ABSTRACT
The number of Linux kernel vulnerabilities discovered has increased drastically over the past years. In the kernel, even simple memory safety vulnerabilities can have devastating consequences, e.g., compromising the entire system. Efforts to mitigate these vulnerabilities have so far focused mainly on control-flow hijacking attacks in the kernel. Yet, data-oriented attacks remain largely unmitigated in practice as existing mitigations are limited in providing robust security guarantees at reasonable performance overhead for multiple sensitive data objects.
In this paper, we present DOmain Protection Enforcement (DOPE), a novel kernel mitigation to protect against data-oriented attacks leveraging Intel’s new hardware feature PKS. DOPE enforces domain protection, restricting memory access to sensitive data during kernel space execution based on the principle of least privilege. Hence, in case of an exploitable kernel bug, an attacker is prevented from using sensitive data for privilege escalation. We demonstrate DOPE’s effectiveness and usefulness by implementing a proof-of-concept, protecting eight selected sensitive data objects. The proof-of-concept is realized as compiler-assisted and hardware-enforced kernel mitigation. It consists of less than 5000 lines of code on the Linux kernel 5.19 and LLVM clang 15.0.1. Our evaluation on real hardware shows an average runtime overhead of for real-world user applications. Lastly, we systematically analyze 11 state-of-the-art kernel mitigations against data-oriented attacks and illustrate that DOPE is a significant improvement in terms of security with respect to performance.
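The abstract describes the mechanism only at a high level: a protection-key register gates every kernel access to a tagged page, and DOPE keeps the keys of sensitive objects closed except inside the instrumented code that is allowed to touch them. The following C program is an added illustrative model of that check and is not DOPE's code or any part of the Linux kernel; it assumes the documented protection-key register layout (two bits per key, an access-disable bit followed by a write-disable bit, key 0 as the default domain) and uses hypothetical names (`pks_allows`, `pks_open`, `authorized_set`, `stray_set`) and a constructed `tagged_page` standing in for a sensitive object such as a credential structure.

```c
/* Illustrative software model of PKS-style domain protection (added example,
 * not DOPE's implementation). Register layout assumed from the PKRU/PKRS
 * format: for key k, bit 2k = AD (access disable), bit 2k+1 = WD (write
 * disable). Key 0 is the default domain and stays open. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define PKS_NUM_KEYS 16
#define PKS_AD(k) (1u << (2 * (k)))
#define PKS_WD(k) (1u << (2 * (k) + 1))

typedef uint32_t pkrs_t;   /* simulated protection-key register value */

/* Least-privilege default: every non-zero key is access-disabled, so code
 * that has not been granted a domain can neither read nor write it. */
static pkrs_t pks_default(void) {
    pkrs_t v = 0;
    for (unsigned k = 1; k < PKS_NUM_KEYS; k++) v |= PKS_AD(k);
    return v;
}

/* The hardware-side check: may a read (write=false) or write (write=true)
 * to a page tagged with `key` proceed under register value `pkrs`? */
static bool pks_allows(pkrs_t pkrs, unsigned key, bool write) {
    if (key >= PKS_NUM_KEYS) return false;        /* no such key */
    if (pkrs & PKS_AD(key)) return false;         /* all access disabled */
    if (write && (pkrs & PKS_WD(key))) return false;
    return true;
}

/* Domain switch around an authorized access: open one key for read+write,
 * then close it again. Only these two edits to the register ever happen. */
static pkrs_t pks_open(pkrs_t pkrs, unsigned key) { return pkrs & ~(PKS_AD(key) | PKS_WD(key)); }
static pkrs_t pks_close(pkrs_t pkrs, unsigned key) { return pkrs | PKS_AD(key); }

/* Constructed stand-in for a sensitive kernel object living on a tagged page. */
struct tagged_page { unsigned key; uint32_t word; };

/* Memory accesses routed through the check; -1 models a protection fault. */
static int pks_store(pkrs_t pkrs, struct tagged_page *p, uint32_t val) {
    if (!pks_allows(pkrs, p->key, true)) return -1;
    p->word = val;
    return 0;
}
static int pks_load(pkrs_t pkrs, const struct tagged_page *p, uint32_t *out) {
    if (!pks_allows(pkrs, p->key, false)) return -1;
    *out = p->word;
    return 0;
}

/* Authorized path: the instrumented function opens the object's domain only
 * for the duration of the store. */
static int authorized_set(struct tagged_page *p, uint32_t val) {
    pkrs_t pkrs = pks_open(pks_default(), p->key);
    int rc = pks_store(pkrs, p, val);
    pkrs = pks_close(pkrs, p->key);
    (void)pkrs;
    return rc;
}

/* Any other kernel code runs with the default register, so a corrupted
 * pointer landing on the object faults instead of overwriting it. */
static int stray_set(struct tagged_page *p, uint32_t val) {
    return pks_store(pks_default(), p, val);
}

/* Returns 1 when the stray write faults, the authorized write lands, and a
 * read from the default domain also faults. */
static int demo(void) {
    struct tagged_page cred = { .key = 1, .word = 1000 };
    uint32_t seen = 0;
    if (stray_set(&cred, 0) != -1 || cred.word != 1000) return 0;
    if (authorized_set(&cred, 0) != 0 || cred.word != 0) return 0;
    if (pks_load(pks_default(), &cred, &seen) != -1) return 0;
    return 1;
}

int main(void) {
    printf("domain protection model: %s\n", demo() ? "ok" : "FAIL");
    return demo() ? 0 : 1;
}
```

The model makes the security argument of the abstract concrete: the protected object is unreadable and unwritable from the default domain, and the only code that can reach it is the code that performs the explicit open/close pair. In real hardware the register update is a privileged MSR write rather than a local variable, which is why a compiler pass that inserts the switches, and a guarantee that no other kernel code can write that register, are both part of the design.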
Index Terms
- DOPE: DOmain Protection Enforcement with PKS