利用ARM指標認證與棧回溯技術以保護系統呼叫及控制流

許智凱; Chih-Kai Hsu

請用此 Handle URI 來引用此文件： http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/94320

完整後設資料紀錄

DC 欄位	值	語言
dc.contributor.advisor	黎士瑋	zh_TW
dc.contributor.advisor	Shih-Wei Li	en
dc.contributor.author	許智凱	zh_TW
dc.contributor.author	Chih-Kai Hsu	en
dc.date.accessioned	2024-08-15T16:48:07Z	-
dc.date.available	2024-08-16	-
dc.date.copyright	2024-08-15	-
dc.date.issued	2024	-
dc.date.submitted	2024-08-02	-
dc.identifier.citation	Dwarf debugging information format, version 4. https://dwarfstd.org/doc/DWARF4.pdf. Lighttpd web server. https://www.lighttpd.net/. Sqlite. https://www.sqlite.org/index.html. Introducing Amazon EC2 A1 Instances Powered By New Arm-based AWS Gravi-ton Processors, Nov. 2018. https://aws.amazon.com/about-aws/whats-new/2018/11/introducing-amazon-ec2-a1-instances. A sqlite3 benchmark tool, 2018. https://github.com/ukontainer/sqlite-bench. Nginx web server, 2022. https://nginx.org. I. Agadakos, D. Jin, D. Williams-King, V. P. Kemerlis, and G. Portokalidis. Nibbler: debloating binary shared libraries. In Proceedings of the 35th Annual Computer Security Applications Conference, ACSAC ’19, page 70–83, New York, NY, USA, 2019. Association for Computing Machinery. Apple. Apple mac mini m1, 2020. https://www.apple.com/shop/buy-mac/mac-mini/applem1-chip-with-8-core-cpu-and-8-core-gpu-256gb Apple. Apple unleashes m1, 2020. https://www.apple.com/newsroom/2020/11/apple-unleashes-m1/. Apple Inc. Apple platform security, May 2022. https://help.apple.com/pdf/security/en_US/apple-platform-security-guide.pdf. Arm Developer. Execute never, 2014. https://developer.arm.com/documentation/den0013/d/The-Memory-Management-Unit/Memory-attributes/Execute-Never?lang=en. R. Avanzi. The qarma block cipher family. almost mds matrices over rings with zero divisors, nearly symmetric even-mansour constructions with non-involutory central rounds, and search heuristics for low-latency s-boxes. IACR Transactions on Symmetric Cryptology, pages 4–44, 2017. J. Bucek, K.-D. Lange, and J. v. Kistowski. Spec cpu2017: Next-generation compute benchmark. In Companion of the 2018 ACM/SPEC International Conference on Performance Engineering, pages 41–42, 2018. N. Burow, D. McKee, S. A. Carr, and M. Payer. Cfixx: Object type integrity for c++ virtual dispatch. In Symposium on Network and Distributed System Security (NDSS), 2018. C. Canella, S. Dorn, D. Gruss, and M. Schwarz. Sfip: Coarse-grained syscall-flow-integrity protection in modern systems. arXiv preprint arXiv:2202.13716, 2022. C. Canella, M. Werner, D. Gruss, and M. Schwarz. Automating seccomp filter generation for linux applications. In Proceedings of the 2021 on Cloud Computing Security Workshop, pages 139–151, 2021. N. DeMarinis, K. Williams-King, D. Jin, R. Fonseca, and V. P. Kemerlis. Sysfilter: Automated system call filtering for commodity software. In 23rd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2020), pages 459–474, 2020. I. Evans, F. Long, U. Otgonbaatar, H. Shrobe, M. Rinard, H. Okhravi, and S. Sidiroglou-Douskos. Control jujutsu: On the weaknesses of fine-grained control flow integrity. Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, 2015. Y. Fu, J. Rhee, Z. Lin, Z. Li, H. Zhang, and G. Jiang. Detecting stack layout corruptions with robust stack unwinding. In Research in Attacks, Intrusions, and Defenses: 19th International Symposium, RAID 2016, Paris, France, September 19-21, 2016, Proceedings 19, pages 71–94. Springer, 2016. S. Ghavamnia, T. Palit, S. Mishra, and M. Polychronakis. Temporal system call specialization for attack surface reduction. In 29th USENIX Security Symposium (USENIX Security 20), pages 1749–1766. USENIX Association, Aug. 2020. E. Göktas, E. Athanasopoulos, H. Bos, and G. Portokalidis. Out of control: Overcoming control-flow integrity. In 2014 IEEE Symposium on Security and Privacy, pages 575–589. IEEE, 2014. Google. A fast key-value storage library, 2011. https://github.com/google/leveldb. M. Ismail, A. Quach, C. Jelesnianski, Y. Jang, and C. Min. Tightly seal your sensitive pointers with {PACTight}. In 31st USENIX Security Symposium (USENIX Security 22), pages 3717–3734, 2022. Jake Edge. A library for seccomp filters. https://lwn.net/Articles/494252/. C. Jelesnianski, M. Ismail, Y. Jang, D. Williams, and C. Min. Protect the system call, protect (most of) the world with bastion. In Proceedings of the 28th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 3, pages 528–541, 2023. V. Kuznetzov, L. Szekeres, M. Payer, G. Candea, R. Sekar, and D. Song. Code-pointer integrity. In The Continuing Arms Race: Code-Reuse Attacks and Defenses, pages 81–116. 2018. L. C. Lam and T.-c. Chiueh. Automatic extraction of accurate application-specific sandboxing policy. In Recent Advances in Intrusion Detection: 7th International Symposium, RAID 2004, Sophia Antipolis, France, September 15-17, 2004. Proceedings 7, pages 1–20. Springer, 2004. H. Liljestrand, T. Nyman, K. Wang, C. C. Perez, J.-E. Ekberg, and N. Asokan. {PAC} it up: Towards pointer integrity using {ARM} pointer authentication. In 28th USENIX Security Symposium (USENIX Security 19), pages 177–194, 2019. Linux Foundation. Dynamic section. https://refspecs.linuxbase.org/LSB_4.1.0/LSB-Core-generic/LSB-Core-generic/dynamicsection.html. Linux Foundation. Section header. https://refspecs.linuxbase.org/elf/gabi4+/ch4.sheader.html. Linux manual page. ld.so. https://man7.org/linux/man-pages/man8/ld.so.8.html. Mark Rutland. Armv8.3 pointer authentication, September 14, 2017. https://events.static.linuxfound.org/sites/events/files/slides/slides_23.pdf A. J. Mashtizadeh, A. Bittau, D. Boneh, and D. Mazières. Ccfi: Cryptographically enforced control flow integrity. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, CCS ’15, page 941–951, New York, NY, USA, 2015. Association for Computing Machinery. Nathan Burow. Cfixx c+ + test suite, 2018. https://github.com/HexHive/CFIXX/tree/master/CFIXX-Suite. https://nvd.nist.gov/vuln/detail/CVE-2013-2028. https://nvd.nist.gov/vuln/detail/CVE-2012-0809. https://nvd.nist.gov/vuln/detail/CVE-2015-8617. https://nvd.nist.gov/vuln/detail/CVE-2016-10190. https://nvd.nist.gov/vuln/detail/CVE-2016-10191. PaX. Address space layout randomization, 2003. https://pax.grsecurity.net/docs/aslr.txt. Project Zero. Examining pointer authentication on the iphone xs, Feb 2019. https://googleprojectzero.blogspot.com/2019/02/examining-pointer-authentication-on.html. C. Qian, H. Hu, M. Alharthi, P. H. Chung, T. Kim, and W. Lee. {RAZOR}: A framework for post-deployment software debloating. In 28th USENIX security symposium (USENIX Security 19), pages 1733–1750, 2019. A. Quach, A. Prakash, and L. Yan. Debloating software through Piece-Wise compilation and loading. In 27th USENIX Security Symposium (USENIX Security 18), pages 869–886, Baltimore, MD, Aug. 2018. USENIX Association. Qualcomm Technologies, Inc. Pointer authentication on armv8.3, January 2017. https://www.qualcomm.com/content/dam/qcomm-martech/dm-assets/documents/pointer-auth-v7.pdf. R. Rudd, R. Skowyra, D. Bigelow, V. Dedhia, T. Hobson, S. Crane, C. Liebchen, P. Larsen, L. Davi, M. Franz, A.