.
  • Comparing Filesystem Performance: Red Hat Enterprise Linux 6 Vs

    Comparing Filesystem Performance: Red Hat Enterprise Linux 6 Vs

    COMPARING FILE SYSTEM I/O PERFORMANCE: RED HAT ENTERPRISE LINUX 6 VS. MICROSOFT WINDOWS SERVER 2012 When choosing an operating system platform for your servers, you should know what I/O performance to expect from the operating system and file systems you select. In the Principled Technologies labs, using the IOzone file system benchmark, we compared the I/O performance of two operating systems and file system pairs, Red Hat Enterprise Linux 6 with ext4 and XFS file systems, and Microsoft Windows Server 2012 with NTFS and ReFS file systems. Our testing compared out-of-the-box configurations for each operating system, as well as tuned configurations optimized for better performance, to demonstrate how a few simple adjustments can elevate I/O performance of a file system. We found that file systems available with Red Hat Enterprise Linux 6 delivered better I/O performance than those shipped with Windows Server 2012, in both out-of- the-box and optimized configurations. With I/O performance playing such a critical role in most business applications, selecting the right file system and operating system combination is critical to help you achieve your hardware’s maximum potential. APRIL 2013 A PRINCIPLED TECHNOLOGIES TEST REPORT Commissioned by Red Hat, Inc. About file system and platform configurations While you can use IOzone to gauge disk performance, we concentrated on the file system performance of two operating systems (OSs): Red Hat Enterprise Linux 6, where we examined the ext4 and XFS file systems, and Microsoft Windows Server 2012 Datacenter Edition, where we examined NTFS and ReFS file systems.