Black Hat Europe 2011 is now over and we are very happy to have participated once again in the best European IT security conference!
Continuing from our last year’s presentation, our talk this year focused on operating system kernel protections. Specifically, our researchers Patroklos Argyroudis and Dimitris Glynos collected their experiences from kernel exploit development and presented the ways in which modern operating systems protect their kernels from memory corruption attacks.
The first part of our talk touched on the importance of kernel security. Operating system kernel security has become very important lately, mainly for two reasons. The first one is that in userland most generic exploitation approaches have been defeated by countermeasure technologies. This means that it is becoming increasingly harder to successfully penetrate target systems through memory corruption bugs in applications and therefore penetration testers and security researchers have started looking more at kernel vulnerabilities. The second reason for the importance of kernel security is that operating system kernels are large and complex code bases, increasing the possibility of security-related bugs. This has led to the wide adoption of proactive kernel defense mechanisms.
The second part of our talk gave an overview of kernel vulnerability classes and programming bugs that lead to such vulnerabilities.
In order to allow the attendants to compare userland mitigations to kernel ones, the third part of the talk briefly presented the currently available userland exploitation defenses.
The fourth and main part of our talk presented a detailed technical analysis of the kernel exploitation mitigations found on Linux (version 2.6.37), Windows 7, Mac OS X Snow Leopard (version 10.6.6) and FreeBSD (version 8.1). Our talk also covered the kernel defenses available on popular mobile phone platforms, such as Apple’s iOS (the iPhone operating system) and Google’s Android.
As an example success story of a kernel exploitation mitigation one may consider the MS10-009/CVE-2010-0239 ICMPv6 router advertisement vulnerability. This is a Windows 7 remote code execution vulnerability due to unbounded memory copying when processing ICMPv6 router advertisement packets. When the vulnerability is triggered, the Windows 7 kernel detects the corrupted kernel stack and the operating system halts. This is indeed preferable to the alternative which is remote code execution and subsequent full compromise of the system.
Where possible, the fourth part of our talk also presented the available techniques for bypassing some of the examined mitigation technologies, along with the appropriate references to enable all interested parties to get a head start in this area of research.
The fifth and final part of our presentation provided generic hints and tips on bypassing proactive
kernel defense mechanisms.
All material from our presentation are provided below in the hope that they will be useful to security researchers, developers and users of the above operating systems.
We would like to thank Matt Miller and Maarten Van Horenbeeck of Microsoft for providing us with helpful comments regarding Windows 7.
Linux is a registered trademark of Linus Torvalds. Microsoft, Windows 7 and the Windows logo are
registered trademarks of Microsoft Corporation. Mac OS X Snow Leopard, iPhone and the Apple logo are registered trademarks of Apple Inc. FreeBSD and the FreeBSD logo are registered trademarks of The FreeBSD Foundation. Android is a trademark of Google Inc. Finally, the Android Robot logo is reproduced from work created and shared by Google and used according to terms described in the Creative Commons 3.0 Attribution License.