A Stab in the Dark: Blind Attacks on the Linux Kernel
The ViSP Distinguished Lecture Series continues with a talk by Herbert Bos of Vrije Universiteit Amsterdam, Netherlands.
This is an online-only event.
See description for details.
Herbert Bos is full professor at the Vrije Universiteit Amsterdam and co-leads the VUSec Systems Security research group with Cristiano Giuffrida and Erik van der Kouwe.
He obtained an ERC Starting Grant to work on reverse engineering and an NWO VICI grant to work on vulnerability detection. These and other systems security topics are still close to his heart. Other research interests include OS design, networking, and dependable systems.
Herbert moved to The Netherlands after approximately four years at the Universiteit Leiden. Before that he obtained his Ph.D. from the Cambridge University Computer Laboratory, followed by a brief stint at KPN Research (now TNO Telecom).
Unlike what we see in the movies, attacks on high-value targets are not easy. While there are still plenty of vulnerabilities in the software, exploitation is difficult due to multiple layers of protection. For instance, since data pages are no longer executable on modern systems, attackers cannot inject their own malicious code to execute and are forced to reuse snippets of code already present in the victim software instead. By stringing together such existing snippets of benign software, attackers can still create their malicious payloads. However, to do so, they need to know where all these snippets are in memory, which is made difficult by the randomized address spaces of today’s software.
Researchers have shown that in some cases it is possible to attack “blind”—without knowing anything about the target software. Unfortunately for the attacker, these blind attacks induce thousands of crashes, making them applicable only in cases where (a) the software can handle crashes, and (b) nobody raises an alarm when thousands of processes crash. Such cases are rare. In particular, they do not apply to truly high-value targets such as the Linux kernel, where even a single crash is fatal.
If software exploitation is difficult, what about hardware attacks such as Spectre? Here also, exploitation is really tough due to powerful mitigations in hardware and software. In the case of the Linux kernel developers have gone through the kernel code with a fine comb, to eliminate the known Spectre “gadgets” and neutralize possible attacks.
However, even if traditional software exploitation and speculative execution attacks are difficult, I will show that we can combine them and create very powerful blind attacks still, even on the Linux kernel. In particular, the software vulnerabilities make Spectre attacks possible in code that we previously considered safe. In return, speculative execution makes it possible for an attacker to probe blindly in the victim’s address space without ever crashing.
Such a symbiotic combination of attack vectors make the development of mitigation much harder: we can no longer limit ourselves to the threat of, say, memory errors or speculative execution, but have to consider interesting combinations also.
Join us via Zoom: tuwien.zoom.us/j/97853818273
About The Lecture Series
ViSP is organizing a Distinguished Lecture Series with internationally renowned researchers from the field of Security & Privacy. Every month there will be a talk on a current research topic, followed by an open discussion.
ViSP, the Vienna Cybersecurity and Privacy Research Center, consists of researchers from IST Austria, TU Wien and Uni Wien. With these three institutes, Vienna offers an exceptional degree of excellence for research in the area of Security and Privacy. The mission of ViSP is to unlock the true potential of the location by fostering collaborations between different institutes in Vienna. This collaboration strives to do impactful research and advance state of the art, securing Vienna’s pioneer role in the research in Security and Privacy.