Drop the ROP: Fine-Grained Control-Flow Integrity for the Linux Kernel

Presented at Black Hat Asia 2017, March 30, 2017, 3:30 p.m. (60 minutes)

<div>The introduction of W^X memory policies and the subsequent mitigation of return-to-user attacks blunted code injection as a technique for exploiting kernel-level vulnerabilities, making return-oriented programming (ROP) one of the most prominent threats to system security. Control-Flow Integrity (CFI) is an effective defense against ROP, but despite many refinements over the past decade and its recent deployment for the protection of user-space applications, it has received significantly less attention in the kernel setting. The few existing kernel-level CFI proposals either apply an overly permissive coarse-grained policy, which sophisticated ROP attacks can bypass, or do not support dynamically loadable kernel modules.</div><div><br></div><div>We present the design and implementation of kCFI, a pure CFI implementation with fine granularity for commodity operating systems (OS), and the first of its kind capable of fully supporting the Linux kernel. By combining static analysis at both the source-code and binary level, kCFI generates a more restrictive CFI policy than previous proposals. By injecting control-flow checks into kernel binaries at compilation time, kCFI enforces this policy without breaking any OS feature. kCFI also does not rely on memory secrecy to enforce its policy, so it remains effective in the presence of memory disclosure attacks. The observed overheads are 8% and 2% for micro- and macro-benchmarks, respectively.</div>
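The kind of label-based check the abstract refers to (control-flow checks injected at compilation time, enforcing a policy that does not depend on memory secrecy) can be sketched in plain C. The block below is an added illustration written for this page, not kCFI's own code or its instrumentation: it models labels as entries in a lookup table instead of constants emitted into function prologues, and the function names, target classes and call-site IDs (CLASS_FILTER, CLASS_PRIV, SITE_IOCTL and so on) are hypothetical. It contrasts a coarse-grained forward-edge policy (any function entry is a valid target) with a fine-grained one (the target's label must match the class the call site expects), and adds a return-edge check against the set of callers a static analysis would compute.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Hypothetical model of label-based CFI, written for illustration only
 * (not kCFI's code). Static analysis assigns a label to every indirect
 * call target and every return site; at run time the check compares the
 * label found at the destination with the label the source expects.
 * Labels are not secret: an attacker who can read all of memory still
 * cannot forge one, because labels live in read-only code, not in the
 * writable pointer the attacker corrupts.
 */

typedef int (*handler_fn)(int);

/* Target classes a (hypothetical) static analysis assigned. */
enum { CLASS_FILTER = 0x1001, CLASS_PRIV = 0x2002 };

static int add_one(int x)    { return x + 1; }
static int square(int x)     { return x * x; }
static int grant_root(int u) { (void)u; return 0; }   /* privileged path */
static int gadget(int x)     { return x; }            /* stands in for a
                                                         mid-function address */

/* Table standing in for labels embedded in function prologues. */
static const struct { uint32_t label; handler_fn fn; } targets[] = {
    { CLASS_FILTER, add_one },
    { CLASS_FILTER, square },
    { CLASS_PRIV,   grant_root },
};

/* Read the label at a prospective target; fails for any address that is
   not a function entry, such as a ROP/JOP gadget in the middle of one. */
static bool cfi_label_of(handler_fn fn, uint32_t *label) {
    for (size_t i = 0; i < sizeof targets / sizeof targets[0]; i++)
        if (targets[i].fn == fn) { *label = targets[i].label; return true; }
    return false;
}

/* Coarse-grained policy: any function entry is an acceptable target. */
static bool cfi_check_coarse(handler_fn fn) {
    uint32_t l;
    return cfi_label_of(fn, &l);
}

/* Fine-grained policy: the target's label must equal the call site's. */
static bool cfi_check_fine(handler_fn fn, uint32_t expected) {
    uint32_t l;
    return cfi_label_of(fn, &l) && l == expected;
}

/* A function pointer kept in writable memory, like a kernel ops table. */
struct dispatcher { handler_fn cb; };

/* Instrumented indirect call site whose static class is CLASS_FILTER.
   Returns the callback's result, or -1 when the policy blocks the call. */
static int call_filter(const struct dispatcher *d, int v, bool fine) {
    bool ok = fine ? cfi_check_fine(d->cb, CLASS_FILTER)
                   : cfi_check_coarse(d->cb);
    return ok ? d->cb(v) : -1;
}

/* Return-edge policy: for each function, the call sites that static
   analysis found calling it. Returning anywhere else is rejected. */
enum { SITE_MAIN = 1u << 0, SITE_IOCTL = 1u << 1, SITE_WRITE = 1u << 2 };
enum { FN_COPY = 0, FN_LOOKUP = 1 };
static const uint32_t legit_ret_sites[] = {
    [FN_COPY]   = SITE_IOCTL | SITE_WRITE,
    [FN_LOOKUP] = SITE_MAIN,
};
static bool cfi_check_ret(unsigned callee, uint32_t ret_site) {
    return (legit_ret_sites[callee] & ret_site) != 0;
}

/* Legitimate use: the site calls a CLASS_FILTER function. */
static int legit_call(bool fine) {
    struct dispatcher d = { square };
    return call_filter(&d, 42, fine);
}

/* Attacker overwrites the pointer with grant_root (a real function entry,
   so a coarse policy accepts it) after leaking every label in memory. */
static int hijack_blocked(bool fine) {
    struct dispatcher d = { add_one };
    d.cb = grant_root;                        /* corrupted pointer */
    return call_filter(&d, 42, fine) == -1;
}

/* Attacker points at an address that is not a function entry at all. */
static int gadget_blocked(bool fine) {
    struct dispatcher d = { add_one };
    d.cb = gadget;                            /* corrupted pointer */
    return call_filter(&d, 42, fine) == -1;
}

int main(void) {
    printf("legit call (fine): %d\n", legit_call(true));
    printf("hijack blocked coarse=%d fine=%d\n",
           hijack_blocked(false), hijack_blocked(true));
    printf("gadget blocked coarse=%d fine=%d\n",
           gadget_blocked(false), gadget_blocked(true));
    printf("copy may return to ioctl site: %d, to main site: %d\n",
           cfi_check_ret(FN_COPY, SITE_IOCTL), cfi_check_ret(FN_COPY, SITE_MAIN));
    return 0;
}
```

The coarse policy stops the gadget but lets the attacker redirect the filter callback to grant_root, because any function entry is a valid target; the fine-grained policy rejects it because grant_root carries a different label. Note that a fine-grained policy is only as tight as its classes: two functions in the same class remain interchangeable at that site, which is why the abstract stresses combining source-level and binary-level analysis to shrink the class sizes.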

Presenters:

  • João Moreira - Ph.D. Student, University of Campinas
    João Moreira is a systems security researcher from the University of Campinas (UNICAMP). During his Ph.D., João worked on protection mechanisms against control-flow hijacking in kernel space, which led to kCFI, the first pure fine-grained Control-Flow Integrity implementation fully capable of supporting the Linux kernel. João has also collaborated with the Nmap project and spoken at the H2HC and Ekoparty hacking conferences.
