Information Technology Reference
In-Depth Information
Figure 12. Invariants inferred by Gibraltar for zone_table[1], a data structure of type zone_struct (Gi-
braltar infers similar invariants for the other elements of the zone_table array).
Figure 13. The invariants satisfied by the coefficients of the polynomial used by the stirring function in the
PRNG. The coefficients are the fields of the struct poolinfo data structure, shown above as poolinfo.
Adding Binary Format Attack
in this Figure is represented in the kernel by one
of
random_state->poolinfo
or
sec_random_state-
>poolinfo
). The coefficients are initialized upon
system startup, and must never be changed during
the execution of the kernel. The attack violates
these invariants when it zeroes the coefficients of
the polynomial. Gibraltar detects this attack when
the invariants are violated.
Gibraltar infers the invariant shown in Figure 15
on the formats list on our system, which has two
registered binary formats. The size of the list is
constant after the system starts, and changes only
when a new binary format is installed. Because
this attack inserts a new binary format, it changes
the length of the formats list violating the invari-
ant in Figure 10; consequently, Gibraltar detects
this attack.
Disable PRNG Attack
The invariants inferred by Gibraltar on our system
for the random fops and urandom fops are shown
in Figure 14. The attack code changes the values
of the above two function pointers, violating the
invariants. As with Attack 1, this attack can also
be detected using SBCFI.
invariants and false positives
Invariants.
As discussed in Section 3, Gibraltar
uses Daikon to infer invariants; these invariants
express properties of both individual objects, as
well as collections of objects (e.g., all objects of
the same type; invariants inferred over linked
Figure 14. Invariants inferred for the PRNG function pointers. These are replaced to point to attacker
specified code, thereby disabling the PRNG.
Search WWH ::
Custom Search