Seminar on Computer Security Threats and Counter Measures

Hardware Attack Prevention (No execute bit, DEP data execution prevention)
Trusted Platform Module

Patrick Anagnostaras

Summary

  1. Hardware attack prevention
  2. Trusted Platform Module

1.1 No Execute Bit

Aims

  • Prevent software from taking over the computer
      → inserting their code into another data storage area
      → running their code within this section
      → buffer overflow
  • Prevent virus, worm and Trojan horse attacks
      • Blaster
      • Sasser
      • Code Red

1.2 No execute bit

  • Technology used in CPUs
  • Segregates areas of memory
      • Storage of processor instructions
      • Storage of data (normally only on Harvard architecture processors)
  • NX → only stores data → no execution of processor instructions
  • No NX → processor instructions

1.3 No Execute Bit: Denominations

  • AMD → No Execute (NX)
  • Intel → Execute Disable Bit (XD)
  • Microsoft → Execution Protection

1.4 NX Bit hardware background

  • Bit number 63 of the page table entry of an x86 processor
  • If set to 0 → code can be executed from this page
  • If set to 1 → no execution possible → anything on the page → assumed to be data
  • Pages must use the PAE table format (Physical Address Extension)
  • PAE maps up to 64 GB of physical memory into a 32-bit (4 GB) virtual address space using either 4-KB or 2-MB pages.
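The bit layout from 1.4, as an added example that is not part of the original slides: a C sketch that decodes 64-bit PAE-format page-table entries and counts pages that are writable and executable at the same time. The macro names, function names and sample entries are constructed for illustration; `nx_enforced` models whether the CPU and OS honour bit 63 at all.

```c
#include <stdint.h>
#include <stdio.h>

/* Flag bits of a 64-bit (PAE-format) x86 page-table entry. */
#define PTE_PRESENT  (1ULL << 0)    /* P: page is mapped */
#define PTE_WRITABLE (1ULL << 1)    /* R/W: writes allowed */
#define PTE_NX       (1ULL << 63)   /* NX/XD: no instruction fetch */

/* A present page is executable unless NX is enforced and bit 63 is set.
 * nx_enforced = 0 models a CPU or OS configuration without NX support. */
int pte_executable(uint64_t pte, int nx_enforced)
{
    if (!(pte & PTE_PRESENT)) return 0;
    return !(nx_enforced && (pte & PTE_NX));
}

/* Render permissions as "rwx"-style text; out must hold 4 bytes. */
const char *pte_perms(uint64_t pte, int nx_enforced, char out[4])
{
    out[0] = (pte & PTE_PRESENT) ? 'r' : '-';
    out[1] = ((pte & PTE_PRESENT) && (pte & PTE_WRITABLE)) ? 'w' : '-';
    out[2] = pte_executable(pte, nx_enforced) ? 'x' : '-';
    out[3] = '\0';
    return out;
}

/* Count pages that are writable and executable at the same time. */
size_t count_wx(const uint64_t *ptes, size_t n, int nx_enforced)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        hits += (ptes[i] & PTE_WRITABLE) && pte_executable(ptes[i], nx_enforced);
    return hits;
}

/* Constructed sample entries (not from a real system). */
static const uint64_t SAMPLE[] = {
    0x401000ULL | PTE_PRESENT,                          /* code            */
    0x602000ULL | PTE_PRESENT | PTE_WRITABLE | PTE_NX,  /* data            */
    0x7FF000ULL | PTE_PRESENT | PTE_WRITABLE,           /* stack, NX clear */
};

int main(void)
{
    char s[4];
    for (size_t i = 0; i < sizeof SAMPLE / sizeof SAMPLE[0]; i++)
        printf("entry %zu: %s\n", i, pte_perms(SAMPLE[i], 1, s));
    printf("W+X pages: %zu\n", count_wx(SAMPLE, 3, 1));
    return 0;
}
```

With NX enforced only the stack entry is flagged; with `nx_enforced` set to 0 the data page is flagged as well, which is the situation on a CPU without an NX bit.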
1.5 First NX Bit compatible processors

  • IBM PowerPC (1992)
  • Sun processors SPARC (1995)
  • AMD Opteron (2004)
  • Athlon 64 (2004)
  • Intel Itanium (2004)
  • Pentium 4 (2004)
  • Transmeta: Efficeon (2004)

1.6 Software emulation of the NX Bit

  • Emulation in the operating system
      • Prevents stack and heap memory from being executable
      • Prevents executable memory from being writable
      • Helps prevent buffer overflows

1.7 OS technologies of the NX Bit

  • PaX: Adamantix, Hardened Gentoo (October 2000)
  • Exec Shield: Fedora Core, Red Hat Enterprise (May 2003)
  • W^X: OpenBSD operating system
  • DEP: Windows Vista, Windows XP SP2, Windows Server 2003 SP1 (August 2004)

1.8 Comparison of technologies: Overhead

  • Amount of extra CPU processing power required for each technology to function
  • Emulation of the NX bit will usually impose a measurable overhead
  • No significant measurable overhead on CPUs supplying a hardware NX bit

1.8.1 Comparison of technologies: Exec Shield

  • Checks for two ELF header markings (stack or heap needs to be executable)
      → PT_GNU_STACK
      → PT_GNU_HEAP
  • Allows controls to be set for both binary executables and libraries
      → executable loads a library requiring a restriction relaxed
      → inherits that marking + restriction relaxed
  • Tracks the upper code segment limit
  • CPUs without NX bit → pages below the code segment limit → not protected
  • Few cycles of overhead → immeasurable

1.8.2 Comparison of technologies: PaX

  • PaX technology can emulate the NX bit or NX functionality, or use a hardware NX bit
      → trampoline emulation
  • Works on x86 CPUs that do not have an NX bit
  • Ignores PT_GNU_STACK and PT_GNU_HEAP
  • Supplies 2 methods of NX bit emulation
      • SEGMEXEC
      • PAGEEXEC

1.8.3 Comparison of technologies: PaX - SEGMEXEC

  • Imposes a measurable but low overhead (<1%)
  • Virtual memory mirroring
  • Has the effect of cutting the task's virtual address space in two
      • Task can access less memory
      • No problems until the task requires more than half the normal address space (rare)
  • Restricts the system memory that a program can access

1.8.4 Comparison of technologies: PaX - PAGEEXEC

  • Similar to Exec Shield
  • No pages become executable unless the operating system explicitly makes them so
  • Protects pages below the code segment limit
  • Supplies mprotect() restrictions → prevents programs from marking memory for potential exploit
  • High overhead operation
  • If a hardware NX bit is used, no emulation is used → no overhead

1.8.5 Comparison of technologies: W^X

  • Memory protection
  • Any page in a process address space is either writable or executable (xor = ^)
  • Stack not executable → no execution of injected arbitrary code → will cause the program to terminate

1.8.6 Comparison of technologies: DEP

  • On Windows → services by default
  • Configurable through the advanced properties in «My Computer»

1.9 Hardware enforced DEP

  • Same design for 32-bit and 64-bit versions of Windows
  • Developers should be aware of DEP behavior
  • Device driver → execution of code from the stack → DEP is enabled → no permission → DEP access violation → error 0xFC: ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY

1.10 Software DEP protection

  • Handling of NX faults:
      → other technologies terminate the program
      → DEP raises an exception
      → program flow is destroyed in an unrecoverable manner
  • Checks when an exception is thrown
      → exception is registered
      → function table

1.10 Software DEP protection

  • NX supported → enabled by default
  • Allows programs to control which pages disallow execution through its API
  • Also through the section headers in a portable executable file
  • Win32 API calls VirtualAlloc[Ex] and VirtualProtect[Ex]
      → page protection setting specified by the programmer
      → each page individually flagged → executable or non-executable

1.11 DEP limitations

  • DEP provides no address space layout randomization
      → allows return-to-lib attacks
      → the return address on the stack is replaced
      → with the address of another function
      → the correct portion of the stack is overwritten → provides arguments to this function
      → allows attackers to call pre-existing functions
      → no need to inject malicious code into a program

1.12 DEP software conflicts

  • Causes software problems
      • Old software
      • Driver compatibility problems
      • Prevents programs from being virtualized correctly
  • Solution → disabling DEP features

1.14 Examples of DEP on Windows

1.13 Windows error reporting signature for a DEP problem

1.15 NX Bit attack example: Microsoft's Xbox

  • CPU had no NX bit → buffer overflow
  • 007: Agent Under Fire save game exploit
  • Newer version of the XDK set the code segment limit to the beginning of the kernel's .data section → no code should be after this point
  • No change → memory executed → below the beginning of the kernel's .data section
      → new version of Xbox with new kernel

2. Trusted Platform Module (TPM)

  2.1 What is a Trusted Platform Module?
  2.2 TPM applications
  2.3 Three discussed features of TPM
  2.4 TPM architecture
  2.5 Example Application (Microsoft Outlook)

2.1 What is a Trusted Platform Module?

  • Hardware chip on motherboards
  • Chip is unique for each particular device
  • Used to authenticate the hardware device
      • No one played with the hardware
      • No changes to the BIOS
  • Secure generation of cryptographic keys
  • Provides a chain of trust

2.2 TPM applications

  • BitLocker Drive Encryption:
      • Microsoft Windows Vista Enterprise editions
      • Microsoft Windows Vista Ultimate
  • Linux security module