-R. Sadeghi, and H. Okhravi. Address-oblivious code reuse: On the effectiveness of leakage-resilient diversity. Network and Distributed System Security Symposium, 2017. F. Schuster, T. Tendyck, C. Liebchen, L. Davi, A.-R. Sadeghi, and T. Holz. Counterfeit object-oriented programming: On the difficulty of preventing code reuse attacks in c++ applications. In 2015 IEEE Symposium on Security and Privacy, pages 745–762. IEEE, 2015. V. van der Veen, D. Andriesse, M. Stamatogiannakis, X. Chen, H. Bos, and C. Giuffrdia. The dynamics of innocent flesh on the bone: Code reuse ten years later. ACM SIGSAC Conference on Computer and Communications Security, 2017. Will Glozer. a http benchmarking tool, 2019. https://github.com/wg/wrk. C. Williams. Microsoft: Can’t wait for ARM to power MOST of our cloud data centers! Take that, Intel! Ha! Ha! The Register, Mar. 2017. https://www.theregister.co.uk/2017/03/09/microsoft_arm_server_followup.	-
dc.identifier.uri	http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/94320	-
dc.description.abstract	現代系統為應用程式提供各種服務，這些服務主要通過系統調用訪問。系統調用經常被利用於嚴重攻擊中，例如控制流劫持攻擊。因此，與安全相關的系統調用（如 mprotect、mmap 和 execve）在整個攻擊鏈中起著關鍵作用。另一方面，ARM 處理器現在越來越多地部署在桌面和數據中心。雖然先前的研究已經構建了保護 x64 架構上系統調用使用的防禦機制，但我們提出了一種新穎的框架，以確保內存不安全編程語言（C/C++）在 ARM 架構上的系統調用使用的安全性。我們確保合法的系統調用使用具有以下屬性：系統調用調用的控制流完整性。首先，我們在 Linux 內核中引入了一個基於堆棧回溯的監控器。其次，我們利用 ARMv8.3 處理器中可用的指針驗證（PA）功能來保護控制流敏感的指針，如函數指針和 C++ 虛表指針。通過這些防禦機制，我們可以有效地破壞攻擊鏈，防止攻擊者達成他/她的目標。我們的框架由兩個主要組件組成：1）可加載內核模塊（LKM）和 2）定制的 LLVM 編譯器。我們的安全案例研究表明，我們可以有效地擊敗所有攻擊，包括真實世界的漏洞利用。我們使用三個常見的系統調用密集型程序（Lighttpd、NGINX 和 SQLite）以及 SPEC CPU2017 基準套件來評估性能。結果顯示，Lighttpd 的性能開銷為 0.68%，NGINX 為 0.45%，而 SPEC CPU2017 基準套件的平均開銷為 2.95%。我們在 Section 6.2.3 中解釋了 SQLite 開銷較高的原因。	zh_TW
dc.description.abstract	Modern systems provide various services to applications, primarily accessed through system calls. System calls are frequently utilized in serious attacks, such as control-flow hijacking attack. Therefore, security-related system calls, such as mprotect, mmap and execve play a pivotal role in the entire attack chain. On the other hand, ARM processors are increasingly deployed on desktops and in data centers nowadays. While previous works have built defense mechanisms to protect system call usages on x64 architecture, we propose a novel secure properties for system call usages for memory-unsafe programming languages (C/C++) on ARM architecture. We ensure a property for legitimate system call usage: the control flow integrity of system call invocations. Firstly, we introduce a stack unwinding-based monitor in the Linux kernel. Secondly, we utilize the Pointer Authentication (PA) feature available in ARMv8.3 processors to protect control-flow-sensitive pointers, such as function pointers and C++ Vtable pointers. With these defense mechanisms, we can effectively corrupts the attack chain, preventing the attacker from achieving her goals. Our framework consists of two main