Revisiting memory to coin security
Djob Mvondo
Virtualization infrastructure
The split driver model is often used: a frontend driver in the guest VM and a backend driver in the privileged VM (pVM, dom0 in Xen) exchange requests through ring buffers placed in shared memory.

What it brings:
• Modularity
• Performance
• Existing code reuse

What it costs:
• Single point of failure and bottleneck for the pVM
• Bottleneck on the backend driver
• Memory issues regarding ring buffers (the backend consumes descriptors written by a guest it must not trust)

Résilience et dimensionnement des environnement virtualisés. Djob Mvondo. Dec 2020


Single point of failure and bottleneck illustration

(figure: the split driver setup of the previous slide, with the backend driver in the pVM marked as the single point of failure and bottleneck for all guest VMs, and the ring buffers as the place where memory issues arise)
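The memory issue named above, ring buffers that a guest can write to, is easiest to see in code. The block below is an added example, not the slides' code and not Xen's: a minimal frontend/backend ring in shared memory, with a backend consumer that reads the guest-controlled indices once, copies each descriptor out of the shared page before validating it, and bounds-checks offset and length without trusting the frontend. The ring layout, the field names and the sample request are ours.

```c
/* Added example, not from the slides or from Xen: a shared frontend/backend
 * ring whose backend treats everything the frontend wrote as untrusted. */
#include <stdint.h>
#include <string.h>

#define RING_SIZE 8                /* power of two, so masking wraps indices */
#define BUF_LEN   4096             /* size of the shared data page */

struct req {                       /* descriptor written by the frontend */
    uint32_t id;
    uint32_t offset;               /* where in the shared data page to read */
    uint32_t len;
};

struct ring {                      /* lives in memory shared with the frontend */
    volatile uint32_t req_prod;    /* frontend advances after writing a req */
    volatile uint32_t req_cons;    /* backend advances after consuming */
    struct req reqs[RING_SIZE];
    uint8_t data[BUF_LEN];         /* payload page, also frontend-writable */
};

/* Backend side: consume one request into out.
 * Returns bytes copied, 0 if the ring is empty, -1 if the frontend's
 * descriptor is malformed (a real backend would then tear the ring down). */
int backend_consume(struct ring *r, uint8_t *out, size_t out_len)
{
    uint32_t prod = r->req_prod;   /* read the shared indices exactly once */
    uint32_t cons = r->req_cons;
    if (prod == cons) return 0;
    /* The frontend can write any value to req_prod: reject a producer index
     * that claims more entries than the ring holds (unsigned wrap covers
     * prod < cons as well). */
    if (prod - cons > RING_SIZE) return -1;

    /* Copy the descriptor out of shared memory before validating it, so the
     * frontend cannot change it between the check and the use (double fetch). */
    struct req req;
    memcpy(&req, (const void *)&r->reqs[cons & (RING_SIZE - 1)], sizeof req);

    /* Bounds-check with wrap-safe arithmetic: offset + len may overflow. */
    if (req.len > out_len || req.offset > BUF_LEN || req.len > BUF_LEN - req.offset)
        return -1;

    memcpy(out, (const void *)&r->data[req.offset], req.len);
    r->req_cons = cons + 1;        /* publish progress to the frontend */
    return (int)req.len;
}

/* Frontend side: enqueue a request; returns 0 if the ring is full.
 * Deliberately does no validation: a hostile guest would not either. */
int frontend_post(struct ring *r, uint32_t id, uint32_t offset, uint32_t len)
{
    uint32_t prod = r->req_prod;
    if (prod - r->req_cons >= RING_SIZE) return 0;
    struct req *slot = &r->reqs[prod & (RING_SIZE - 1)];
    slot->id = id; slot->offset = offset; slot->len = len;
    r->req_prod = prod + 1;        /* a write barrier would precede this on real hardware */
    return 1;
}

/* Self-test with a constructed payload: one valid read, then three malformed
 * requests a hostile frontend might send. Returns 1 if the backend holds. */
int ring_selftest(void)
{
    static struct ring r;          /* stands in for the shared page */
    static uint8_t out[BUF_LEN];
    memset(&r, 0, sizeof r);
    memcpy(&r.data[100], "hello", 5);          /* constructed payload */

    if (!frontend_post(&r, 1, 100, 5)) return 0;
    if (backend_consume(&r, out, sizeof out) != 5) return 0;
    if (memcmp(out, "hello", 5) != 0) return 0;
    if (backend_consume(&r, out, sizeof out) != 0) return 0;   /* ring empty */

    frontend_post(&r, 2, 4000, 200);           /* offset + len past the data page */
    if (backend_consume(&r, out, sizeof out) != -1) return 0;
    r.req_cons = r.req_prod;                   /* drop it and continue */

    frontend_post(&r, 3, 0xFFFFFFF0u, 32);     /* offset + len wraps around */
    if (backend_consume(&r, out, sizeof out) != -1) return 0;
    r.req_cons = r.req_prod;

    r.req_prod = r.req_cons + RING_SIZE + 1;   /* bogus producer index */
    if (backend_consume(&r, out, sizeof out) != -1) return 0;
    return 1;
}

int main(void) { return ring_selftest() ? 0 : 1; }
```

The three checks in backend_consume (single read of the indices, copy-out before validation, wrap-safe bounds) are what separate a backend that is merely slow under a misbehaving guest from one that a guest can use to read or write pVM memory.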


Mitigating single points of failure
The key idea is to decompose the single point of failure to reduce the blast radius in case of problems.

Full replication[1]: Replicate virtualized components across the data center
• Resource consuming
• Synchronization across the different replicas

Disaggregation + Periodic reboots[2]: Break dom0 into several independent components that run without each other's support, and periodically reboot the components to flush corrupted states.
• Huge overhead for latency sensitive applications

Disaggregation + Specialization + Pro-activity[3][4]: Reuse the Xoar idea without the periodic reboot, but introduce a tailored monitoring and recovery mechanism for each sub-component, in the spirit of driver recovery in the OS.

[1] https://nutanixbible.com
[2] Colp et al. Breaking Up is Hard to Do: Security and Functionality in a Commodity Hypervisor. SOSP'11
[3] Mike Swift et al. Recovering Device Drivers. OSDI'04
[4] Djob Mvondo et al. Fine-Grained Fault Tolerance For Resilient pVM-based Virtual Machine Monitors. DSN'20
Mitigating bottlenecks
Bottlenecks can degrade application performance and affect response times.
Bottlenecks are mitigated by trying to reduce the load on the target component when the input load increases.

(figure: three VMs, each paired with its own stub domain, running on Xen, running on the hardware)

Stub-domains[1]: Dedicate a specific component to each VM, responsible only for helping that VM.
• What about resource provisioning and positioning?

Closer principle[2]: Stub domains are provisioned automatically out of the resources allocated to the VM they serve, leaving out administration tasks.

[1] Xen stubdomains: https://xenproject.org
[2] Djob Mvondo et al. Closer: A new design principle for the privileged virtual machine OS. MASCOTS 2019
Memory issues: Corruption - access
To understand memory issues, we should understand how memory is allocated to a process/VM.

(figure, built up over several slides: a process calls malloc(...); the allocator hands out a chunk of the process's virtual memory; that chunk is backed by a chunk of real memory; the process later calls free)

Later on, access to this page will cause a minor page fault: the page is mapped in the process's address space but not present in its page table, so the OS takes the fault and backs it with a physical frame. No disk I/O is needed, which is what makes the fault "minor".

brk() keeps direct mappings: memory obtained through brk() stays mapped in the process after free(). The allocator keeps the freed chunk for later reuse and does not hand it back to the OS.
Memory issues: Corruption - access
Concretely, a process address space contains several segments: the heap, the .bss and .data segments, the code, and the mapped shared libraries (figure: process address space laid out as heap, .bss, .data, shared libraries).

Each block has specific permissions:
R: read
W: write
X: execute
P: private (copy-on-write, changes are not written back to the file)
S: shared

Using information found in the private heap of a process is the preferred attack mode when dealing with memory issues.
Memory issues: Corruption - access
Step by step example to view how memory is allocated and how the OS is called (demo.c):

gcc -odemo.o demo.c
strace ./demo.o

What do you observe? Among the system calls traced, mmap() and mprotect(). What is their purpose?

mmap(): Maps a virtual memory region and defines what backs it, hence what happens on access: a file or device (pages are fetched from it on demand) or anonymous memory (zero-filled RAM). Returns a pointer to the start address of the mapped region. glibc's malloc() serves large requests (128 KiB and above by default) with mmap() and the rest from the brk() heap.

mprotect(): Changes the access permissions (PROT_READ, PROT_WRITE, PROT_EXEC or PROT_NONE) of an already mapped region. An access that violates them raises SIGSEGV. The dynamic loader uses it, for example, to make relocated data read-only once relocation is done (RELRO), which is the call you see in the trace of even a trivial program.
Memory issues: Corruption - access
More details on the mappings currently used by a process:
/proc/<pid>/maps

Provides information on the ranges of memory used, the mappings, the protections, and the underlying device or file.

Each line has the format:

<address start>-<address end> <perms> <offset> <major id:minor id> <inode id> <file path>

where <perms> is four characters, r/w/x or - for read, write and execute, followed by p (private) or s (shared).
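To tie the strace observations and the /proc/<pid>/maps format together, here is an added example (not the slides' demo.c): it maps one anonymous page with mmap(), writes to it, drops it to read-only with mprotect(), shows that the next write now faults, and then reads the same mapping back from /proc/self/maps with a small parser for the line format above. It assumes Linux for /proc; the function names and the sample maps line in the test are ours.

```c
/* Added example, not from the slides: mmap(), mprotect() and /proc/self/maps
 * seen from inside one process. Assumes Linux. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

struct map_entry {
    uintptr_t start, end;
    char perms[5];              /* e.g. "r-xp": read, write, exec, private/shared */
    unsigned long offset;
    char path[256];             /* empty for anonymous mappings */
};

/* Parse one /proc/<pid>/maps line:
 * <start>-<end> <perms> <offset> <major:minor> <inode> [<path>]
 * Returns 1 on success, 0 if the line is malformed. */
int parse_maps_line(const char *line, struct map_entry *e)
{
    unsigned long start, end, offset, inode;
    char perms[5], dev[16], path[256] = "";
    int n = sscanf(line, "%lx-%lx %4s %lx %15s %lu %255s",
                   &start, &end, perms, &offset, dev, &inode, path);
    if (n < 6) return 0;        /* path is optional, the other six are not */
    e->start = start; e->end = end; e->offset = offset;
    memcpy(e->perms, perms, 5);
    strncpy(e->path, path, sizeof e->path - 1);
    e->path[sizeof e->path - 1] = '\0';
    return 1;
}

/* Find the mapping of this process that contains addr. */
int find_mapping(const void *addr, struct map_entry *e)
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return 0;
    char line[512];
    int found = 0;
    while (fgets(line, sizeof line, f)) {
        if (parse_maps_line(line, e) &&
            (uintptr_t)addr >= e->start && (uintptr_t)addr < e->end) {
            found = 1;
            break;
        }
    }
    fclose(f);
    return found;
}

/* Probe whether a write to p is allowed. A forbidden write raises SIGSEGV,
 * which we catch and turn into a return value instead of dying. */
static sigjmp_buf probe_env;
static void on_segv(int sig) { (void)sig; siglongjmp(probe_env, 1); }

int write_allowed(volatile char *p)
{
    struct sigaction sa = {0}, old;
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    int ok;
    if (sigsetjmp(probe_env, 1) == 0) {
        *p = 'x';               /* the probe itself */
        ok = 1;
    } else {
        ok = 0;                 /* we arrive here from the handler */
    }
    sigaction(SIGSEGV, &old, NULL);
    return ok;
}

/* Map one anonymous page read-write, write to it, then drop it to read-only.
 * Returns 1 if the write succeeded before mprotect(), failed after it, and
 * /proc/self/maps reports the page as "r--p". */
int demo_mprotect(void)
{
    long pg = sysconf(_SC_PAGESIZE);
    char *p = mmap(NULL, (size_t)pg, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return 0;
    int before = write_allowed(p);                 /* first touch: minor fault, then ok */
    if (mprotect(p, (size_t)pg, PROT_READ) != 0) return 0;
    int after = write_allowed(p);                  /* now SIGSEGV, caught */
    struct map_entry e;
    int perms_ok = find_mapping(p, &e) && strcmp(e.perms, "r--p") == 0;
    munmap(p, (size_t)pg);
    return before && !after && perms_ok;
}

int main(void)
{
    printf("mprotect demo %s\n", demo_mprotect() ? "OK" : "FAILED");
    return 0;
}
```

Run it under strace to see the same mmap() and mprotect() calls the slides ask about, now with a known purpose. A guard page, used later in these slides as an overflow detector, is exactly this mechanism with PROT_NONE: a page that no access may touch, placed where an overflow would land.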
Memory issues: Corruption - access
Check the mappings for your C program and also cat /proc/self/maps

How can this information be maliciously used?

Buffer overflow    Branch prediction    Admin privileges

(the slides only work through the first one)

Buffer overflow

Use a process's memory areas to try to read areas outside its jurisdiction.

(figure: process P has access to its own range of memory, which sits between O's memory and Q's memory, at 0xdf1 and 0xdf5; P does not have access to either neighbour)

But what happens if Q's memory is not correctly protected? Then P can go out of bounds (overflow). Any process can try to go out of bounds by manually triggering a read at a specific address. The same holds inside P's own range: the hardware checks the boundary between processes, but nothing checks the boundary between two objects that sit next to each other in P, so writing past the end of a buffer overwrites whatever follows it (another variable, a saved return address).

Example: authentication code in C (overflow.c)

gcc -ooverflow.o overflow.c -fno-stack-protector -z execstack -fno-pie

./overflow.o

What do you observe?
Protecting against buffer overflow

1. Enable canaries and guard pages in the operating system and toolchain. A canary is a random value placed between the local buffers and the saved return address and checked before the function returns (gcc -fstack-protector, which the overflow demo above switches off). A guard page is an inaccessible memory page placed at the end of a memory region in order to detect overflows: an overflow that reaches it faults instead of silently corrupting the neighbour.
   (figure: process P's range of memory flanked on each side by a canary / guard page, marked C)

2. (K)ASLR - (Kernel) Address Space Layout Randomization: the system changes the location of your heap, stack and library addresses at each execution (and of the kernel at each boot) to block attacks that rely on the old location. This is why the demo is built with -fno-pie: otherwise the code addresses would move too. The randomized layout is still readable by the process itself through /proc/self/maps, and leaking a single pointer is enough to recover the base of the region it points into.
