Lesson 11: Breaking Stuff

Secure Operating Systems
Lesson B: Let’s go break something
Where are we?

We’ve looked at hardware and software, but I have failed to really show you how to break things… which does rather make the beauty of Multics harder to see
So… let’s look at some examples of OSes breaking
Linux: Overview

Based on Chen et al.’s “Linux kernel vulnerabilities: State-of-the-art defenses and open problems”
They looked at approximately a year of Linux kernel vulnerabilities and found the following…
Vulns

[Figure. Source: Chen et al.]

Vulns (cntd)

[Figure, continued. Source: Chen et al.]
What about countermeasures?

Software fault isolation
Code Integrity (such as SecVisor)
User-level drivers
Memory tagging (detect misuse of untrusted inputs)
Uninitialized memory tracking
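The last countermeasure on the list targets a bug class that is easy to miss by eye: a kernel fills a structure field by field and then copies the whole structure to user space, but the compiler-inserted padding bytes are never written, so whatever was previously in that memory goes out with it. The following is an added example, not code from the slides or from Chen et al.: it simulates the stale memory with a heap buffer pre-filled with a marker byte (constructed input), shows the leaky fill pattern, and shows the hardened form that zeroes the object first. The struct layout and the marker value are assumptions made for the demonstration.

```c
/* Added example (not from the slides or from Chen et al.): an
 * uninitialized-memory information leak, with the hardened form beside it.
 * The "stale" memory is simulated with a heap buffer filled with a marker
 * byte; in a kernel it would be whatever the stack or slab slot last held. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STALE_BYTE 0xAA  /* constructed marker standing in for leftover data */

/* On the common ABIs: 1 byte 'kind', 3 bytes of padding, 4 bytes 'value'. */
struct reply {
    uint8_t  kind;
    uint32_t value;
};

/* Simulates a memory slot that still holds old data. */
static struct reply *stale_slot(void) {
    unsigned char *raw = malloc(sizeof(struct reply));
    if (!raw) abort();
    memset(raw, STALE_BYTE, sizeof(struct reply));
    return (struct reply *)raw;
}

/* Counts bytes of the object that still carry the stale marker, i.e. bytes
 * that a copy to user space would disclose without them ever being set. */
static size_t stale_bytes(const struct reply *r) {
    const unsigned char *p = (const unsigned char *)r;
    size_t n = 0;
    for (size_t i = 0; i < sizeof(*r); i++)
        if (p[i] == STALE_BYTE) n++;
    return n;
}

/* Vulnerable pattern: every named field is assigned, padding is untouched. */
size_t leaky_fill_count(void) {
    struct reply *r = stale_slot();
    r->kind = 1;
    r->value = 42;
    size_t n = stale_bytes(r);   /* the 3 padding bytes still hold stale data */
    free(r);
    return n;
}

/* Hardened pattern: zero the whole object before filling fields. */
size_t zeroed_fill_count(void) {
    struct reply *r = stale_slot();
    memset(r, 0, sizeof(*r));
    r->kind = 1;
    r->value = 42;
    size_t n = stale_bytes(r);   /* 0: nothing left to leak */
    free(r);
    return n;
}

int main(void) {
    printf("leaky fill: %zu stale bytes, zeroed fill: %zu stale bytes\n",
           leaky_fill_count(), zeroed_fill_count());
    return 0;
}
```

The point of the comparison is that both versions are "correct" as far as the named fields go; only a tool that tracks initialisation at the byte level, or a reviewer who knows the padding rule, sees the difference.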
Semantic Vulnerabilities

Simply not protecting something that needs to be protected
Does it happen? Yes! (See CVE-2010-1641 and many many more)
Much harder to detect automatically
This is a hard problem!
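Why is this class hard to detect automatically? Nothing is corrupted, no bound is exceeded; the code simply forgets to ask a question. The following added example (not from the slides, and not modelled on the details of CVE-2010-1641) shows the shape of such a bug in a toy dispatcher and the structural fix that a reference-monitor design gives: permission is checked once, before dispatch, from a table, so a newly added operation cannot silently skip the check. The file model, operation set and error value are constructed for illustration.

```c
/* Added example, not from the slides: a "semantic" vulnerability in the
 * sense of the slide, i.e. an operation that forgets a permission check,
 * beside a dispatcher that checks centrally. Everything here is a toy
 * model constructed for illustration, not taken from any real kernel. */
#include <stddef.h>

enum { PERM_READ = 1, PERM_WRITE = 2 };
enum op { OP_READ, OP_WRITE, OP_RESIZE };

struct file {
    int  perms_for_caller;  /* permission bits the calling user holds */
    long size;
};

#define EACCES_LIKE (-13)   /* constructed error code, mirrors -EACCES */

/* Vulnerable dispatcher: each operation does its own checking, and
 * OP_RESIZE, added later, has none. A read-only caller can resize. */
int dispatch_unchecked(struct file *f, enum op op, long arg) {
    switch (op) {
    case OP_READ:
        if (!(f->perms_for_caller & PERM_READ)) return EACCES_LIKE;
        return 0;
    case OP_WRITE:
        if (!(f->perms_for_caller & PERM_WRITE)) return EACCES_LIKE;
        return 0;
    case OP_RESIZE:         /* missing PERM_WRITE check: the bug */
        f->size = arg;
        return 0;
    }
    return -1;
}

/* Which permission each operation needs. One table, one place to audit. */
static int required_perm(enum op op) {
    switch (op) {
    case OP_READ:   return PERM_READ;
    case OP_WRITE:  return PERM_WRITE;
    case OP_RESIZE: return PERM_WRITE;
    }
    return PERM_READ | PERM_WRITE;  /* unknown op: demand everything */
}

/* Hardened dispatcher: the check happens before any operation runs. */
int dispatch_checked(struct file *f, enum op op, long arg) {
    int need = required_perm(op);
    if ((f->perms_for_caller & need) != need) return EACCES_LIKE;
    switch (op) {
    case OP_READ:   return 0;
    case OP_WRITE:  return 0;
    case OP_RESIZE: f->size = arg; return 0;
    }
    return -1;
}

/* Scenario: a caller holding only PERM_READ asks to resize the file.
 * Each helper returns 1 if the resize went through, 0 if it was refused. */
int reader_can_resize_unchecked(void) {
    struct file f = { PERM_READ, 100 };
    int rc = dispatch_unchecked(&f, OP_RESIZE, 0);
    return rc == 0 && f.size == 0;
}

int reader_can_resize_checked(void) {
    struct file f = { PERM_READ, 100 };
    int rc = dispatch_checked(&f, OP_RESIZE, 0);
    return rc == 0 && f.size == 0;
}

/* Sanity check: a caller with PERM_WRITE is still allowed to resize. */
int writer_can_resize_checked(void) {
    struct file f = { PERM_READ | PERM_WRITE, 100 };
    int rc = dispatch_checked(&f, OP_RESIZE, 0);
    return rc == 0 && f.size == 0;
}
```

A static checker has nothing to flag in `dispatch_unchecked`: the missing check is a fact about the intended policy, not about the code. The centralised form turns that policy into one table that a reviewer can audit against the operation list.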
Another problem: Shatter

From: “Exploiting design flaws in the Win32 API for privilege escalation. Or... Shatter Attacks – How to break Windows”
Shatter is a classic example of how things can go wrong
The Setup

Shatter is a local privilege escalation attack
VirusScan runs as LocalAdministrator
I run as an unprivileged user
Can I get VirusScan to execute code on my behalf?
How it works

First, we get a handle to the higher privileged Window – Windows provides the APIs for this
We now have access to the controls on that window programmatically
Set up the max length for our shell code, and paste it in using Windows Messages
WM_TIMER

Send the window a WM_TIMER message with the location of the code we want to execute (oops)
Bingo!
Let’s discuss for a minute…
Complicated: IA64 sysret

Okay, this one is REALLY quite complicated… let’s take a look
Following: “A Stitch In Time Saves Nine: A Case Of Multiple OS Vulnerability”
Eek!
AMD

[Figure. From Wojtczuk]

Intel

[Figure. From Wojtczuk]

Think about it…

[Figure. From Wojtczuk]
Exploitation

DoS is easy; code injection is a bit harder, but not impossible
What’s worse, it’s hard to fix
The basic idea is how the exception gets kicked off
Things to Do

Read: “Linux kernel vulnerabilities: State-of-the-art defenses and open problems”
Questions & Comments

What do you want to know?