It's Bugs All the Way Éé¤«¤¹¡¿·âÄÆ¤¹¤ë

°ÂÁ´ ¸¦µæ by Dan Rosenberg

SLOB ³«È¯¡¿ÍøÍÑ

The Linux kernel's SLOB allocator is ¤Þ¤ºÂè°ì¤Ë¡¿ËÜÍè used on embedded systems. I developed a °ìÏ¢¤Î new attacks against SLOB that may be used to °Î¶È¡¿ÍøÍÑ¤¹¤ë progressively more constrained vulnerabilities, ÈÏ°Ïing from an ÆÈÃÇÅª¤Ê heap ¹¿¿å to an off-by-one NULL byte. I also ²òÊü¡Ê¤¹¤ë¡Ëd libplayground, a simple ÏÈÁÈ¤ß I used to develop and ¼Â¸³¡Ê¤¹¤ë¡Ë these techniques.

January 2012 - Infiltrate
[event] [slides] [code]

Remote Kernel ³«È¯¡¿ÍøÍÑ

After ½Ï¹Í¤¹¤ë¡¿¹ÍÎ¸¤¹¤ëing every public example of remote kernel ³«È¯¡¿ÍøÍÑ, I developed a fully working °Î¶È¡¿ÍøÍÑ¤¹¤ë for a remote kernel stack ¹¿¿å in the Linux kernel's ¼Â»Ü of the ROSE amateur ÌµÀþ¤ÇÄÌ¿®¤¹¤ë µÄÄê½ñ. The °Î¶È¡¿ÍøÍÑ¤¹¤ë Ç¤Ì¿¤¹¤ë¡¿Æ³Æþ¤¹¤ës a kernel backdoor in the µ¾À·¼Ô host, µö¤¹ing the ¹¶·â¼Ô to send and Í¶È¯¤¹¤ë¡¿°ú¤µ¯¤³¤¹ ÆÈÃÇÅª¤Ê userland payloads at will. The °Î¶È¡¿ÍøÍÑ¤¹¤ë Åªs 32-bit PAE kernels, Í×µá¤¹¤ëing the use of return-oriented programming (ROP) in kernel Êý¼°.

October 2011 - H2HC
[event] [slides]
August 2011 - Defcon
[event] [slides] [code]

Stackjacking

Jon Oberheide and I gave a Â£Äè on ³«È¯¡¿ÍøÍÑ techniques against Linux kernels ¾ï½¬Åª¤Ê with the grsecurity patchset. By ¤Æ¤³Æþ¤ì¡¿¼ÚÆþ»ñËÜing the Ï³¤ì of uninitialized stack data in ¹çÆ± with an Â¸ºß¤¹¤ëing ÆÈÃÇÅª¤Ê kernel Îá¾õ vulnerability, we ÏÀ¾Ú¤¹¤ëd two techniques that could be used to ÁýÂç¤¹¤ë ÆÃ¸¢s.

June 2011 - SummerCon
[event] [slides]
April 2011 - Infiltrate
[event] [slides]
April 2011 - BeaCon
[event] [slides]
April 2011 - Hackito Ergo Sum
[event] [slides] [code]

Linux Kernel Hardening

In ¿·µ¬²ÃÆþ to auditing the Linux kernel to find and Ä¾¤¹¡¿Çã¼ý¤¹¤ë¡¤È¬É´Ä¹¤ò¤¹¤ë vulnerabilities, I'm È¼¤¦¡¿´Ø¤ï¤ëd in an À®²Ì¡¿ÅØÎÏ to ´ï¶ñ¡¿¼Â»Ü¤¹¤ë proactive °ÂÁ´ features upstream. So far, I've ´ï¶ñ¡¿¼Â»Ü¤¹¤ëd two sysctls, dmesg_restrict and kptr_restrict, both of which are designed to ºÇ¾®¸Â¤Ë¸º¤é¤¹ Ï³¤ì of ÀøºßÅª¤Ë ¶ËÅÙ¤Î¿µ½Å¤µ¤òÍ×¤¹¤ë ¡Ê·Ù»¡¤Ê¤É¤Ø¤Î¡ËÌ©¹ð¡¤¹ðÁÊ¡Ê¾õ¡Ë that can be useful when developing kernel °Î¶È¡¿ÍøÍÑ¤¹¤ës.

Next on the Ì¾Êí¡Ê¤ËºÜ¤»¤ë¡Ë¡¿É½¡Ê¤Ë¤¢¤²¤ë¡Ë is to continue ¸º¤º¤ëing ¡Ê·Ù»¡¤Ê¤É¤Ø¤Î¡ËÌ©¹ð¡¤¹ðÁÊ¡Ê¾õ¡Ë Ï³¤ì, Å¬ÀÚ¤Ë ¾ìÆâ¼è°ú°÷¡¿³ô²Á and »Ü¹Ô¤¹¤ëing ³Î¤«¤Ê structures as read-only, À©¸Â¤¹¤ëing unprivileged ÉéÃ´ing of kernel modules, and ¤«¤â¤·¤ì¤Ê¤¤ randomizing kernel code on boot.

Fuzzing

I created a Æ»¶ñ called FuzzDiff to help make ¾×ÆÍ¡¤ÄÆÍî Ê¬ÀÏ during ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ë È½·¿ fuzzing easier. When ¶¡µë¤¹¤ëd with a fuzzed ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ë, a corresponding ½é¤á¤Î un-fuzzed ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ë, and the path to the Åªd program, FuzzDiff will selectively "un-fuzz" ÉôÊ¬s of the fuzzed ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ë while re-³«»Ï¤¹¤ë¡¤ÂÇ¤Á¾å¤²¤ëing the »ÈÍÑ¡¿Å¬ÍÑ to ´Æ»ë¤¹¤ë for ¾×ÆÍ¡¤ÄÆÍîs. This will »º¤¹¤ë¡¿À¸¤¸¤ë a ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ë that still ¾×ÆÍ¡¤ÄÆÍîs the Åª »ÈÍÑ¡¿Å¬ÍÑ, but ´Þ¤à¡¿Éõ¤¸¹þ¤á¤ës a ºÇ¾®¸Â »Ï¤á¤ë¡¤·è¤á¤ë of changes from the ½é¤á¤Î, un-fuzzed ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ë. This can be useful in pinning Éé¤«¤¹¡¿·âÄÆ¤¹¤ë the exact ¸¶°ø¡Ê¤È¤Ê¤ë¡Ë of a ¾×ÆÍ¡¤ÄÆÍî.

Ê¬ÇÛ¤¹¤ëd ÃùÂ¢

I ´°Á´¤Ë¤¹¤ëd my Masters ¸¦µæ at Brown University with ½õ¸À¼Ô Roberto Tamassia. My work È¼¤¦¡¿´Ø¤ï¤ëd developing ²òÅús to ¶¡µë¤¹¤ë proof of data ÀµÄ¾¤µ when using outsourced ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ë ÃùÂ¢, ÆÃ¤Ë ¥¢¥Þ¥¾¥ó S3 (paper). I developed a ¸¶·¿ that ¡Ê°»ö¡¤ÈëÌ©¤Ê¤É¤ò¡ËÈ¯¸«¤¹¤ës data tampering without any ¡ÊÊÛ¸î»Î¤Î¡Ë°ÍÍê¿Í-Ì£Êý¤¹¤ë ÃùÂ¢ É¬Í×Êª¡¿É¬Í×¾ò·ïs (no ÃÏ¸µ¤Î checksums) and ¶Ë¾®¤Î ¶ÈÀÓ¡¿À®²Ì Áí·×Èñ.