DROP THE ROP Fine-grained Control-flow Integrity for the Linux Kernel

The introduction of W^X memory policies and the subsequent mitigation of return-to-user attacks, has rendered return-oriented programming (ROP) the most prominent exploitation method of kernel-level vulnerabilities. Control-flow integrity (CFI) is an effective defense against ROP, but despite its many refinements during the past decade and its recent deployment for the protection of user-space applications, it has received significantly less attention for the kernel setting. The few existing kernel-level CFI proposals either apply an overly permissible coarse-grained policy or do not support dynamically loadable kernel modules, making their deployment impractical for Linux. In this paper we present the design and implementation of kCFI, a fine-grained CFI implementation for commodity operating systems (OS) that fully supports the Linux kernel. By combining static analysis at both the source code and binary level, kCFI generates and a more restrictive CFI policy compared to previous proposals that is enforced through the addition of control flow checks during compilation. The side-effects of kCFI are minimal, as it does not harm any OS functionality or feature, and achieves a lower overhead compared to previous solutions, in the order of 8% and 2% for micro and macro benchmarks, respectively.

[1]  Herbert Bos,et al.  Out of Control: Overcoming Control-Flow Integrity , 2014, 2014 IEEE Symposium on Security and Privacy.

[2]  Marco Ramilli,et al.  Return-Oriented Programming , 2012, IEEE Security & Privacy.

[3]  Hovav Shacham,et al.  On the effectiveness of address-space randomization , 2004, CCS '04.

[4]  Thomas R. Gross,et al.  Fine-Grained Control-Flow Integrity Through Binary Hardening , 2015, DIMVA.

[5]  Fan Long,et al.  Control Jujutsu: On the Weaknesses of Fine-Grained Control Flow Integrity , 2015, CCS.

[6]  Ahmad-Reza Sadeghi,et al.  Counterfeit Object-oriented Programming: On the Difficulty of Preventing Code Reuse Attacks in C++ Applications , 2015, 2015 IEEE Symposium on Security and Privacy.

[7]  Angelos D. Keromytis,et al.  Transparent ROP Exploit Mitigation Using Indirect Branch Tracing , 2013, USENIX Security Symposium.

[8]  Ahmad-Reza Sadeghi,et al.  MoCFI: A Framework to Mitigate Control-Flow Attacks on Smartphones , 2012, NDSS.

[9]  David A. Wagner,et al.  The Performance Cost of Shadow Stacks and Stack Canaries , 2015, AsiaCCS.

[10]  Clemens Kolbitsch,et al.  Kernel-mode exploits primer , 2007 .

[11]  Angelos D. Keromytis,et al.  kGuard: Lightweight Kernel Protection against Return-to-User Attacks , 2012, USENIX Security Symposium.

[12]  Xuxian Jiang,et al.  Mitigating code-reuse attacks with control-flow locking , 2011, ACSAC '11.

[13]  Hovav Shacham,et al.  When good instructions go bad: generalizing return-oriented programming to RISC , 2008, CCS.

[14]  David A. Wagner,et al.  ROP is Still Dangerous: Breaking Modern Defenses , 2014, USENIX Security Symposium.

[15]  George Neville-Neil,et al.  The Design and Implementation of the FreeBSD Operating System , 2014 .

[16]  Angelos D. Keromytis,et al.  kGuard: Lightweight Kernel Protection , 2012, login Usenix Mag..

[17]  Crispan Cowan,et al.  StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks , 1998, USENIX Security Symposium.

[18]  Chao Zhang,et al.  Protecting function pointers in binary , 2013, ASIA CCS '13.

[19]  Ben Niu,et al.  Per-Input Control-Flow Integrity , 2015, CCS.

[20]  Leyla Bilge,et al.  G-Free: defeating return-oriented programming through gadget-less binaries , 2010, ACSAC '10.

[21]  Felix C. Freiling,et al.  Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms , 2009, USENIX Security Symposium.

[22]  Thorsten Holz,et al.  Control-flow restrictor: compiler-based CFI for iOS , 2013, ACSAC.

[23]  Trent Jaeger,et al.  Fine-Grained Control-Flow Integrity for Kernel Software , 2016, 2016 IEEE European Symposium on Security and Privacy (EuroS&P).

[24]  David A. Wagner,et al.  Control-Flow Bending: On the Effectiveness of Control-Flow Integrity , 2015, USENIX Security Symposium.

