Try   HackMD

System call protection study

tags: security system call

Approach study: call stack integrety

On the meeting at 1st March, this approach was proposed. Therefore, we are gonna look into the possibility and limitation of this approach.

Core idea

The core idea behind this method is to verify the call stack integrety, and determine if the process is compromised.

To verify the call stack integrety, the approach states that given a call stack, if we can perform backtrace back to the entry point (_start in crt0.o), this call stack is sound

Design

  1. for all programs in the system, we assume they are all compiled with gnu toolchain without bringing flags like: -fno-unwind-tables (see)
  2. upon a process calls a sensitive system call, the mechanism is enforced
  3. retreive the call stack, and use library, like libunwind to perform backtrace
  4. if we can backtrace back to the entry point, we consider the process is uncompromised, and give this system call permission

  • backtrace to _start states the integrety is not compromised

    Image Not Showing Possible Reasons
    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported
    Learn More →

  • a ROP chain wreck the call stack, therefore we cannot backtrace to _start

    Image Not Showing Possible Reasons
    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported
    Learn More →

Pros and Cons

Pros

  • quick for implementation
    • backtrace can invoke libunwind
    • don't need to generate more information during compilation

Cons

  • no efficient for runtime: O(N) for each system call
    • N: the number of the call frames
  • hight false negative rate
    • this approach based on some assumptions, invalidated if any one of them not held:
      • The ROP chain definitely compromises the call stack
      • programs always have .en_frame section
    • cannot deal with attack methods like, dll injection, on which the backtrace can still be performed back to the entry point
  • similiar to stack canary
  • exception handler (setjump, jump)
Last changed by 
Ztex
0
448

Read more

Protect the System Call, Protect (most of) the World with BASTION

website Abstract enforces at runtime 3 contexts(Call type): which system call, how's call (Control Flow) (Argument Integrity) Bastion

Apr 10, 2023
GNU GCC plugin study

Introduction This article aims to explain how does GNU GCC plugins work, what can it do, and how to write one. According to kernel.org GCC plugins are loadable modules that provide extra features to the compiler [1]_. They are useful for runtime instrumentation and static analysis. We can analyse, change and add further code during compilation via callbacks [2]_, GIMPLE [3]_, IPA [4]_ and RTL passes [5]_. ...

Mar 1, 2023
[Embedded System] Deploy Linux v5.13 onto qemu vexpress-a9

[Embedded System] Deploy Linux v5.13 onto qemu vexpress-a9 Table of Contents [TOC] Beginners Guide Given the fact the the tutorials are mostly focused on Linux v4, and you will find that it doesnt work out by simply follow these tutorials to deploy v5.13, this blog aims to cover the latest Linux version of the time (2021/10/29), v5.13. If you are a total beginner to this, start here! Visit The Linux Kernel Archives

Nov 2, 2021
Linux platform device driver and design

The discussion below is based on the assumption that we are talking about after Linux 2.6 Platform Devices and Drivers platform bus line, device and driver In the model of device driver, there are three instances we have to take care of: Bus line Device

Oct 13, 2021
Read more from Ztex
Published on HackMD