TY - GEN
T1 - KŘX
T2 - 12th European Conference on Computer Systems, EuroSys 2017
AU - Pomonis, Marios
AU - Petsios, Theofilos
AU - Keromytis, Angelos D.
AU - Polychronakis, Michalis
AU - Kemerlis, Vasileios P.
N1 - Publisher Copyright: © 2017 Copyright held by the owner/author(s).
PY - 2017/4/23
Y1 - 2017/4/23
N2 - The abundance of memory corruption and disclosure vulnerabilities in kernel code necessitates the deployment of hardening techniques to prevent privilege escalation attacks. As more strict memory isolation mechanisms between the kernel and user space, like Intel's SMEP, become commonplace, attackers increasingly rely on code reuse techniques to exploit kernel vulnerabilities. Contrary to similar attacks in more restrictive settings, such as web browsers, in kernel exploitation, non-privileged local adversaries have great flexibility in abusing memory disclosure vulnerabilities to dynamically discover, or infer, the location of certain code snippets and construct code-reuse payloads. Recent studies have shown that the coupling of code diversification with the enforcement of a "read XOR execute" (ŘX) memory safety policy is an effective defense against the exploitation of userland software, but so far this approach has not been applied for the protection of the kernel itself. In this paper, we fill this gap by presenting kŘX: a kernel hardening scheme based on execute-only memory and code diversification. We study a previously unexplored point in the design space, where a hypervisor or a super-privileged component is not required. Implemented mostly as a set of GCC plugins, kŘX is readily applicable to the x86-64 Linux kernel and can benefit from hardware support (e.g., MPX on modern Intel CPUs) to optimize performance. In full protection mode, kŘX incurs a low runtime overhead of 4.04%, which drops to 2.32% when MPX is available.
AB - The abundance of memory corruption and disclosure vulnerabilities in kernel code necessitates the deployment of hardening techniques to prevent privilege escalation attacks. As more strict memory isolation mechanisms between the kernel and user space, like Intel's SMEP, become commonplace, attackers increasingly rely on code reuse techniques to exploit kernel vulnerabilities. Contrary to similar attacks in more restrictive settings, such as web browsers, in kernel exploitation, non-privileged local adversaries have great flexibility in abusing memory disclosure vulnerabilities to dynamically discover, or infer, the location of certain code snippets and construct code-reuse payloads. Recent studies have shown that the coupling of code diversification with the enforcement of a "read XOR execute" (ŘX) memory safety policy is an effective defense against the exploitation of userland software, but so far this approach has not been applied for the protection of the kernel itself. In this paper, we fill this gap by presenting kŘX: a kernel hardening scheme based on execute-only memory and code diversification. We study a previously unexplored point in the design space, where a hypervisor or a super-privileged component is not required. Implemented mostly as a set of GCC plugins, kŘX is readily applicable to the x86-64 Linux kernel and can benefit from hardware support (e.g., MPX on modern Intel CPUs) to optimize performance. In full protection mode, kŘX incurs a low runtime overhead of 4.04%, which drops to 2.32% when MPX is available.
KW - Code diversification
KW - Execute-only memory
UR - https://www.scopus.com/pages/publications/85019244937
U2 - 10.1145/3064176.3064216
DO - 10.1145/3064176.3064216
M3 - Conference contribution
T3 - Proceedings of the 12th European Conference on Computer Systems, EuroSys 2017
SP - 420
EP - 436
BT - Proceedings of the 12th European Conference on Computer Systems, EuroSys 2017
PB - Association for Computing Machinery, Inc
Y2 - 23 April 2017 through 26 April 2017
ER -