ABSTRACT
In recent years, researchers have proposed systems for running trusted code on an untrusted operating system. Protection mechanisms deployed by such systems keep a malicious kernel from directly manipulating a trusted application's state. Under such systems, the application and kernel are, conceptually, peers, and the system call API defines an RPC interface between them.
We introduce Iago attacks, attacks that a malicious kernel can mount in this model. We show how a carefully chosen sequence of integer return values to Linux system calls can lead a supposedly protected process to act against its interests, and even to undertake arbitrary computation at the malicious kernel's behest.
Iago attacks are evidence that protecting applications from malicious kernels is more difficult than previously realized.
Iago attacks: why the system call API is a bad untrusted RPC interface. ASPLOS '13.