DOCSLIB.ORG

Lord of the X86 Rings: a Portable User Mode Privilege Separation Architecture on X86

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

View metadata, citation and similar papers at core.ac.uk brought to you by CORE Lord of the x86 Rings: A Portable User Mode Privilege Separation Architecture on x86 Hojoon Lee∗ Chihyun Song Brent Byunghoon Kang CISPA Helmholtz Center i.G. GSIS, School of Computing, KAIST GSIS, School of Computing, KAIST [email protected] [email protected] [email protected] ABSTRACT 1 INTRODUCTION Modern applications often involve processing of sensitive informa- User applications today are prone to software attacks, and yet are tion. However, the lack of privilege separation within the user space often monolithically structured or lack privilege separation. As leaves sensitive application secret such as cryptographic keys just a result, adversaries who have successfully exploited a software as unprotected as a "hello world" string. Cutting-edge hardware- vulnerability in an application can access sensitive in-process code supported security features are being introduced. However, the or data that are irrelevant to the exploited module or part of the features are often vendor-specific or lack compatibility with older application. Today’s applications often contain secrets that are too generations of the processors. The situation leaves developers with critical to reside in the memory along with the rest of the application no portable solution to incorporate protection for the sensitive contents, as we have witnessed in the incident of HeartBleed [20, application component. 45]. We propose LOTRx86, a fundamental and portable approach The conventional software privilege model that coarsely divides for user-space privilege separation. Our approach creates a more the system privilege into only two levels (user-level and kernel- privileged user execution layer called PrivUser by harnessing the level) has failed to provide a fundamental solution that can support underused intermediate privilege levels on the x86 architecture. The privilege separation in user applications. As a result, critical appli- PrivUser memory space, a set of pages within process address space cation secrets such as cryptographic information are essentially that are inaccessible to user mode, is a safe place for application treated no differently than a "hello world" string in user memory secrets and routines that access them. We implement the LOTRx86 space. When the control flow of a running user context is compro- ABI that exports the privcall interface to users to invoke secret mised, there is no access control left to prevent the hijacked context handling routines in PrivUser. This way, sensitive application oper- to access arbitrary memory addresses. ations that involve the secrets are performed in a strictly controlled Many approaches have been introduced to mitigate the chal- manner. The memory access control in our architecture is privilege- lenging issue within the boundaries of the existing application based, accessing the protected application secret only requires a memory protection mechanisms provided by the operating sys- change in the privilege, eliminating the need for costly remote pro- tem. A number of works proposed using the process abstraction cedure calls or change in address space. We evaluated our platform as a unit of protection by separating a program into multiple pro- by developing a proof-of-concept LOTRx86-enabled web server that cesses [7, 29, 41]. The fundamental idea is to utilize the process employs our architecture to securely access its private key during separation mechanism provided by the OS; these work achieve an SSL connection. We conducted a set of experiments including a privilege separation by splitting a single program into multiple performance measurement on the PoC on both Intel and AMD PCs, processes. However, this process-level separation incurs a signifi- and confirmed that LOTRx86 incurs only a limited performance cant overhead due to the cost of the inter-process communication overhead. (IPC) between the processes or address space switching that incur TLB flushes. Also, the coarse unit of separation still leaves alarge CCS CONCEPTS attack surface for attackers. The direction has advanced through • Security and privacy → Trusted computing; a plethora of works on the topic. One prominent aspect of the ad- vancements is the granularity of protection. Thread-level protection KEYWORDS schemes [6, 24, 44] have reduced the protection granularity com- pared to the process-level separation schemes while still suffering privilege separation; memory protection; operating system from performance overhead from page table modifications. Shreds presented fine-grained in-process memory protection using amem- ∗ affiliation changed from KAIST to CISPA as of Sept2018 ory partitioning feature that has long been present in ARM called Memory Domains [11]. However, the feature has been deprecated Permission to make digital or hard copies of all or part of this work for personal or in the 64-bit