RandCompile: Removing Forensic Gadgets from the Linux Kernel to Combat its Analysis
Pages 677 - 690
Abstract
Recently proposed tools such as LogicMem, Katana, and AutoProfile enable a fine-grained inspection of the operating system’s memory. They provide insights that were previously only available for Linux machines specifically instrumented for cooperation with virtual machine introspection frameworks. An overly controlling cloud operator can now regularly deep-inspect VMs under their control.
In this paper, we investigate how the concept of software diversity can be employed to remove structural information from the Linux kernel and thereby harden it against automated analysis by the aforementioned tools. We employ a mixture of small, targeted obfuscations of the memory layout and a randomization of the ABI between functions in the Linux kernel, because both the memory layout and the inter-function ABI otherwise provide artifacts that remain predictable across different compilers, kernel configurations, and even with Structure Layout Randomization enabled.
We provide an implementation of our ideas in RandCompile, which is composed of a small patch set for the 5.15 Linux LTS kernel and a compiler plugin. RandCompile seeks to remove these structural information artifacts, which we call forensic gadgets, in order to eliminate the leverage points that the tools mentioned above need for further analysis. Our approach does not require major modifications to the kernel code base and has only a negligible performance impact (less than 5%), which is lower than that of other major security or debugging features enabled by default in the Linux kernel.
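The abstract states that the artifacts these tools rely on survive Structure Layout Randomization. The following script, an added illustration by the editor and not code from the RandCompile authors or from LogicMem, Katana or AutoProfile, shows one such artifact in the spirit of those tools: the `tasks` list linking all `task_struct` objects is a circular doubly-linked list, so `next->prev == self` holds at every node regardless of which offset the list head sits at. Starting only from the bytes of a known process name (`swapper/0`), the inference below recovers the displacement between the `comm` field and the list head, walks the list and reads every process name, and does so equally for a conventional and for a "randomized" layout. Everything here is constructed: the kernel base address, the two three-field task_struct layouts, the process names, and the irregular spacing of the objects that stands in for slab allocation.

```python
import struct

# Constructed parameters (not from the paper): a small memory image that we
# pretend is mapped at KERNEL_BASE and that holds a few fake task_structs.
KERNEL_BASE = 0xFFFF888000000000
PTR = struct.Struct("<Q")
COMM_LEN = 16

# Two hypothetical task_struct layouts with the same three fields at different
# offsets; "randomized" stands in for a structure-layout-randomized build.
LAYOUTS = {
    "conventional": {"size": 0x400, "pid": 0x2C0, "tasks": 0x2E0, "comm": 0x330},
    "randomized":   {"size": 0x400, "pid": 0x3A8, "tasks": 0x098, "comm": 0x1C0},
}
NAMES = ["swapper/0", "systemd", "kthreadd", "sshd"]  # constructed process names
GAPS = (0x80, 0x200, 0x340)  # irregular spacing between objects, like a slab would give


def build_image(layout, names=NAMES, gaps=GAPS, size=0x2000):
    """Place len(names) fake task_structs in the image, linked in a circular list."""
    img = bytearray(size)
    offs = [0x200]
    for gap in gaps[: len(names) - 1]:
        offs.append(offs[-1] + layout["size"] + gap)
    n = len(names)
    for i, (off, name) in enumerate(zip(offs, names)):
        head = off + layout["tasks"]
        PTR.pack_into(img, head, KERNEL_BASE + offs[(i + 1) % n] + layout["tasks"])      # .next
        PTR.pack_into(img, head + 8, KERNEL_BASE + offs[(i - 1) % n] + layout["tasks"])  # .prev
        struct.pack_into("<i", img, off + layout["pid"], i)
        img[off + layout["comm"]: off + layout["comm"] + COMM_LEN] = name.encode().ljust(COMM_LEN, b"\0")
    return img


def read_ptr(img, vaddr):
    off = vaddr - KERNEL_BASE
    return PTR.unpack_from(img, off)[0] if 0 <= off <= len(img) - 8 else None


def in_image(img, vaddr):
    return KERNEL_BASE <= vaddr < KERNEL_BASE + len(img)


def plausible_comm(img, vaddr):
    """A comm[] field: non-empty printable ASCII, NUL-padded to 16 bytes."""
    off = vaddr - KERNEL_BASE
    if not 0 <= off <= len(img) - COMM_LEN:
        return None
    name, _, tail = bytes(img[off: off + COMM_LEN]).partition(b"\0")
    if not name or tail.strip(b"\0") or not all(0x20 <= b < 0x7F for b in name):
        return None
    return name.decode()


def walk_list(img, head, limit=4096):
    """Follow .next from head until it returns to head; every hop must satisfy next.prev == cur."""
    nodes, cur = [head], head
    for _ in range(limit):
        nxt = read_ptr(img, cur)
        if nxt is None or not in_image(img, nxt) or read_ptr(img, nxt + 8) != cur:
            return None
        if nxt == head:
            return nodes
        nodes.append(nxt)
        cur = nxt
    return None


def infer_tasks_from_comm(img, anchor=b"swapper/0", max_dist=0x1000):
    """Find the anchor name, then the displacement d at which comm + d is the head of a
    consistent circular list whose every node has a plausible comm at node - d.
    No struct offsets are assumed; the list invariant alone drives the inference."""
    pos = img.find(anchor)
    if pos < 0:
        return None
    comm_vaddr = KERNEL_BASE + pos
    for d in range(-max_dist, max_dist, 8):
        nodes = walk_list(img, comm_vaddr + d)
        if not nodes or len(nodes) < 2:
            continue
        names = [plausible_comm(img, node - d) for node in nodes]
        if all(names):
            return {"tasks_minus_comm": d, "list_heads": nodes, "names": names}
    return None


if __name__ == "__main__":
    for label, layout in LAYOUTS.items():
        result = infer_tasks_from_comm(build_image(layout))
        print(f"{label:12s} true tasks-comm = {layout['tasks'] - layout['comm']:#x}, "
              f"inferred = {result['tasks_minus_comm']:#x}, names = {result['names']}")
```

The displacement and the full process list are recovered for both layouts because the artifact exploited here is a property of the data (a self-consistent circular list next to a printable name field), not of any particular field offset. That is the kind of leverage point a layout-only defense leaves in place, and why the abstract frames the problem as removing structural artifacts rather than merely shuffling offsets.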
Information
Published In: December 2023, 836 pages
ISBN: 9798400708862
DOI: 10.1145/3627106
Copyright © 2023 Owner/Author. This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
Publisher: Association for Computing Machinery, New York, NY, United States
Published: 04 December 2023
Qualifiers: Research-article, Research, Refereed limited
Conference: ACSAC '23
Acceptance Rates: Overall Acceptance Rate 104 of 497 submissions, 21%