"Bypassing Kernel Code Integrity Protection Mechanisms"
Saturday, July 18. 2009
A paper that we will publish next month at USENIX Security'09 is entitled "Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms". In return-oriented programming, an attacker re-uses existing code: he searches for short instruction sequences (typically only one instruction) which are followed by a RET. By cleverly chaining these sequences, an attacker can build a gadget that then performs an actual computation, e.g., the gadget adds two operands. By combining these gadgets, an attacker can then perform arbitrary computations. Return-oriented programming was popularized by Shacham (CCS'07 paper targeting Linux/x86, CCS'08 paper targeting Solaris/SPARC). In our paper we present a system to automatically find useful instructions, build gadgets, and then generate a return-oriented program for Windows as the target OS. In a case study, we show how this system can be used to implement a return-oriented rootkit, bypassing typical kernel code integrity mechanisms. The main insight here is that integrity mechanisms protect against injection of code - however, if the attacker re-uses existing code, these approaches typically fail.Abstract: Protecting the kernel of an operating system against attacks, especially injection of malicious code, is an important factor for implementing secure operating systems. Several kernel integrity protection mechanism were proposed recently that all have a particular shortcoming: They cannot protect against attacks in which the attacker re-uses existing code within the kernel to perform malicious computations. In this paper, we present the design and implementation of a system that fully automates the process of constructing instruction sequences that can be used by an attacker for malicious computations. We evaluate the system on different commodity operating systems and show the portability and universality of our approach. Finally, we describe the implementation of a practical attack that can bypass existing kernel integrity protection mechanisms.
The paper contains all the details and the results of our experiments are also available. The main part of this work was performed by Ralf Hund, it was the topic of his thesis. Furthermore, Felix Freiling helped with the project. And the word cloud was generated with the help of Wordle
