SHARD: Fine-Grained Kernel Specialization with Context-Aware Hardening

With growing hardware complexity and ever-evolving user requirements, the kernel is increasingly bloated, which increases its attack surface. Despite its large size, only a small subset of the kernel code is actually required for specific applications and workloads. Kernel specialization approaches exploit this observation to either harden the kernel or restrict access to its code (debloating) on a per-application basis. However, existing approaches suffer from coarse specialization granularity and lack strict enforcement, which limits their effectiveness. This paper presents SHARD, a practical framework to enforce fine-grained kernel specialization. SHARD specializes at both the application and system call levels to significantly restrict the kernel code exposed to attackers. Furthermore, SHARD introduces context-aware hardening to dynamically enable code hardening during suspicious execution contexts. SHARD implements an instance of a context-aware hardening scheme using control-flow integrity (CFI), which provides near-native performance for non-hardened executions and strong security guarantees. Our analysis of the kernel attack surface reduction with SHARD, as well as of concrete attacks, shows that SHARD exposes 181× less kernel code than the native kernel, an order of magnitude better than existing work, and prevents 90% of the evaluated attacks. Our evaluation shows that the average performance overhead of SHARD on real-world applications is moderate: 10% to 36% on NGINX, 3% to 10% on Redis, and 0% to 2.7% on the SPEC CPU 2006 benchmarks.