[25]  Vikram S. Adve,et al.  KCoFI: Complete Control-Flow Integrity for Commodity Operating System Kernels , 2014, 2014 IEEE Symposium on Security and Privacy.

[26]  Herbert Bos,et al.  Size Does Matter: Why Using Gadget-Chain Length to Prevent Code-Reuse Attacks is Hard , 2014, USENIX Security Symposium.

[27]  Sorin Lerner,et al.  SafeDispatch: Securing C++ Virtual Calls from Memory Corruption Attacks , 2014, NDSS.

[28]  Patroklos argp Binding the Daemon : FreeBSD Kernel Stack and Heap Exploitation , 2010 .

[29]  Zhi Wang,et al.  HyperSafe: A Lightweight Approach to Provide Lifetime Hypervisor Control-Flow Integrity , 2010, 2010 IEEE Symposium on Security and Privacy.

[30]  Úlfar Erlingsson,et al.  Enforcing Forward-Edge Control-Flow Integrity in GCC & LLVM , 2014, USENIX Security Symposium.

[31]  Zhenkai Liang,et al.  Jump-oriented programming: a new class of code-reuse attack , 2011, ASIACCS '11.

[32]  Ahmad-Reza Sadeghi,et al.  Stitching the Gadgets: On the Ineffectiveness of Coarse-Grained Control-Flow Integrity Protection , 2014, USENIX Security Symposium.

[33]  Ahmad-Reza Sadeghi,et al.  Just-In-Time Code Reuse: On the Effectiveness of Fine-Grained Address Space Layout Randomization , 2013, 2013 IEEE Symposium on Security and Privacy.

[34]  Zhi Wang,et al.  Defeating return-oriented rootkits with "Return-Less" kernels , 2010, EuroSys '10.

[35]  Hovav Shacham,et al.  The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86) , 2007, CCS '07.

[36]  Robert H. Deng,et al.  ROPecker: A Generic and Practical Approach For Defending Against ROP Attacks , 2014, NDSS.

[37]  Chao Zhang,et al.  VTint: Protecting Virtual Function Tables' Integrity , 2015, NDSS.

[38]  Chao Zhang,et al.  Practical Control Flow Integrity and Randomization for Binary Executables , 2013, 2013 IEEE Symposium on Security and Privacy.

[39]  Claudia Eckert,et al.  Dynamic Hooks: Hiding Control Flow Changes within Non-Control Data , 2014, USENIX Security Symposium.

[40]  Thorsten Holz,et al.  Towards automated integrity protection of C++ virtual function tables in binary programs , 2014, ACSAC.

[41]  Dan Boneh,et al.  CCFI: Cryptographically Enforced Control Flow Integrity , 2015, CCS.

[42]  Paul A. Karger,et al.  An Augmented Capability Architecture to Support Lattice Security and Traceability of Access , 1984, 1984 IEEE Symposium on Security and Privacy.

[43]  G. Ramalingam,et al.  The undecidability of aliasing , 1994, TOPL.

[44]  Hovav Shacham,et al.  Return-oriented programming without returns , 2010, CCS '10.

[45]  Mingwei Zhang,et al.  Control Flow Integrity for COTS Binaries , 2013, USENIX Security Symposium.

[46]  G. Danezis,et al.  Combining Control-Flow Integrity and Static Analysis for Efficient and Validated Data Sandboxing , 2011 .

[47]  Angelos D. Keromytis,et al.  ret2dir: Rethinking Kernel Isolation , 2014, USENIX Security Symposium.

[48]  Angela Demke Brown,et al.  Comprehensive kernel instrumentation via dynamic binary translation , 2012, ASPLOS XVII.

[49]  Dinakar Dhurjati,et al.  Secure virtual architecture: a safe execution environment for commodity operating systems , 2007, SOSP.

[50]  Herbert Bos,et al.  ShrinkWrap: VTable Protection without Loose Ends , 2015, ACSAC 2015.

[51]  Martín Abadi,et al.  Control-flow integrity , 2005, CCS '05.

[52]  Heng Yin,et al.  vfGuard: Strict Protection for Virtual Function Calls in COTS C++ Binaries , 2015, NDSS.

[53]  Carl Staelin,et al.  lmbench: Portable Tools for Performance Analysis , 1996, USENIX Annual Technical Conference.

[54]  Ben Niu,et al.  Modular control-flow integrity , 2014, PLDI.

[55]  Moritz Contag,et al.  Evaluating the Effectiveness of Current Anti-ROP Defenses , 2014, RAID.