execution mode of the ARM architecture (AARCH64). classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation In the more recent years, a number of processor architecture on the first page. Copyrights for components of this work owned by others than ACM revisions and academic works have taken a more fundamental must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, approach to provide in-process protection; Intel has introduced to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]. Software Guard Extensions (SGX) to its new x86 processors to pro- CCS ’18, October 15–19, 2018, Toronto, ON, Canada tect sensitive application and code and data from the rest of the © 2018 Association for Computing Machinery. application as well as the possibly malicious kernel [4, 14]. Intel also ACM ISBN 978-1-4503-5693-0/18/10...$15.00 https://doi.org/10.1145/3243734.3243748 offers hardware-assisted in-process memory safety and protection features [13, 15] and AMD has announced the plans to embed a PrivUser memory space and the use of the key (e.g., sign a mes- similar feature to its future generations of x86 processors [19]. How- sage with the key) is only allowed through our privcall interface. ever, the support for the new processor features are fragmented; In our PoC web server, the in-memory private key is inaccessible not only that the features are not inter-operable across processors outside the privcall routines that are invoked securely, hence ar- from different vendors (Intel, AMD), they are also only available bitrary access to the key is automatically thwarted (i.e., HeartBleed). on the newer processors. Hypervisor-based application memory The evaluation of the PoC and other evaluations are conducted on protection [10, 35] may serve to be a more portable solution, consid- both Intel and AMD PCs. We summarize the contributions of our ering the widespread adaption of hypervisors nowadays. However, LOTRx86 architecture as the following: it is not reasonable for a developer to assume that her users are using a virtual machine. • We propose a portable privileged user mode architecture for The situation presents complications for developers who need to sensitive application code and data protection that does not consider the portability as well as the security of the sensitive data require address switching or run-time page table manipula- her program processes. Therefore, we argue that there is a need tion. for an approach that provides a basis for an privilege in-process • We introduce the privcall ABI that allows user layer to separation based on only the portable features of the processor. invoke the privcall routines in a strictly controlled way. We An memory separation should not require a complete in-process also provide necessary software for building an LOTRx86- address space switching to access the protected memory or costly enabled software. page table modifications. In this paper, we propose a novel x86 user-mode privilege sep- • We developed a PoC LOTRx86-enabled web server to demon- aration architecture called The Lord of the x86 Rings (LOTRx86) strate the protection of in-memory private key during SSL architecture. Our architecture proposes a drastically different, yet connection. portable approach for user privilege separation on x86. While the existing approaches sought to retrofit the memory protection mech- anisms within the boundaries of the OS kernel’s support, we pro- 2 BACKGROUND: THE X86 PRIVILEGE pose the creation of a more privileged user layer called PrivUser ARCHITECTURE that protects sensitive application code and data from the normal The LOTRx86 architecture design leverages the x86 privilege struc- user mode. For this objective, LOTRx86 harnesses the underused tures in a unique way. Hence, it is necessary that we explain the x86 intermediate Rings (Ring1 and Ring2) with our unique design x86 privilege system before we go further into the LOTRx86 archi- that satisfies security requirements that define a distinct privilege tecture design. In this section, we briefly describe the x86 privilege layer. The PrivUser memory space is a subset of a process memory concepts focusing on the topics that are closely related to this paper. space that is accessible to when the process context is in PrivUser mode but inaccessible when in user mode. In our architecture, user memory access control is privileged-based. Therefore, the architec- 2.1 The Ring Privileges ture does not require costly run-time page table manipulations nor Modern operating systems on the x86 architecture adapt the two address space switching. privilege level model in which user programs run in Ring3 and We also implement the LOTRx86 ABI that exports the privcall kernel in Ring0. The x86 architecture, in fact, supports four privilege interface that supports PrivUser layer invocation from user layer. layers – Ring0 through Ring3 where Ring0 is the highest privilege To draw an analogy, the syscall interface is a controlled invocation on the system.
Recommended publications
  • Deciding Memory Safety for Single-Pass Heap-Manipulating Programs

