Distributed and Ubiquitous Computing Laboratory

An External Integrity Checker for Increasing Security of Open Source Operating Systems

Hiromasa Shimada, Tsung-Han Lin, Ning Li

Distributed and Ubiquitous Computing Lab., Waseda University, Japan


Background

•  There is a lot of OSS on the Linux platform.
  –  Linux itself is also OSS.
•  OSS code bases tend to be huge.
  –  Linux has 34,563 files and 10,431,249 LOC (3.4.0).
•  Can we write them by hand without bugs?
  –  No, we cannot.

12/06/06


How to handle the bugs

•  One solution is to verify the software to remove bugs.
  –  There is a lot of research on formal verification.
  –  But most of it cannot handle an OS: the number of states to be verified is not feasible.
  –  Some research does handle OSes, but it targets a specific OS and only part of it.
•  The only thing we can do about bugs is to apply patches.


Integrity Checker

•  Integrity checkers are often used to enhance security.
•  Attackers invade the system via software vulnerabilities.
•  They often insert rootkits into the system to assist their manipulations.
•  Integrity checkers can detect rootkit infections.


Specifications

•  Integrity checkers require specifications to check the kernel.
•  How do we define the correct properties for the integrity checkers?
  –  Most of them are defined by hand.
  –  That requires a lot of engineering cost.
•  How do we verify that the properties are correct?


Our Solution

•  We provide an integrity checker that is generated automatically.
•  It runs outside the target OS, using a hypervisor.
  –  Against cross-domain attacks
•  It checks kernel data structures of the target OS.


System Design

[Figure: Integrity Checker, Target OS with its Kernel Data Structures, and Hypervisor; an arrow labelled "check".]


Building The Integrity Checker

•  We need 4 steps to generate the integrity checker:
  –  Make a tracer program.
  –  Execute the tracer and obtain the actual kernel data structures.
  –  Analyze the result and generate invariants.
  –  Make the integrity checker.


Building A Tracer Program

•  The tracer program obtains the actual kernel data of the target kernel.
•  The tracer runs at the same time as Linux.


To get preprocessed files

•  We modified $LINUX_DIR/scripts/Makefile.build.
•  We cannot use the '--save-temps' option.
  –  Using this option saves all of the preprocessed files in the current directory.
  –  gcc 4.5 supports saving them in the same directory as the object files.
•  Add the line below to the file:

    cmd_cc_o_c +=; $(CC) $(c_flags) -E -o $(patsubst %.o,%.i,$@) $<


Analyzing Linux Source Code

•  We use Haskell and the Language.C library to parse the Linux source code.
•  Environment
  –  python 2.6
  –  ghc 6.12.1
  –  language.c 0.3.1.1
  –  scons 2.0.0


Abstracting kernel data structures

•  In order to make a header file for building the tracer, we have to abstract the definitions of kernel data structures from all of the source code:
  –  global variables
  –  typedef
  –  struct
  –  union


How to obtain kernel data structures

•  Making the tracer takes the steps below:
  –  Make functions to traverse each kernel data structure.
  –  Map symbol names in System.map to global variables to get the types of the variables, and call the functions.
•  Obtained data
  –  Primitive type: actual data
  –  Structure type: pointer address and field
  –  Pointer type: pointer address and actual data
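
An added example, not taken from the slides or the authors' tool: a Python sketch of the two tracer steps above, joining System.map data symbols with typed globals and emitting one record per primitive, structure and pointer. The symbol addresses, struct layouts and memory words are constructed, and `GLOBALS`, `STRUCTS`, `MEMORY`, `trace` and `run_tracer` are hypothetical names.

```python
# Constructed sample inputs: no address or layout here comes from a real kernel.
SYSTEM_MAP = """\
c0008000 T start_kernel
c0300000 R simple_dir_operations
c0400000 D proc_root
c0400100 B jiffies
"""
# Hypothetical output of the source-analysis step: global variable types and
# struct layouts as (field, type, byte offset). "fnptr" is a function pointer,
# recorded like a primitive (its value is the handler address).
GLOBALS = {"simple_dir_operations": "struct file_operations",
           "proc_root": "struct proc_dir_entry", "jiffies": "unsigned long"}
STRUCTS = {"struct file_operations": [("read", "fnptr", 0)],
           "struct proc_dir_entry": [("namelen", "unsigned long", 0),
                                     ("proc_fops", "struct file_operations *", 4)]}
MEMORY = {0xc0300000: 0xc00a1000, 0xc0400000: 5,      # address -> 32-bit word
          0xc0400004: 0xc0300000, 0xc0400100: 12345}

def parse_system_map(text):
    """Return {name: address} for data symbols (D/d, B/b, R/r); skip code."""
    syms = {}
    for line in text.splitlines():
        addr, kind, name = line.split()
        if kind in "DdBbRr":
            syms[name] = int(addr, 16)
    return syms

def trace(path, ctype, addr, out, seen):
    if ctype in STRUCTS:                    # structure: address, then each field
        if (addr, ctype) in seen:           # guard against cyclic structures
            return
        seen.add((addr, ctype))
        out.append((path, "struct", addr, None))
        for field, ftype, offset in STRUCTS[ctype]:
            trace(f"{path}.{field}", ftype, addr + offset, out, seen)
    elif ctype.endswith("*"):               # pointer: address and pointed-to data
        target = MEMORY.get(addr, 0)
        out.append((path, "pointer", addr, target))
        if target:
            trace(path, ctype[:-1].strip(), target, out, seen)
    else:                                   # primitive: the actual data
        out.append((path, "primitive", addr, MEMORY.get(addr)))

def run_tracer():
    """Join System.map symbols with typed globals and traverse each one."""
    out = []
    for name, addr in sorted(parse_system_map(SYSTEM_MAP).items()):
        if name in GLOBALS:
            trace(name, GLOBALS[name], addr, out, set())
    return out
```

Following the pointer under its own path yields names such as `proc_root.proc_fops.read`, the form in which traced values are later compared.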


Invariants

•  Our tool generates invariants of the kernel data structures using the Daikon tool.
•  Daikon requires a declaration file and a trace file.
  –  Declaration file: definitions of the target data structures
  –  Trace file: the obtained data
•  Example:

    simple_dir_operations.read == proc_root.proc_fops.read

•  Our tool parses the invariants and generates the integrity checker.
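
An added example, not the authors' generator: a Python sketch that parses Daikon-style invariant lines and turns them into a checker run over a snapshot of traced values. Only the first invariant comes from the slide; the other two, the snapshot values and all function names are constructed for illustration.

```python
import re

# The first invariant is the one on the slide; the other two are constructed
# lines in the same Daikon-style text form.
INVARIANTS = """\
simple_dir_operations.read == proc_root.proc_fops.read
proc_root.namelen == 5
proc_root.mode one of { 16749, 16877 }
"""

def parse_invariant(line):
    """Turn one invariant line into (kind, variable, operand)."""
    m = re.fullmatch(r"(\S+) one of \{ (.+) \}", line)
    if m:
        return ("one_of", m.group(1), frozenset(int(v) for v in m.group(2).split(",")))
    m = re.fullmatch(r"(\S+) == (\S+)", line)
    if not m:
        raise ValueError(f"unsupported invariant: {line!r}")
    lhs, rhs = m.groups()
    if re.fullmatch(r"-?\d+", rhs):
        return ("eq_const", lhs, int(rhs))
    return ("eq_var", lhs, rhs)

def generate_checker(text):
    """Return check(snapshot) -> list of violated invariant lines."""
    invariants = [(l.strip(), parse_invariant(l.strip()))
                  for l in text.splitlines() if l.strip()]
    def check(snapshot):
        violations = []
        for line, (kind, var, operand) in invariants:
            needed = [var, operand] if kind == "eq_var" else [var]
            if any(name not in snapshot for name in needed):
                violations.append(line)      # unreadable data counts as a failure
            elif kind == "eq_var" and snapshot[var] != snapshot[operand]:
                violations.append(line)
            elif kind == "eq_const" and snapshot[var] != operand:
                violations.append(line)
            elif kind == "one_of" and snapshot[var] not in operand:
                violations.append(line)
        return violations
    return check

# Constructed snapshots of traced values (path -> value).
CLEAN = {"simple_dir_operations.read": 0xc00a1000, "proc_root.proc_fops.read": 0xc00a1000,
         "proc_root.namelen": 5, "proc_root.mode": 16749}
HOOKED = dict(CLEAN, **{"proc_root.proc_fops.read": 0xd0801234})  # pointer redirected
```

Running the generated checker on `HOOKED` reports the slide's invariant as violated, which is how a redirected `read` handler in `proc_root.proc_fops` would surface.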


Applying Integrity Checker

•  Platform setup
  –  Basic platform: hypervisor system
  –  Integrity checker protection: Secure Pager
•  Hypervisor: SPUMONE
•  Secure Pager: using local memory

[Figure: Physical Cores 0-3 and Virtual Cores 0-3; Integrity Checker; Linux with Kernel Data Structures; Rootkit; label "Blocked".]


SPUMONE

•  SH4A architecture
•  Co-kernel approach
•  Dedicated device management
•  Para-virtualization
  –  Small modifications
•  Distributed design
  –  Per-CPU image


Interrupt Virtualization

Register Setting - INT2PRI0 ~ INT2PRI7


Interrupt Delivery Mechanism


Traditional Hypervisor vs. SPUMONE

•  Single hypervisor image
•  Straightforward
•  Managing
•  Communication
•  Distributed design
•  Risk diversification
•  Reliability enhancement
•  Shared memory communication

[Figure: Cores 1-4 with a single Traditional Hypervisor hosting GPOS and RTOS, compared with Cores 1-4 each running its own SPUMONE instance hosting GPOS and RTOS.]


Protection of the integrity checker

•  A typical scene.
•  Without the protection, the guest OS may attack the integrity checker to invalidate the monitoring function.


Isolation based on Local memory

•  Local memory (small size) is a programmable region and cannot be accessed by other cores.


Basic Architecture

•  The secure pager is used to virtually extend the size of the local memory.


Secure Pager

•  Xv6: a simple OS to run the integrity checker.
•  The secure pager verifies the integrity of xv6's pages when loading them into local memory.
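
The slides do not say how the secure pager verifies a page. As an added example (not the authors' implementation), this Python sketch assumes a SHA-256 digest per page is computed from a trusted image and kept in local memory, while the pages themselves sit in memory the guest OS can reach; `SecurePager`, the page size and the slot count are hypothetical.

```python
import hashlib
import hmac

PAGE_SIZE = 4096     # assumed page size
LOCAL_SLOTS = 2      # constructed: local memory holds only two pages at once

class IntegrityError(Exception):
    """A page changed between the trusted build step and page-in."""

class SecurePager:
    def __init__(self, image: bytes):
        pages = [image[i:i + PAGE_SIZE].ljust(PAGE_SIZE, b"\0")
                 for i in range(0, len(image), PAGE_SIZE)]
        # Trusted state, assumed to live in core-local memory.
        self.digests = [hashlib.sha256(p).digest() for p in pages]
        self.local = {}                      # page number -> bytes, oldest first
        # Untrusted backing store: shared RAM that other cores can write.
        self.backing = [bytearray(p) for p in pages]

    def load(self, n: int) -> bytes:
        """Return page n, verifying it whenever it is paged in."""
        if n in self.local:
            self.local[n] = self.local.pop(n)        # mark most recently used
            return self.local[n]
        data = bytes(self.backing[n])                # copy first, then verify the copy
        if not hmac.compare_digest(hashlib.sha256(data).digest(), self.digests[n]):
            raise IntegrityError(f"page {n} was modified outside local memory")
        if len(self.local) >= LOCAL_SLOTS:
            # Evict the least recently used page. Pages are read-only in this
            # sketch; writable pages would need a fresh digest on write-back.
            del self.local[next(iter(self.local))]
        self.local[n] = data
        return data

def demo():
    """Page in three pages, tamper with the backing store, reload page 0."""
    pager = SecurePager(b"A" * PAGE_SIZE + b"B" * PAGE_SIZE + b"C" * 100)
    for n in (0, 1, 2):                              # loading page 2 evicts page 0
        pager.load(n)
    pager.backing[0][10] ^= 0xFF                     # constructed tampering
    try:
        pager.load(0)
    except IntegrityError:
        return "tamper detected"
    return "tamper missed"
```

A page already resident in local memory is served from there, so changes to the backing copy only matter, and are only caught, at the next page-in.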


Summary

•  Increasing security using an external integrity checker
  –  Generated automatically
•  Applying the integrity checker
  –  Based on a hypervisor environment
  –  Protected by Secure Pager