components 1) a loadable kernel module (LKM) and 2) a customized LLVM compiler. Our security case study demonstrates that we can effectively defeat all attacks, including real-world exploits. We evaluate the performance using three popular system call-intensive programs: Lighttpd, NGINX, and SQLite, as well as the SPEC CPU2017 benchmark suite. Our results indicate an overhead of 0.68% for Lighttpd, 0.45% for NGINX, and an average of 2.95% for the SPEC CPU2017 benchmark suite. We explain the reasons for the higher overhead on SQLite in the Section 6.2.3.	en
dc.description.provenance	Submitted by admin ntu (admin@lib.ntu.edu.tw) on 2024-08-15T16:48:07Z No. of bitstreams: 0	en
dc.description.provenance	Made available in DSpace on 2024-08-15T16:48:07Z (GMT). No. of bitstreams: 0	en
dc.description.tableofcontents	Verification Letter from the Oral Examination Committee i 致謝 ii 摘要 iii Abstract v Contents vii List of Figures x List of Tables xi Chapter 1 Introduction 1 Chapter 2 Background 4 2.1 Stack Layout Information for binaries 4 2.1.1 Frame Pointer and Stack Pointer 4 2.1.2 .eh_frame 4 2.2 Stack Unwinding 5 2.3 Arm Pointer Authentication 6 2.4 Code Reuse Attack 7 2.5 Virtual Functions in C++ 8 2.6 VTable Hijacking Attacks 9 Chapter 3 Threat Model and Assumptions 10 Chapter 4 Design 12 4.1 Control Flow Integrity of System Call Usage 12 4.1.1 Backward-Edge CFI Protection 12 4.1.2 Forward-Edge CFI Protection 15 Chapter 5 Implementation 17 5.1 Loadable Kernel Module 19 5.1.1 Intercept system call 19 5.1.2 Mechanisms 20 5.2 Forward-edge CFI Protection 21 5.2.1 PA modifier 22 5.2.2 Function Pointer Signing/Authentication 22 5.2.3 C++ VPointer Signing/Authentication 24 Chapter 6 Evaluation 27 6.1 Performance Evaluation 27 6.1.1 Experimental Setup 27 6.1.2 Benchmarks 27 6.2 Application Performance 28 6.2.1 Lighttpd 28 6.2.2 NGINX 29 6.2.3 SQLite 29 6.2.4 SPECCPU2017 31 Chapter 7 Limitation and Discussion 32 7.1 The Limitation of the Unwinder 32 7.1.1 Complete Unwinding Information 33 7.1.2 Incomplete Unwinding Information 33 7.2 Attacks on PAC 34 Chapter 8 Security Evaluation 35 8.1 Security Analysis 35 8.1.1 ROP 35 8.1.2 VPointer Hijacking 35 8.1.3 Direct System Call Manipulation 37 8.1.4 Indirect System Call Manipulation 38 Chapter 9 Related Work 39 9.1 Related Work 39 9.1.1 Debloating and system call filtering 39 9.1.2 Runtime System Call Protection 39 9.1.3 Pointer Integrity Protection 41 9.1.4 PAC Defense Approaches 42 9.1.5 Unwinding based Approaches 43 Chapter 10 Conclusions 44 References 45	-
dc.language.iso	en	-
dc.title	利用ARM指標認證與棧回溯技術以保護系統呼叫及控制流	zh_TW
dc.title	Utilize Arm Pointer Authentication and Stack Unwinding to Protect System call Usage and Control Flow	en
dc.type	Thesis	-
dc.date.schoolyear	112-2	-
dc.description.degree	碩士	-
dc.contributor.oralexamcommittee	廖世偉;陳君朋	zh_TW
dc.contributor.oralexamcommittee	Shih-wei Liao;Jiun-Peng Chen	en
dc.subject.keyword	系統呼叫,棧回溯,指標認證,控制流完整性,	zh_TW
dc.subject.keyword	System Call,Stack Unwind,Pointer Authentication,Control Flow Integrity,	en
dc.relation.page	50	-
dc.identifier.doi	10.6342/NTU202402925	-
dc.rights.note	同意授權(全球公開)	-
dc.date.accepted	2024-08-06	-
dc.contributor.author-college	電機資訊學院	-
dc.contributor.author-dept	資訊網路與多媒體研究所	-
顯示於系所單位：	資訊網路與多媒體研究所

文件中的檔案：

檔案	大小	格式
ntu-112-2.pdf	1.01 MB	Adobe PDF	檢視/開啟

顯示文件簡單紀錄

系統中的文件，除了特別指名其著作權條款之外，均受到著作權保護，並且保留所有的權利。