    Deciding Memory Safety for Single-Pass Heap-Manipulating Programs

    Deciding Memory Safety for Single-Pass Heap-Manipulating Programs UMANG MATHUR, University of Illinois, Urbana-Champaign, USA ADITHYA MURALI, University of Illinois, Urbana-Champaign, USA PAUL KROGMEIER, University of Illinois, Urbana-Champaign, USA P. MADHUSUDAN, University of Illinois, Urbana-Champaign, USA MAHESH VISWANATHAN, University of Illinois, Urbana-Champaign, USA We investigate the decidability of automatic program verification for programs that manipulate heaps, andin particular, decision procedures for proving memory safety for them. We extend recent work that identified a decidable subclass of uninterpreted programs to a class of alias-aware programs that can update maps. We 35 apply this theory to develop verification algorithms for memory safetyÐ determining if a heap-manipulating program that allocates and frees memory locations and manipulates heap pointers does not dereference an unallocated memory location. We show that this problem is decidable when the initial allocated heap forms a forest data-structure and when programs are streaming-coherent, which intuitively restricts programs to make a single pass over a data-structure. Our experimental evaluation on a set of library routines that manipulate forest data-structures shows that common single-pass algorithms on data-structures often fall in the decidable class, and that our decision procedure is efficient in verifying them. CCS Concepts: • Theory of computation → Logic and verification; Automated reasoning. Additional Key Words and Phrases: Memory Safety, Program Verification, Aliasing, Decidability, Uninterpreted Programs, Streaming-Coherence, Forest Data-Structures ACM Reference Format: Umang Mathur, Adithya Murali, Paul Krogmeier, P. Madhusudan, and Mahesh Viswanathan. 2020. Deciding Memory Safety for Single-Pass Heap-Manipulating Programs. Proc. ACM Program.
  • Intra-Unikernel Isolation with Intel Memory Protection Keys

    Intra-Unikernel Isolation with Intel Memory Protection Keys

    Intra-Unikernel Isolation with Intel Memory Protection Keys Mincheol Sung Pierre Olivier∗ Virginia Tech, USA The University of Manchester, United Kingdom [email protected] [email protected] Stefan Lankes Binoy Ravindran RWTH Aachen University, Germany Virginia Tech, USA [email protected] [email protected] Abstract ACM Reference Format: Mincheol Sung, Pierre Olivier, Stefan Lankes, and Binoy Ravin- Unikernels are minimal, single-purpose virtual machines. dran. 2020. Intra-Unikernel Isolation with Intel Memory Protec- This new operating system model promises numerous bene- tion Keys. In 16th ACM SIGPLAN/SIGOPS International Conference fits within many application domains in terms of lightweight- on Virtual Execution Environments (VEE ’20), March 17, 2020, Lau- ness, performance, and security. Although the isolation be- sanne, Switzerland. ACM, New York, NY, USA, 14 pages. https: tween unikernels is generally recognized as strong, there //doi.org/10.1145/3381052.3381326 is no isolation within a unikernel itself. This is due to the use of a single, unprotected address space, a basic principle 1 Introduction of unikernels that provide their lightweightness and perfor- Unikernels have gained attention in the academic research mance benefits. In this paper, we propose a new design that community, offering multiple benefits in terms of improved brings memory isolation inside a unikernel instance while performance, increased security, reduced costs, etc. As a keeping a single address space. We leverage Intel’s Memory result,
  • Nessus 8.3 User Guide

