Seminar on Computer Security Threats and Counter Measures
Hardware Attack Prevention (No execute bit, DEP data execution prevention), Trusted Platform Module
Patrick Anagnostaras

Summary
1. Hardware attack prevention
2. Trusted Platform Module

1.1 No Execute Bit: Aims
- Prevent malicious software from taking over the computer: the classic path is to insert code into an area meant for data (a stack or heap buffer) and then make the CPU run that code from there, i.e. a buffer overflow exploit
- Prevent the virus, worm and Trojan horse attacks that rely on this, for example:
  - Blaster
  - Sasser
  - Code Red

1.2 No execute bit
- Technology implemented in CPUs
- Segregates areas of memory into
  - storage of processor instructions
  - storage of data (normally only separated physically on Harvard architecture processors; on a von Neumann machine such as x86 the NX bit adds this distinction per page)
- Page marked NX -> only stores data -> no execution of processor instructions from it
- Page not marked NX -> may hold processor instructions

1.3 No Execute Bit: denominations
- AMD -> No Execute (NX)
- Intel -> Execute Disable Bit (XD)
- Microsoft -> Execution Protection, later named Data Execution Prevention (DEP)

1.4 NX Bit hardware background
- Bit 63 of a page-table entry on an x86 processor
- If set to 0 -> code can be executed from this page
- If set to 1 -> no execution possible -> anything on the page is treated as data; an instruction fetch from it causes a page fault
- Page tables must have the PAE table format (Physical Address Extension): the classic 32-bit entries have no bit 63, so on 32-bit x86 the NX bit exists only with PAE; 64-bit long mode uses the same 64-bit entry format. In both cases the operating system must also enable the feature (EFER.NXE), otherwise bit 63 is a reserved bit.
- PAE maps up to 64 GB of physical memory into a 32-bit (4 GB) virtual address space using either 4 KB or 2 MB pages.

1.5 First NX Bit compatible processors
- IBM PowerPC (1992)
- Sun SPARC (1995)
- AMD Opteron, Athlon 64 (2004)
- Intel Itanium, Pentium 4 (2004)
- Transmeta Efficeon (2004)

1.6 Software emulation of the NX Bit
- Emulation by the operating system, for CPUs without a hardware NX bit
  - prevents stack and heap memory from being executable
  - prevents executable memory from being writable
  - helps prevent buffer overflow exploitation

1.7 OS technologies of the NX Bit
- PaX: Adamantix, Hardened Gentoo (October 2000)
- Exec Shield: Fedora Core, Red Hat Enterprise Linux (May 2003)
- W^X: OpenBSD
- DEP: Windows XP SP2, Windows Server 2003 SP1 (August 2004), Windows Vista

1.8 Comparison of technologies: overhead
- Overhead: the amount of extra CPU processing power required for each technology to function
- Emulation of the NX bit will usually impose a measurable overhead
- No significant measurable overhead on CPUs supplying a hardware NX bit

1.8.1 Comparison of technologies: Exec Shield
- Checks two ELF program-header markings that state whether the stack or heap needs to be executable: PT_GNU_STACK and PT_GNU_HEAP
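What that check looks like in practice. The following is an added example in C, not part of the slides: it walks an ELF64 file's program headers the way a loader or Exec Shield would to find PT_GNU_STACK, and reports whether the binary asks for an executable stack. It assumes Linux with glibc's <elf.h> and a little-endian host; the sample images it classifies are constructed in memory (header plus program headers only, not runnable binaries).

```c
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Result of looking for the PT_GNU_STACK program header. */
enum stack_marking {
    STACK_MARK_BAD = -1,   /* not a parsable ELF64 image */
    STACK_MARK_ABSENT = 0, /* no PT_GNU_STACK: old toolchain, loader applies its default */
    STACK_MARK_NOEXEC = 1, /* PT_GNU_STACK without PF_X: non-executable stack requested */
    STACK_MARK_EXEC = 2    /* PT_GNU_STACK with PF_X: binary asks for an executable stack */
};

/* Scan the program headers of an ELF64 image held in memory.
   Assumes the image uses the host's byte order (ELFDATA2LSB on x86-64 / AArch64). */
int classify_stack_marking(const uint8_t *img, size_t len)
{
    Elf64_Ehdr eh;
    if (len < sizeof eh) return STACK_MARK_BAD;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0) return STACK_MARK_BAD;
    if (eh.e_ident[EI_CLASS] != ELFCLASS64 || eh.e_ident[EI_DATA] != ELFDATA2LSB) return STACK_MARK_BAD;
    if (eh.e_phentsize != sizeof(Elf64_Phdr)) return STACK_MARK_BAD;
    /* Bounds check written so that neither the offset nor the table size can overflow. */
    if (eh.e_phoff > len || (uint64_t)eh.e_phnum * sizeof(Elf64_Phdr) > len - eh.e_phoff)
        return STACK_MARK_BAD;

    int result = STACK_MARK_ABSENT;
    for (uint16_t i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;
        memcpy(&ph, img + eh.e_phoff + (size_t)i * sizeof ph, sizeof ph);
        if (ph.p_type == PT_GNU_STACK)
            result = (ph.p_flags & PF_X) ? STACK_MARK_EXEC : STACK_MARK_NOEXEC;
    }
    return result;
}

/* Same check on a file, e.g. classify_stack_marking_file("/proc/self/exe"). */
int classify_stack_marking_file(const char *path)
{
    FILE *f = fopen(path, "rb");
    if (!f) return STACK_MARK_BAD;
    size_t cap = 1 << 16, len = 0, n;
    uint8_t *buf = malloc(cap);
    if (!buf) { fclose(f); return STACK_MARK_BAD; }
    while ((n = fread(buf + len, 1, cap - len, f)) > 0) {
        len += n;
        if (len == cap) {                       /* grow the buffer, keeping the old one on failure */
            uint8_t *nb = realloc(buf, cap * 2);
            if (!nb) { free(buf); fclose(f); return STACK_MARK_BAD; }
            buf = nb; cap *= 2;
        }
    }
    fclose(f);
    int r = classify_stack_marking(buf, len);
    free(buf);
    return r;
}

/* Build a minimal constructed ELF64 image (header + program headers only, not a runnable
   binary) with one PT_LOAD and, if with_gnu_stack, a PT_GNU_STACK header carrying stack_flags. */
size_t build_sample_elf(uint8_t *out, size_t cap, int with_gnu_stack, uint32_t stack_flags)
{
    Elf64_Ehdr eh; Elf64_Phdr ph[2];
    memset(&eh, 0, sizeof eh); memset(ph, 0, sizeof ph);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64; eh.e_ident[EI_DATA] = ELFDATA2LSB; eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type = ET_EXEC; eh.e_machine = EM_X86_64; eh.e_version = EV_CURRENT;
    eh.e_ehsize = sizeof eh; eh.e_phoff = sizeof eh; eh.e_phentsize = sizeof(Elf64_Phdr);
    eh.e_phnum = with_gnu_stack ? 2 : 1;
    ph[0].p_type = PT_LOAD;      ph[0].p_flags = PF_R | PF_X; ph[0].p_align = 0x1000;
    ph[1].p_type = PT_GNU_STACK; ph[1].p_flags = stack_flags; ph[1].p_align = 16;
    size_t n = sizeof eh + (size_t)eh.e_phnum * sizeof(Elf64_Phdr);
    if (n > cap) return 0;
    memcpy(out, &eh, sizeof eh);
    memcpy(out + sizeof eh, ph, n - sizeof eh);
    return n;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/proc/self/exe";
    static const char *names[] = { "absent (loader default applies)", "non-executable stack", "EXECUTABLE stack" };
    int r = classify_stack_marking_file(path);
    if (r < 0) { fprintf(stderr, "%s: not a parsable ELF64 file\n", path); return 1; }
    printf("%s: PT_GNU_STACK %s\n", path, names[r]);
    return 0;
}
```

Run it as `./a.out /path/to/binary`; without an argument it inspects itself through /proc/self/exe. This is the same information `readelf -l file | grep GNU_STACK` prints. A missing header (STACK_MARK_ABSENT) is the case that historically made the glibc loader fall back to an executable stack, so it deserves the same attention as an explicit RWE marking.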
- The markings are honoured for both executables and libraries -> if an executable loads a library that requires the restriction relaxed, it inherits that marking and the restriction is relaxed for the whole process
- Tracks the upper code segment limit: the CS limit is kept just above the highest executable mapping, so on CPUs without an NX bit nothing above it (stack, heap, most mmap areas) can be executed
- CPUs without NX bit -> pages below the code segment limit are not protected
- A few cycles of overhead -> not measurable

1.8.2 Comparison of technologies: PaX
- PaX can use the hardware NX bit or emulate NX functionality on CPUs that lack it; it also offers trampoline emulation (EMUTRAMP) so that code relying on small run-time generated stack trampolines still works with a non-executable stack
- Works on x86 CPUs that do not have an NX bit
- Ignores PT_GNU_STACK and PT_GNU_HEAP (PaX carries its own per-binary marking, PT_PAX_FLAGS)
- Supplies two methods of NX bit emulation:
  - SEGMEXEC
  - PAGEEXEC

1.8.3 Comparison of technologies: PaX - SEGMEXEC
- Imposes a measurable but low overhead (<1%)
- Virtual memory mirroring: the user address space is split into a data half and a code half, executable mappings are mirrored into the code half, and the code segment covers only that half, so an instruction fetch from data memory faults
- Effect: the task's virtual address space is cut in two
  - the task can address less memory
  - no problems until a task requires more than half the normal address space (rare)
- Restricts the system memory a program can access

1.8.4 Comparison of technologies: PaX - PAGEEXEC
- Similar to Exec Shield
- No page becomes executable unless the operating system explicitly marks it as such
- Also protects pages below the code segment limit (page-fault based emulation on CPUs without an NX bit)
- Supplies mprotect() restrictions -> prevents programs from later marking memory both writable and executable for a potential exploit
- The page-fault based emulation is a high overhead operation
- If the hardware NX bit is used, no emulation is needed -> no overhead

1.8.5 Comparison of technologies: W^X memory protection
- Any page in a process address space is either writable or executable, never both (xor = ^)
- Stack not executable -> no execution of arbitrary injected code -> the attempt causes the program to terminate

1.8.6 Comparison of technologies: DEP
- On Windows -> enabled by default for essential Windows programs and services only (the "OptIn" policy)
- Configurable through the advanced properties of "My Computer" (System Properties -> Performance -> Data Execution Prevention)

1.9 Hardware enforced DEP
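What hardware enforcement of the NX bit (1.4) and the W^X rule (1.8.5) look like from user space. This is an added example in C, not from the slides; it assumes Linux on x86-64 or AArch64, and the few bytes of machine code for a function that returns 42 are constructed inline. The same experiment on Windows would use VirtualAlloc/VirtualProtect with PAGE_READWRITE and PAGE_EXECUTE_READ in place of mmap/mprotect.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed machine code for a function that returns 42, per architecture. */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char RET42[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 };             /* mov eax,42 ; ret */
#elif defined(__aarch64__)
static const unsigned char RET42[] = { 0x40, 0x05, 0x80, 0xd2, 0xc0, 0x03, 0x5f, 0xd6 }; /* mov x0,#42 ; ret */
#else
#error "add the 'return 42' encoding for this architecture"
#endif

#define EXEC_FAULTED  (-1)   /* the CPU refused to fetch instructions from the page */
#define EXEC_NOTSETUP (-2)   /* mmap/mprotect failed, e.g. PROT_EXEC denied by a policy */

static sigjmp_buf fault_env;

static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* Call `page` as a function, turning the SIGSEGV/SIGBUS of an NX fault into EXEC_FAULTED. */
static int call_page(void *page)
{
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sa.sa_flags = SA_NODEFER;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    volatile int rc = EXEC_FAULTED;          /* stays EXEC_FAULTED if fn() never returns */
    if (sigsetjmp(fault_env, 1) == 0) {
        int (*fn)(void);
        memcpy(&fn, &page, sizeof fn);       /* object-to-function pointer without a cast */
        rc = fn();
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return rc;
}

/* Map a page, write RET42 into it while it is writable, switch it to `prot`, then try to run it.
   PROT_READ|PROT_WRITE -> EXEC_FAULTED on an NX-capable system; PROT_READ|PROT_EXEC -> 42.
   The page is never writable and executable at the same time, which is the W^X discipline. */
int exec_with_prot(int prot)
{
    size_t size = (size_t)sysconf(_SC_PAGESIZE);
    void *page = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return EXEC_NOTSETUP;
    memcpy(page, RET42, sizeof RET42);
    __builtin___clear_cache((char *)page, (char *)page + sizeof RET42); /* required on AArch64 */
    int rc = EXEC_NOTSETUP;
    if (mprotect(page, size, prot) == 0)
        rc = call_page(page);
    munmap(page, size);
    return rc;
}

int main(void)
{
    int rw = exec_with_prot(PROT_READ | PROT_WRITE);
    int rx = exec_with_prot(PROT_READ | PROT_EXEC);
    printf("execute from RW page: %s\n",
           rw == EXEC_FAULTED ? "blocked (NX enforced)" : rw == 42 ? "RAN, no NX in effect" : "could not set up");
    printf("execute from RX page: %s\n", rx == 42 ? "ran, returned 42" : "did not run");
    return 0;
}
```

On a CPU or kernel without NX the first call returns 42 instead of faulting, which is exactly the gap the software emulations in 1.6 close. A hardened kernel with PaX MPROTECT, or a seccomp/SELinux policy that denies PROT_EXEC on anonymous memory, makes the second mprotect fail; the function then reports EXEC_NOTSETUP rather than guessing.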
- Same design for the 32-bit and 64-bit versions of Windows
- Developers should be aware of DEP behavior
- Device driver -> executes code from the stack (or another non-executable kernel page) -> DEP enabled -> no permission
  -> DEP access violation -> bug check 0xFC: ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY

1.10 Software DEP protection
- Handling of NX faults: other technologies terminate the program; DEP raises an exception (STATUS_ACCESS_VIOLATION, 0xC0000005, with the exception record marking an execute access) -> it could be caught in theory, but program flow is destroyed in an unrecoverable manner, so in practice the process ends
- Software-enforced DEP (SafeSEH) checks, when an exception is thrown, that the handler about to be called is registered in the image's safe exception handler table; an unregistered handler is not run
- Hardware NX supported -> DEP enabled by default
- Programs control which pages disallow execution through the Win32 API
- Also through the section headers in a portable executable file (IMAGE_SCN_MEM_EXECUTE on a section; a binary opts in to DEP with the /NXCOMPAT linker flag, IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
- Win32 API calls VirtualAlloc[Ex] and VirtualProtect[Ex] -> page protection specified by the programmer (PAGE_READWRITE versus PAGE_EXECUTE_READ and the other PAGE_EXECUTE_* values) -> each page is individually flagged as executable or non-executable

1.11 DEP limitations
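DEP stops injected code, not a transfer of control to code that is already loaded. The following is an added example in C of that limitation, not from the slides: a deliberately vulnerable handler whose copy has no bound check, beside a fixed one. It overwrites a function pointer that sits after the buffer rather than a saved return address, because the C struct layout is guaranteed and does not depend on the compiler's stack frame; the principle the slide describes is the same: the attacker supplies the address of existing code (here `existing_privileged_function`, standing in for system()), no shellcode is involved, and NX/DEP has nothing to object to. The target address is taken in-process; in a real attack it comes from a leak or from a library loaded at a fixed address, which is precisely what ASLR removes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_LEN 16

struct request {
    char name[NAME_LEN];
    void (*on_done)(const char *);   /* C guarantees this field follows name[] in memory */
};

static int privileged_calls;        /* how often the "existing" function was reached */

static void benign_done(const char *s) { (void)s; }

/* Stands in for a routine already present in the process, such as system():
   nothing has to be injected, the attacker only needs its address. */
static void existing_privileged_function(const char *s) { (void)s; privileged_calls++; }

/* Deliberately vulnerable: copies len bytes into a NAME_LEN-byte field with no bound check. */
int handle_request_vulnerable(const uint8_t *data, size_t len)
{
    privileged_calls = 0;
    struct request *req = malloc(sizeof *req);
    if (!req) return -1;
    req->on_done = benign_done;
    memcpy(req->name, data, len);        /* BUG: len > NAME_LEN spills into on_done */
    req->on_done(req->name);             /* indirect call through an attacker-controlled pointer */
    free(req);
    return privileged_calls;             /* 0 = benign path, 1 = hijacked */
}

/* Fixed: reject oversized input instead of letting it spill into the neighbouring field. */
int handle_request_fixed(const uint8_t *data, size_t len)
{
    privileged_calls = 0;
    if (len > NAME_LEN) return -2;       /* refuse; do not truncate silently */
    struct request *req = malloc(sizeof *req);
    if (!req) return -1;
    req->on_done = benign_done;
    memcpy(req->name, data, len);
    req->on_done(req->name);
    free(req);
    return privileged_calls;
}

/* Attack payload: filler up to the pointer, then the target address in native pointer
   width and byte order. Taking the address in-process models the no-ASLR case. */
size_t build_code_reuse_payload(uint8_t *out, size_t cap)
{
    void (*target)(const char *) = existing_privileged_function;
    size_t off = offsetof(struct request, on_done);
    size_t n = off + sizeof target;
    if (n > cap) return 0;
    memset(out, 'A', off);
    memcpy(out + off, &target, sizeof target);
    return n;
}

int main(void)
{
    uint8_t payload[64];
    size_t n = build_code_reuse_payload(payload, sizeof payload);
    printf("vulnerable handler: privileged function reached %d time(s)\n", handle_request_vulnerable(payload, n));
    printf("fixed handler: rc=%d (input rejected)\n", handle_request_fixed(payload, n));
    return 0;
}
```

Compile and run as is; the vulnerable handler reports one call into the privileged function from a payload that contains no executable bytes, which is why DEP alone, without ASLR, is not enough.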
- DEP provides no address space layout randomization
  -> allows return-to-libc attacks: the return address on the stack is replaced with the address of another, already loaded function (known in advance without ASLR) -> the correct portion of the stack is overwritten to provide arguments to this function -> attackers call pre-existing functions -> no need to inject malicious code into the program

1.12 DEP software conflicts
- Causes software problems with:
  - old software
  - driver compatibility
  - programs that cannot be virtualized correctly
- Workaround -> disabling DEP for the affected program (disabling it system-wide gives up the protection for everything)

1.13 Windows error reporting signature for a DEP problem
(no text content on this slide)

1.14 Examples of DEP on Windows
(no text content on this slide)

1.15 NX Bit attack example: Microsoft's Xbox
- The Xbox CPU had no NX bit -> a buffer overflow could run injected code
- 007: Agent Under Fire save game exploit
- A newer version of the XDK set the code segment limit to the beginning of the kernel's .data section -> no code should exist beyond this point
- No change for this exploit -> the memory being executed lies below the beginning of the kernel's .data section
- Closed only by a new version of the Xbox with a new kernel

2. Trusted Platform Module (TPM)
2.1 What is a Trusted Platform Module?
2.2 TPM applications
2.3 Three discussed features of TPM
2.4 TPM architecture
2.5 Example application (Microsoft Outlook)

2.1 What is a Trusted Platform Module?
- Hardware chip on the motherboard
- The chip is unique for each particular device
- Used to authenticate the hardware device: nobody has tampered with the hardware, no changes to the BIOS (each boot component is measured into the chip before it runs)
- Secure generation of cryptographic keys
- Provides a chain of trust

2.2 TPM applications
- BitLocker Drive Encryption:
  - Microsoft Windows Vista Enterprise
  - Microsoft Windows Vista Ultimate
- Linux security module
- 2006 -> laptops with a TPM available
- 2008 -> TPM integrated in Intel's new southbridge chipset

2.3 Three discussed features of TPM
- Remote attestation
  - summary (hash) of the software on the computer, signed by the TPM
  - lets a remote party verify that the software is not compromised (e.g. a digital music store checking its client)
  -> threat to privacy
- Sealing
  - encrypted data -> decryption only in exactly the same state, i.e. the same measurements
  - same software + same computer -> very restrictive -> digital rights management
- Binding
  - encrypt data using the TPM endorsement key (a unique RSA key put in the chip during production) or a key descended from it -> very restrictive

2.4 TPM architecture
- Endorsement key:
  - public/private key pair (RSA)
  - size: 2048 bits
  - unique per chip
- Attestation Identity Key:
  - platform authentication
  - pseudo-anonymous authentication (the AIK is certified by a privacy CA, so the endorsement key itself is never shown to the verifying party)

2.5 Example application (Microsoft Outlook)
(figure: Outlook, Verisign and the TPM exchanging the public and private key; steps numbered 1 to 5 as below)
1. Outlook "Get a Digital ID" launches the Verisign website
2. Verisign talks to the TPM hardware
3. The TPM generates a new key pair for signing; the private key never leaves the chip
4. The TPM sends the public key of that pair to Verisign
5. Verisign signs the public key (issues the certificate) and returns it to Outlook