Abstract
The abundance of memory corruption and disclosure vulnerabilities in kernel code necessitates the deployment of hardening techniques to prevent privilege escalation attacks. As stricter memory isolation mechanisms between the kernel and user space become commonplace, attackers increasingly rely on code reuse techniques to exploit kernel vulnerabilities. Contrary to similar attacks in more restrictive settings, such as web browsers, in kernel exploitation non-privileged local adversaries have great flexibility in abusing memory disclosure vulnerabilities to dynamically discover, or infer, the location of code snippets in order to construct code-reuse payloads. Recent studies have shown that coupling code diversification with the enforcement of a "read XOR execute" (R^X) memory safety policy is an effective defense against the exploitation of userland software, but so far this approach has not been applied to the protection of the kernel itself.
In this article, we fill this gap by presenting kR^X: a kernel-hardening scheme based on execute-only memory and code diversification. We study a previously unexplored point in the design space, where neither a hypervisor nor a super-privileged component is required. Implemented mostly as a set of GCC plugins, kR^X is readily applicable to x86 Linux kernels (both 32-bit and 64-bit) and can benefit from hardware support (segmentation on x86, MPX on x86-64) to optimize performance. In full protection mode, kR^X incurs a low runtime overhead of 4.04%, which drops to 2.32% when MPX is available, and 1.32% when memory segmentation is in use.
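The abstract's central invariant is the R^X policy: code may be executed but never read, on top of the more familiar W^X rule that code is never writable. The following audit script is an added example, not code from the kR^X paper or its GCC plugins; it parses a constructed /proc/PID/maps-style listing (the region addresses, paths and the `--xp` execute-only mapping are all made up) and reports every region that breaks W^X or R^X. It illustrates the policy at the level of a memory-map listing; kR^X enforces it inside the kernel, which this user-space check does not reproduce.

```python
"""Audit a memory-map listing against W^X and R^X (read XOR execute).

Added example, not the kR^X implementation. Two invariants are checked:
  W^X: no region is both writable and executable;
  R^X: no executable region is readable (the stricter, execute-only policy
       that denies a JIT-ROP attacker the ability to read code pages and
       harvest gadgets from them after a memory disclosure).
"""
import re
from dataclasses import dataclass

# /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+"
    r"(?P<perms>[rwxps-]{4})\s+[0-9a-f]+\s+\S+\s+\d+\s*(?P<path>.*)$"
)

# Constructed sample listing (hypothetical addresses, inodes and paths).
SAMPLE_MAPS = """\
00400000-00452000 r-xp 00000000 08:02 173521 /usr/bin/example
00651000-00652000 r--p 00051000 08:02 173521 /usr/bin/example
00652000-00655000 rw-p 00052000 08:02 173521 /usr/bin/example
7f3a1c000000-7f3a1c021000 rwxp 00000000 00:00 0
7f3a1e200000-7f3a1e2a0000 --xp 00000000 08:02 994223 /usr/lib/libxom.so
7ffd2a4b0000-7ffd2a4d1000 rw-p 00000000 00:00 0 [stack]
"""


@dataclass
class Region:
    start: int
    end: int
    readable: bool
    writable: bool
    executable: bool
    path: str


def parse_maps(text):
    """Parse maps-format lines into Region records; reject malformed lines."""
    regions = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MAPS_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised maps line: {line!r}")
        perms = m.group("perms")
        regions.append(Region(
            start=int(m.group("start"), 16),
            end=int(m.group("end"), 16),
            readable=perms[0] == "r",
            writable=perms[1] == "w",
            executable=perms[2] == "x",
            path=m.group("path").strip(),
        ))
    return regions


def check_policy(regions, policy="rx"):
    """Return [(rule, region)] for every violating region.

    policy="wx" flags only writable+executable regions; policy="rx" also
    flags readable+executable regions, because readable code is exactly
    what code-reuse payload construction needs to inspect.
    """
    violations = []
    for r in regions:
        if r.executable and r.writable:
            violations.append(("W^X", r))
        elif policy == "rx" and r.executable and r.readable:
            violations.append(("R^X", r))
    return violations


def audit(text, policy="rx"):
    """Convenience wrapper: (rule, 'start-end', path) tuples for a listing."""
    return [(rule, f"{r.start:x}-{r.end:x}", r.path)
            for rule, r in check_policy(parse_maps(text), policy)]


if __name__ == "__main__":
    for rule, rng, path in audit(SAMPLE_MAPS, "rx"):
        print(f"{rule} violation: {rng} {path or '(anonymous)'}")
```

Running it on the constructed listing reports the conventional `r-xp` text segment as an R^X violation and the anonymous `rwxp` region as a W^X violation, while the `--xp` region passes both rules: under an execute-only regime every code mapping would look like that last line.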