    Nessus 8.3 User Guide

    Nessus 8.3.x User Guide Last Updated: September 24, 2021 Table of Contents Welcome to Nessus 8.3.x 12 Get Started with Nessus 15 Navigate Nessus 16 System Requirements 17 Hardware Requirements 18 Software Requirements 22 Customize SELinux Enforcing Mode Policies 25 Licensing Requirements 26 Deployment Considerations 27 Host-Based Firewalls 28 IPv6 Support 29 Virtual Machines 30 Antivirus Software 31 Security Warnings 32 Certificates and Certificate Authorities 33 Custom SSL Server Certificates 35 Create a New Server Certificate and CA Certificate 37 Upload a Custom Server Certificate and CA Certificate 39 Trust a Custom CA 41 Create SSL Client Certificates for Login 43 Nessus Manager Certificates and Nessus Agent 46 Install Nessus 48 Copyright © 2021 Tenable, Inc. All rights reserved. Tenable, Tenable.io, Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trade- marks of Tenable,Inc. Tenable.sc, Tenable.ot, Lumin, Indegy, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective Download Nessus 49 Install Nessus 51 Install Nessus on Linux 52 Install Nessus on Windows 54 Install Nessus on Mac OS X 56 Install Nessus Agents 58 Retrieve the Linking Key 59 Install a Nessus Agent on Linux 60 Install a Nessus Agent on Windows 64 Install a Nessus Agent on Mac OS X 70 Upgrade Nessus and Nessus Agents 74 Upgrade Nessus 75 Upgrade from Evaluation 76 Upgrade Nessus on Linux 77 Upgrade Nessus on Windows 78 Upgrade Nessus on Mac OS X 79 Upgrade a Nessus Agent 80 Configure Nessus 86 Install Nessus Home, Professional, or Manager 87 Link to Tenable.io 88 Link to Industrial Security 89 Link to Nessus Manager 90 Managed by Tenable.sc 92 Manage Activation Code 93 Copyright © 2021 Tenable, Inc.
  • Pwny Documentation Release 0.9.0

    Pwny Documentation Release 0.9.0

    pwny Documentation Release 0.9.0 Author Nov 19, 2017 Contents 1 pwny package 3 2 pwnypack package 5 2.1 asm – (Dis)assembler..........................................5 2.2 bytecode – Python bytecode manipulation..............................7 2.3 codec – Data transformation...................................... 11 2.4 elf – ELF file parsing.......................................... 16 2.5 flow – Communication......................................... 36 2.6 fmtstring – Format strings...................................... 41 2.7 marshal – Python marshal loader................................... 42 2.8 oracle – Padding oracle attacks.................................... 43 2.9 packing – Data (un)packing...................................... 44 2.10 php – PHP related functions....................................... 46 2.11 pickle – Pickle tools.......................................... 47 2.12 py_internals – Python internals.................................. 49 2.13 rop – ROP gadgets........................................... 50 2.14 shellcode – Shellcode generator................................... 50 2.15 target – Target definition....................................... 79 2.16 util – Utility functions......................................... 80 3 Indices and tables 83 Python Module Index 85 i ii pwny Documentation, Release 0.9.0 pwnypack is the official CTF toolkit of Certified Edible Dinosaurs. It aims to provide a set of command line utilities and a python library that are useful when playing hacking CTFs. The core functionality of pwnypack
  • I386-Engine™ Technical Manual

    I386-Engine™ Technical Manual

    i386-Engine™ C/C++ Programmable, 32-bit Microprocessor Module Based on the Intel386EX Technical Manual 1950 5 th Street, Davis, CA 95616, USA Tel: 530-758-0180 Fax: 530-758-0181 Email: [email protected] http://www.tern.com Internet Email: [email protected] http://www.tern.com COPYRIGHT i386-Engine, VE232, A-Engine, A-Core, C-Engine, V25-Engine, MotionC, BirdBox, PowerDrive, SensorWatch, Pc-Co, LittleDrive, MemCard, ACTF, and NT-Kit are trademarks of TERN, Inc. Intel386EX and Intel386SX are trademarks of Intel Coporation. Borland C/C++ are trademarks of Borland International. Microsoft, MS-DOS, Windows, and Windows 95 are trademarks of Microsoft Corporation. IBM is a trademark of International Business Machines Corporation. Version 2.00 October 28, 2010 No part of this document may be copied or reproduced in any form or by any means without the prior written consent of TERN, Inc. © 1998-2010 1950 5 th Street, Davis, CA 95616, USA Tel: 530-758-0180 Fax: 530-758-0181 Email: [email protected] http://www.tern.com Important Notice TERN is developing complex, high technology integration systems. These systems are integrated with software and hardware that are not 100% defect free. TERN products are not designed, intended, authorized, or warranted to be suitable for use in life-support applications, devices, or systems, or in other critical applications. TERN and the Buyer agree that TERN will not be liable for incidental or consequential damages arising from the use of TERN products. It is the Buyer's responsibility to protect life and property against incidental failure. TERN reserves the right to make changes and improvements to its products without providing notice.
  • Protecting Million-User Ios Apps with Obfuscation: Motivations, Pitfalls, and Experience

