UniSan: Proactive Kernel Memory Initialization to Eliminate Data Leakages

Operating system kernel is the de facto trusted computing base for most computer systems. To secure the OS kernel, many security mechanisms, e.g., kASLR and StackGuard, have been increasingly deployed to defend against attacks (e.g., code reuse attack). However, the effectiveness of these protections has been proven to be inadequate-there are many information leak vulnerabilities in the kernel to leak the randomized pointer or canary, thus bypassing kASLR and StackGuard. Other sensitive data in the kernel, such as cryptographic keys and file caches, can also be leaked. According to our study, most kernel information leaks are caused by uninitialized data reads. Unfortunately, existing techniques like memory safety enforcements and dynamic access tracking tools are not adequate or efficient enough to mitigate this threat. In this paper, we propose UniSan, a novel, compiler-based approach to eliminate all information leaks caused by uninitialized read in the OS kernel. UniSan achieves this goal using byte-level, flow-sensitive, context-sensitive, and field-sensitive initialization analysis and reachability analysis to check whether an allocation has been fully initialized when it leaves kernel space; if not, it automatically instruments the kernel to initialize this allocation. UniSan's analyses are conservative to avoid false negatives and are robust by preserving the semantics of the OS kernel. We have implemented UniSan as passes in LLVM and applied it to the latest Linux kernel (x86_64) and Android kernel (AArch64). Our evaluation showed that UniSan can successfully prevent 43 known and many new uninitialized data leak vulnerabilities. Further, 19 new vulnerabilities in the latest kernels have been confirmed by Linux and Google. Our extensive performance evaluation with LMBench, ApacheBench, Android benchmarks, and the SPEC benchmarks also showed that UniSan imposes a negligible performance overhead.

[1]  Angelos D. Keromytis,et al.  kGuard: Lightweight Kernel Protection against Return-to-User Attacks , 2012, USENIX Security Symposium.

[2]  Milo M. K. Martin,et al.  CETS: compiler enforced temporal safety for C , 2010, ISMM '10.

[3]  Emery D. Berger,et al.  DieHard: probabilistic memory safety for unsafe languages , 2006, PLDI '06.

[4]  Milo M. K. Martin,et al.  SoftBound: highly compatible and complete spatial memory safety for c , 2009, PLDI '09.

[5]  Ben Niu,et al.  Modular control-flow integrity , 2014, PLDI.

[6]  Xi Chen,et al.  StackArmor: Comprehensive Protection From Stack-based Memory Error Vulnerabilities for Binaries , 2015, NDSS.

[7]  Derek Bruening,et al.  AddressSanitizer: A Fast Address Sanity Checker , 2012, USENIX Annual Technical Conference.

[8]  Crispan Cowan,et al.  StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks , 1998, USENIX Security Symposium.

[9]  Nicholas Nethercote,et al.  Valgrind: a framework for heavyweight dynamic binary instrumentation , 2007, PLDI '07.

[10]  Hovav Shacham,et al.  The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86) , 2007, CCS '07.

[11]  Alfons Crespo,et al.  Detecting Stack Based Kernel Information Leaks , 2014, SOCO-CISIS-ICEUTE.

[12]  Anil Kurmus,et al.  A Tale of Two Kernels: Towards Ending Kernel Hardening Wars with Split Kernel , 2014, CCS.

[13]  James Cheney,et al.  Region-based memory management in cyclone , 2002, PLDI '02.

[14]  Úlfar Erlingsson,et al.  Enforcing Forward-Edge Control-Flow Integrity in GCC & LLVM , 2014, USENIX Security Symposium.

[15]  Tal Garfinkel,et al.  Shredding Your Garbage: Reducing Data Lifetime Through Secure Deallocation , 2005, USENIX Security Symposium.

[16]  David Brumley,et al.  All You Ever Wanted to Know about Dynamic Taint Analysis and Forward Symbolic Execution (but Might Have Been Afraid to Ask) , 2010, 2010 IEEE Symposium on Security and Privacy.

[17]  Vitaly Shmatikov,et al.  Eternal Sunshine of the Spotless Machine: Protecting Privacy with Ephemeral Channels , 2012, OSDI.

[18]  Periklis Akritidis,et al.  Cling: A Memory Allocator to Mitigate Dangling Pointers , 2010, USENIX Security Symposium.

[19]  Ben Hardekopf,et al.  The ant and the grasshopper: fast and accurate pointer analysis for millions of lines of code , 2007, PLDI '07.

[20]  Nicholas Nethercote,et al.  Using Valgrind to Detect Undefined Value Errors with Bit-Precision , 2005, USENIX Annual Technical Conference, General Track.

[21]  Milo M. K. Martin,et al.  WatchdogLite: Hardware-Accelerated Compiler-Based Pointer Checking , 2014, CGO '14.

[22]  Changwoo Min,et al.  Cross-checking semantic correctness: the case of finding file system bugs , 2015, SOSP.

[23]  Carl Staelin,et al.  lmbench: Portable Tools for Performance Analysis , 1996, USENIX Annual Technical Conference.

[24]  Sebastian Burckhardt,et al.  Effective Data-Race Detection for the Kernel , 2010, OSDI.

[25]  William R. Harris,et al.  Enforcing Kernel Security Invariants with Data Flow Integrity. , 2016, NDSS 2016.

[26]  Qin Zhao,et al.  Practical memory checking with Dr. Memory , 2011, International Symposium on Code Generation and Optimization (CGO 2011).

[27]  Angelos D. Keromytis,et al.  ret2dir: Rethinking Kernel Isolation , 2014, USENIX Security Symposium.

[28]  Jingling Xue,et al.  Accelerating Dynamic Detection of Uses of Undefined Values with Static Value-Flow Analysis , 2014, CGO '14.

[29]  Alvin Cheung,et al.  Undefined behavior: what happened to my code? , 2012, APSys.

[30]  Xi Wang,et al.  Improving Integer Security for Systems with KINT , 2012, OSDI.

[31]  Konstantin Serebryany,et al.  MemorySanitizer: Fast detector of uninitialized memory use in C++ , 2015, 2015 IEEE/ACM International Symposium on Code Generation and Optimization (CGO).

[32]  Sriram K. Rajamani,et al.  Thorough static analysis of device drivers , 2006, EuroSys.

[33]  Dinakar Dhurjati,et al.  SAFECode: enforcing alias analysis for weakly typed languages , 2005, PLDI '06.

[34]  Xi Wang,et al.  Linux kernel vulnerabilities: state-of-the-art defenses and open problems , 2011, APSys.