DOI: 10.1145/3627106.3627113
Research article, Open Access
Artifacts Evaluated & Functional / v1.1

DOPE: DOmain Protection Enforcement with PKS

Published: 04 December 2023

ABSTRACT

The number of Linux kernel vulnerabilities discovered has increased drastically over the past years. In the kernel, even simple memory safety vulnerabilities can have devastating consequences, e.g., compromising the entire system. Efforts to mitigate these vulnerabilities have so far focused mainly on control-flow hijacking attacks in the kernel. Yet, data-oriented attacks remain largely unmitigated in practice as existing mitigations are limited in providing robust security guarantees at reasonable performance overhead for multiple sensitive data objects.

In this paper, we present DOmain Protection Enforcement (DOPE), a novel kernel mitigation against data-oriented attacks that leverages Intel's new hardware feature PKS (Protection Keys for Supervisor). DOPE enforces domain protection: following the principle of least privilege, it restricts memory access to sensitive data during kernel-space execution, so that even in the presence of an exploitable kernel bug an attacker is prevented from using that data for privilege escalation. We demonstrate DOPE's effectiveness and usefulness with a proof-of-concept that protects eight selected sensitive data objects. The proof-of-concept is realized as a compiler-assisted and hardware-enforced kernel mitigation and consists of less than 5000 lines of code on Linux kernel 5.19 and LLVM clang 15.0.1. Our evaluation on real hardware shows an average runtime overhead of for real-world user applications. Lastly, we systematically analyze 11 state-of-the-art kernel mitigations against data-oriented attacks and illustrate that DOPE is a significant improvement in security relative to its performance cost.
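To make the domain-protection idea concrete, the following is an added user-space model of how protection keys gate access to a sensitive kernel object; it is not DOPE's code and does not reproduce the paper's compiler instrumentation. It models the IA32_PKRS register layout (for key k, bit 2k is access-disable and bit 2k+1 is write-disable, the same format as PKRU), keeps the register in a plain variable instead of using rdmsr/wrmsr, and reports a denied access where real hardware would raise a page fault. The key assignment (`PKEY_CRED` for credential data) and the `update_cred` access window are assumptions for illustration, since the page does not describe DOPE's actual key layout.

```c
/* Added example: user-space model of PKS-based domain protection.
 * Not the paper's implementation; key numbering and object names are
 * constructed for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PKS_NUM_KEYS 16
/* IA32_PKRS / PKRU bit layout: AD = bit 2k, WD = bit 2k+1 for key k. */
#define PKS_AD(k) (1u << (2 * (k)))
#define PKS_WD(k) (1u << (2 * (k) + 1))

/* Simulated IA32_PKRS register (stand-in for the MSR on real hardware). */
static uint32_t pkrs;

/* Assumed key assignment: key 0 for ordinary kernel data, key 1 for
 * credential-like sensitive data. */
enum { PKEY_DEFAULT = 0, PKEY_CRED = 1 };

/* A sensitive object, tagged with the protection key of its page. */
struct object {
    unsigned key;
    uint32_t value;
};

/* Baseline register value: every non-default key is access- and
 * write-disabled, which is the least-privilege resting state. */
static uint32_t pks_restrictive_mask(void) {
    uint32_t m = 0;
    for (unsigned k = 1; k < PKS_NUM_KEYS; k++)
        m |= PKS_AD(k) | PKS_WD(k);
    return m;
}

/* Permission check performed by the MMU on real hardware. */
static bool pks_allows(uint32_t reg, unsigned key, bool write) {
    if (reg & PKS_AD(key))
        return false;                 /* all accesses disabled */
    if (write && (reg & PKS_WD(key)))
        return false;                 /* writes disabled */
    return true;
}

/* Accessors: return false where hardware would fault. */
static bool obj_read(const struct object *o, uint32_t *out) {
    if (!pks_allows(pkrs, o->key, false))
        return false;
    *out = o->value;
    return true;
}

static bool obj_write(struct object *o, uint32_t v) {
    if (!pks_allows(pkrs, o->key, true))
        return false;
    o->value = v;
    return true;
}

/* Sanctioned update path: open exactly one key for the duration of a
 * legitimate write, then restore the restrictive state. */
static bool update_cred(struct object *cred, uint32_t new_uid) {
    uint32_t saved = pkrs;
    pkrs = saved & ~(PKS_AD(PKEY_CRED) | PKS_WD(PKEY_CRED));
    bool ok = obj_write(cred, new_uid);
    pkrs = saved;
    return ok;
}

/* Scenario: an access from outside the sanctioned window (what a
 * memory-corruption bug would produce) is denied, while the
 * sanctioned path succeeds and leaves the register restrictive. */
static bool demo_domain_protection(void) {
    struct object cred = { PKEY_CRED, 1000 };
    uint32_t leaked = 0;
    pkrs = pks_restrictive_mask();

    bool stray_read  = obj_read(&cred, &leaked);   /* expected: denied */
    bool stray_write = obj_write(&cred, 0);        /* expected: denied */
    bool legit       = update_cred(&cred, 0);      /* expected: allowed */

    return !stray_read && !stray_write && legit
        && cred.value == 0 && pkrs == pks_restrictive_mask();
}

int main(void) {
    printf("domain protection model behaves as expected: %s\n",
           demo_domain_protection() ? "yes" : "no");
    return 0;
}
```

On real hardware the register write in `update_cred` is a `wrmsr` to IA32_PKRS and the checks in `obj_read`/`obj_write` happen in the MMU, so the model's boolean returns correspond to page faults. The point the model makes is the one the abstract states: sensitive data is unreachable by default, and only the sanctioned code path briefly gains access.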


Published in

ACSAC '23: Proceedings of the 39th Annual Computer Security Applications Conference
December 2023, 836 pages
ISBN: 9798400708862
DOI: 10.1145/3627106

Copyright © 2023 Owner/Author. This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher: Association for Computing Machinery, New York, NY, United States

Published: 4 December 2023

Qualifiers: research-article, Research, Refereed limited

Acceptance rate: overall 104 of 497 submissions, 21%