    Protecting Million-User Ios Apps with Obfuscation: Motivations, Pitfalls, and Experience

    Protecting Million-User iOS Apps with Obfuscation: Motivations, Pitfalls, and Experience Pei Wang∗ Dinghao Wu Zhaofeng Chen Tao Wei [email protected] [email protected] [email protected] [email protected] The Pennsylvania State The Pennsylvania State Baidu X-Lab Baidu X-Lab University University ABSTRACT ACM Reference Format: In recent years, mobile apps have become the infrastructure of many Pei Wang, Dinghao Wu, Zhaofeng Chen, and Tao Wei. 2018. Protecting popular Internet services. It is now fairly common that a mobile app Million-User iOS Apps with Obfuscation: Motivations, Pitfalls, and Experi- ence. In ICSE-SEIP ’18: 40th International Conference on Software Engineering: serves a large number of users across the globe. Different from web- Software Engineering in Practice Track, May 27–June 3, 2018, Gothenburg, based services whose important program logic is mostly placed on Sweden. ACM, New York, NY, USA, 10 pages. https://doi.org/10.1145/3183519. remote servers, many mobile apps require complicated client-side 3183524 code to perform tasks that are critical to the businesses. The code of mobile apps can be easily accessed by any party after the software is installed on a rooted or jailbroken device. By examining the code, skilled reverse engineers can learn various knowledge about the 1 INTRODUCTION design and implementation of an app. Real-world cases have shown During the last decade, mobile devices and apps have become the that the disclosed critical information allows malicious parties to foundations of many million-dollar businesses operated globally. abuse or exploit the app-provided services for unrightful profits, However, the prosperity has drawn many malevolent attempts to leading to significant financial losses for app vendors.
  • “Sok: Eternal War in Memory”

    “Sok: Eternal War in Memory”

    “SoK: Eternal War in Memory” Presented by Mengjia Yan MIT 6.888 Fall 2020 Overview • Discuss the paper “SoK: Eternal War in Memory” with concrete examples • Recent progress on memory safety • With a focus on hardware/architecture 2 Motivation • C/C++ is unsafe • EveryboDy runs C/C++ coDe • They surely have exploitable vulnerabilities 3 Low-level Language Basics (C/C++/Assembly) 0x00..0000 • Programmers have more control + Efficient OS memory - Bugs - Programming productivity TEXT (code) Global/Static • Pointers DATA • Address of variables (uint64): index of memory location where variable is stored Heap • Programmers need to do pointer check, e.g. NULL, out-of-bound, use-after-free Stack 0xFF..FFFF 4 Low-level Language Basics 0x00..0000 TEXT (code) Heap Stack 0xFF..FFFF 5 Low-level Language Basics TEXT (code) stack 6 Attacks Code Injection Attack Example TEXT (code) int func (char *str) { Shell code: char buffer[12]; strncpy(buffer, str, len(str)); PUSH “/bin/sh” CALL system stack return 1; } int main() { …. func (input); … } 8 Code Injection Attack TEXT (code) TEXT (code) stack stack buffer Shell code … … Return addr Return addr 9 Attacks 10 Return-Oriented Programming (ROP) int func (char *str) { TEXT (code) TEXT (code) char buffer[12]; strncpy(buffer, str, len(str)); stack stack return 1; } …. int main() { buffer …. … … func (input); Return addr Return addr … } 11 Attacks 12 HeartBleed Vulnerability • Publicly DiscloseD in April 2014 • Bug in the OpenSSL cryptographic software library heartbeat extension • Missing a bound check 13 Attacks
  • MPTEE: Bringing Flexible and Efficient Memory Protection to Intel

