Distributed and Ubiquitous Computing Laboratory
An External Integrity Checker for Increasing Security of Open Source Operating Systems
Hiromasa Shimada, Tsung-Han Lin, Ning Li
Distributed and Ubiquitous Computing Lab., Waseda University, Japan
Background
• There is a lot of OSS on the Linux platform.
  – Linux itself is also OSS.
• They tend to have huge source code.
  – Linux has 34,563 files and involves 10,431,249 LOC (3.4.0).
• Can we make them bug-free by hand?
  – No, we cannot.
12/06/06
How to handle the bugs
• One solution is to verify the software to remove bugs.
  – There is a lot of research on formal verification.
  – But most of it cannot handle an OS.
    – The number of states to be verified is not feasible.
  – Some research does handle OSes.
    – But it targets a specific OS and only part of it.
• In practice, the only thing we can do about bugs is to apply patches.
Integrity Checker
• In order to enhance security, integrity checkers are often used.
  – Attackers invade the system via software vulnerabilities.
  – They often insert rootkits into the system to assist their manipulations.
  – Integrity checkers can detect infections by rootkits.
Specifications
• Integrity checkers require specifications to check the kernel.
• How do we define the correct properties for the integrity checkers?
  – Most of them are defined by hand.
  – This requires a lot of engineering cost.
• How do we verify that the properties are correct?
Our Solution
• We provide an integrity checker that is generated automatically.
• It runs outside the target OS using a hypervisor.
  – protection against cross-domain attacks
• It checks the kernel data structures of the target OS.
System Design
[Figure: the Integrity Checker and the Target OS run side by side on the Hypervisor; the Integrity Checker checks the Target OS's Kernel Data Structures.]
Building the Integrity Checker
• We need 4 steps to generate the integrity checker.
  – Make a tracer program.
  – Execute the tracer and obtain the actual kernel data structures.
  – Analyze the result and generate invariants.
  – Make the integrity checker.
Building a Tracer Program
• The tracer program obtains the actual kernel data of the target kernel.
• The tracer runs alongside Linux at the same time.
To get preprocessed files
• We modified $LINUX_DIR/scripts/Makefile.build.
• We cannot use the ‘--save-temps’ option.
  – Using this option saves all of the preprocessed files in the current directory.
  – gcc 4.5 supports saving them in the same directory as the object files.
• Add the line below to the file (it appends a second compiler run with -E, writing the preprocessed output next to each object as a .i file):
cmd_cc_o_c += ; $(CC) $(c_flags) -E -o $(patsubst %.o,%.i,$@) $<
Analyzing Linux Source Code
• We use Haskell and the Language.C library to parse the Linux source code.
• Environment
  – python 2.6
  – ghc 6.12.1
  – language.c 0.3.1.1
  – scons 2.0.0
Abstracting kernel data structures
• In order to make a header file to build the tracer, we have to extract the definitions of the kernel data structures from all of the source code:
  – global variables
  – typedef
  – struct
  – union
How to obtain kernel data structures
• Making the tracer takes the steps below:
  – Make functions to traverse each kernel data structure.
  – Map the symbol names in System.map to the global variables to get the types of the variables, and call the functions.
• Obtained data
  – Primitive type: actual data
  – Structure type: pointer address and fields
  – Pointer type: pointer address and actual data
Invariants
• Our tool generates invariants of the kernel data structures using the Daikon tool.
• Daikon requires a declaration file and a trace file.
  – declaration file: definitions of the target data structures
  – trace file: obtained data
• Example
  simple_dir_operations.read == proc_root.proc_fops.read
• Our tool parses the invariants and generates the integrity checker.
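The checking step the slide describes, as an added example that is not the authors' tool: Daikon-style invariant lines (the slide's example plus one constructed `!= 0` line) are evaluated against a constructed, flattened trace snapshot (dotted path to traced value, pointers as integers), and any invariant that no longer holds is reported.

```python
"""Evaluate Daikon-style kernel invariants against a traced snapshot.

Added illustration, not the authors' generator: the invariant lines and the
snapshot below are constructed to resemble the slide's example.
"""
import re

# Constructed invariants in the form the slide shows: <lhs> <op> <rhs>.
INVARIANTS = """
simple_dir_operations.read == proc_root.proc_fops.read
proc_root.proc_fops.read != 0
""".strip().splitlines()

# Constructed trace: dotted path -> traced value (pointer addresses as ints).
GOOD_SNAPSHOT = {
    "simple_dir_operations.read": 0xC01A2F00,
    "proc_root.proc_fops.read": 0xC01A2F00,
}

_OPS = {
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    "<=": lambda a, b: a <= b,
    ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b,
    ">": lambda a, b: a > b,
}
_LINE = re.compile(r"^\s*(\S+)\s*(==|!=|<=|>=|<|>)\s*(\S+)\s*$")


def _operand(token, snapshot):
    """Resolve an operand: a numeric literal (0x.. or decimal) or a trace path."""
    try:
        return int(token, 0)
    except ValueError:
        return snapshot[token]  # KeyError means the trace lacks that symbol


def check_invariants(invariants, snapshot):
    """Return the invariant lines that the snapshot violates (empty = clean)."""
    violated = []
    for line in invariants:
        m = _LINE.match(line)
        if not m:
            raise ValueError("unparsable invariant: %r" % line)
        lhs, op, rhs = m.groups()
        if not _OPS[op](_operand(lhs, snapshot), _operand(rhs, snapshot)):
            violated.append(line.strip())
    return violated
```

A generated checker would run this comparison from the hypervisor side over a fresh trace; a changed `proc_fops.read` pointer shows up as the first invariant failing.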
Applying the Integrity Checker
• Platform setup
  – Basic platform: hypervisor system
    – Hypervisor: SPUMONE
  – Integrity checker protection: Secure Pager
    – Secure Pager: using local memory
[Figure: Physical Core 0 to 3 mapped to Virtual Core 0 to 3; the Integrity Checker runs beside Linux and checks the Kernel Data Structures; the Rootkit's access to the Integrity Checker is marked Blocked.]
SPUMONE
• SH4A architecture
• Co-kernel approach
• Dedicated device management
• Para-virtualization
  – Small modifications
• Distributed design
  – Per-CPU image
Interrupt Virtualization
Register setting: INT2PRI0 ~ INT2PRI7
Interrupt Delivery Mechanism
Traditional Hypervisor vs. SPUMONE
• Single hypervisor image
  – Straightforward
  – Managing
  – Communication
• Distributed design
  – Risk diversification
  – Reliability enhancement
  – Shared memory communication
[Figure: Traditional Hypervisor: a single hypervisor spans Core 1 to Core 4 and hosts GPOS and RTOS. SPUMONE: a separate SPUMONE instance runs on each of Core 1 to Core 4, hosting GPOS and RTOS.]
Protection of the integrity checker
• A typical scene.
• Without protection, the guest OS may attack the integrity checker to disable the monitoring function.
Isolation based on Local memory
• Local memory (small in size) is a programmable region that cannot be accessed by other cores.
Basic Architecture
• The secure pager is used to extend the size of the local memory virtually.
Secure Pager
• Xv6: a simple OS used to run the integrity checker.
• The secure pager verifies the integrity of xv6's pages when loading them into local memory.
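The verify-on-load behaviour of the secure pager, as an added illustration that is not the slides' implementation: a constructed image stands in for xv6, a table of per-page digests is assumed to have been built at image-build time and kept in the protected local memory, and a page is copied from the untrusted external memory into one of the few local-memory slots only if its digest matches.

```python
"""Secure-pager style verified loading into a small local memory.

Added illustration (not the authors' code). Assumptions: pages are hashed
with SHA-256, the reference table lives in trusted local memory, and the
external memory holding the image is shared with (and writable by) the guest.
"""
import hashlib

PAGE_SIZE = 64    # constructed: tiny pages keep the example readable
LOCAL_SLOTS = 2   # constructed: local memory holds only two pages at a time


def page_digest(data):
    return hashlib.sha256(data).digest()


def build_reference_table(image):
    """Build-time step: digest of every page of the trusted image."""
    pages = [image[i:i + PAGE_SIZE] for i in range(0, len(image), PAGE_SIZE)]
    return [page_digest(p) for p in pages]


class SecurePager:
    def __init__(self, external_memory, reference_table):
        self.external = external_memory   # untrusted, guest-accessible
        self.reference = reference_table  # trusted, kept in local memory
        self.local = {}                   # page number -> page data
        self.order = []                   # FIFO of resident pages

    def load_page(self, page_no):
        """Return the page from local memory, verifying it on a miss."""
        if page_no in self.local:
            return self.local[page_no]
        start = page_no * PAGE_SIZE
        data = bytes(self.external[start:start + PAGE_SIZE])
        if page_digest(data) != self.reference[page_no]:
            raise ValueError("page %d failed integrity check" % page_no)
        if len(self.order) == LOCAL_SLOTS:  # local memory full: evict oldest
            del self.local[self.order.pop(0)]
        self.local[page_no] = data
        self.order.append(page_no)
        return data


# Constructed image: four distinct pages standing in for xv6 text/data.
TRUSTED_IMAGE = b"".join(bytes([n]) * PAGE_SIZE for n in range(4))
REFERENCE = build_reference_table(TRUSTED_IMAGE)
```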
Summary
• Increasing security using an external integrity checker
  – generated automatically
• Applying the integrity checker
  – based on a hypervisor environment
  – protected by the Secure Pager