    MPTEE: Bringing Flexible and Efficient Memory Protection to Intel

    MPTEE: Bringing Flexible and Efficient Memory Protection to Intel SGX Wenjia Zhao Kangjie Lu* Yong Qi* Saiyu Qi Xi’an Jiaotong University University of Minnesota Xi’an Jiaotong University Xidian University University of Minnesota Abstract code, emerge in today’s market. In particular, Intel has pro- Intel Software Guard eXtensions (SGX), a hardware-based vided SGX in its commodity processors, which supports a se- Trusted Execution Environment (TEE), has become a promis- cure region, namely enclave, to protect the internally loaded ing solution to stopping critical threats such as insider attacks code and data. Given its important and practical protection, and remote exploits. SGX has recently drawn extensive re- SGX has been extensively studied and used in practice. For search in two directions—using it to protect the confidentiality example, SCONE [1] uses it to effectively enhance the secu- and integrity of sensitive data, and protecting itself from at- rity of containers with low overhead. JITGuard [17] leverages tacks. Both the applications and defense mechanisms of SGX it to protect the security-critical just-in-time compiler oper- have a fundamental need—flexible memory protection that ations. SGXCrypter[49] utilizes it to securely unpack and updates memory-page permissions dynamically and enforces execute Windows binaries. There are many other useful appli- the least-privilege principle. Unfortunately, SGX does not pro- cations [35], [34], [31],[6], which confirm the practical and vide such a memory-protection mechanism due to the lack of promising applications of SGX. hardware support and the untrustedness of operating systems. Another line of research is to protect SGX itself from at- This paper proposes MPTEE, a memory-protection mech- tacks.
  • DOS Virtualized in the Linux Kernel

    DOS Virtualized in the Linux Kernel

    DOS Virtualized in the Linux Kernel Robert T. Johnson, III Abstract Due to the heavy dominance of Microsoft Windows® in the desktop market, some members of the software industry believe that new operating systems must be able to run Windows® applications to compete in the marketplace. However, running applications not native to the operating system generally causes their performance to degrade significantly. When the application and the operating system were written to run on the same machine architecture, all of the instructions in the application can still be directly executed under the new operating system. Some will only need to be interpreted differently to provide the required functionality. This paper investigates the feasibility and potential to speed up the performance of such applications by including the support needed to run them directly in the kernel. In order to avoid the impact to the kernel when these applications are not running, the needed support was built as a loadable kernel module. 1 Introduction New operating systems face significant challenges in gaining consumer acceptance in the desktop marketplace. One of the first realizations that must be made is that the majority of this market consists of non-technical users who are unlikely to either understand or have the desire to understand various technical details about why the new operating system is “better” than a competitor’s. This means that such details are extremely unlikely to sway a large amount of users towards the operating system by themselves. The incentive for a consumer to continue using their existing operating system or only upgrade to one that is backwards compatible is also very strong due to the importance of application software.
  • Least Privilege and Privilege Separation

    Least Privilege and Privilege Separation

    CSE 127: Computer Security Least privilege and privilege separation Deian Stefan Slides adopted from John Mitchell, Dan Boneh, and Stefan Savage This week… • How to build secure systems ➤ Least privilege and privilege separation ➤ Sandboxing and isolation • Key is underlying principles not mechanisms ➤ We’re going to look at systems techniques ➤ Other ways to achieve similar goals: language-based Principles of secure design • Principle of least privilege • Privilege separation • Defense in depth ➤ Use more than one security mechanism ➤ Fail securely/closed • Keep it simple Principles of secure design • Principle of least privilege • Privilege separation • Defense in depth ➤ Use more than one security mechanism ➤ Fail securely/closed • Keep it simple Principle of Least Privilege Defn: A system should only have the minimal privileges needed for its intended purposes • What’s a privilege? ➤ Ability to access (e.g., read or write) a resource Principle of Least Privilege Defn: A system should only have the minimal privileges needed for its intended purposes • What’s a privilege? ➤ Ability to access (e.g., read or write) a resource Principle of Least Privilege Defn: A system should only have the minimal privileges needed for its intended purposes • What’s a privilege? ➤ Ability to access (e.g., read or write) a resource What’s the problem with this defn? • Talking about a huge, monolith system is not really useful • Why? Network Network User input User device File system File system Breaking a system into components • Compartmentalization and isolation ➤ Separate the system into isolated compartments ➤ Limit interaction between compartments • Why is this more meaningful? Network Network User input User device File system File system How dow we break things apart? Map compartment to user ids! • Recall: permissions in UNIX granted according to UID ➤ A process may access files, network sockets, ….
  • New Concept of the Android Keystore Service with Regard to Security and Portability

    New Concept of the Android Keystore Service with Regard to Security and Portability

    University of Bremen Department of Mathematics and Computer Science New concept of the Android keystore service with regard to security and portability. Master’s Thesis by Fritjof Bornebusch reviewed by Dr. Karsten Sohr Prof. Dr. Jan Peleska supervised by Dipl. Inf. Florian Junge 2016 Confirmation I hereby confirm that I wrote this master thesis on my own and that I have used only the indicated references, resources, and aids. In German: Hiermit bestätige ich, dass ich die vorliegende Masterthesis selbstständig verfasst, und keine anderen als die angegebenen Quellen und Hilfsmittel verwendet habe. Bremen, 1/13/2016 Fritjof Bornebusch “Any fool can write code that a computer can understand. Good programmers write code that humans can understand.” – Martin Fowler – Bornebusch, Fritjof New concept of the Android keystore service with regard to security and portability. Master’s thesis, Department 3 - Mathematics / Computer Science University of Bremen, 2015 This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0). To view a copy of this license, send an email to [email protected], visit http://creativecommons.org/licenses/by-nc-sa/4.0/ or send a letter to Creative Commons, PO Box 1866, Mountain View, California, 94042, USA. Table of Contents Acknowledgements 7 List of Figures 9 List of Listings 10 Acronyms 13 Glossary 15 1 Introduction 19 2 Background 24 2.1 Android System Architecture . 24 2.1.1 Security-Enhanced Linux . 28 2.1.2 Capabilities . 31 2.2 Memory Vulnerabilities . 32 2.2.1 Buffer Overflow Protection . 33 2.2.2 Dead Store Elimination .
  • Integration of Security Measures and Techniques in an Operating System (Considering Openbsd As an Example)

    Integration of Security Measures and Techniques in an Operating System (Considering Openbsd As an Example)

    Motivation Security Solutions and Techniques Summary Integration of Security Measures and Techniques in an Operating System (considering OpenBSD as an example) Igor Boehm Institute for Information Processing and Microprocessor Technology Johannes Kepler University Linz, Austria Igor Boehm Integration of Security Measures and Techniques in an OS Motivation Security Solutions and Techniques Summary Outline 1 Motivation The Basic Problem Being Studied Preliminary Solution Ideas and Goals 2 Security Solutions and Techniques Secure Software Design Techniques Memory Protection Techniques Relevance of Random Numbers for Security Igor Boehm Integration of Security Measures and Techniques in an OS Motivation The Basic Problem Being Studied Security Solutions and Techniques Preliminary Solution Ideas and Goals Summary Outline 1 Motivation The Basic Problem Being Studied Preliminary Solution Ideas and Goals 2 Security Solutions and Techniques Secure Software Design Techniques Memory Protection Techniques Relevance of Random Numbers for Security Igor Boehm Integration of Security Measures and Techniques in an OS Motivation The Basic Problem Being Studied Security Solutions and Techniques Preliminary Solution Ideas and Goals Summary The Basic Problem Being Studied The Clever Attacker: . finds a bug . knows how to craft an exploit . the exploit grants the attacker an advantage . the exploit is likely to work on many systems because of the strict regularity of the system environment Is there a way to solve this problem? Igor Boehm Integration of Security