Introducing CFI into the Linux Kernel

Supervisor(s): Sergej Proskurin
Status: finished
Topic: Integrity Measures (CFI etc.)
Author: Charlie Pascal Groh
Submission: 2019-09-16
Type of Thesis: Master's thesis

Description

OS kernels are a worthwhile target for adversaries because exploiting them is a convenient way to gain root privileges. Furthermore, due to the huge code base and monolithic design of most kernels, they often contain vulnerabilities, and although state-of-the-art kernels implement several self-protection mechanisms, modern kernel exploits are still able to circumvent or break all of them. To achieve this, attackers leverage code-reuse attacks, which tamper with the control flow and abuse existing code to execute arbitrary instruction sequences.

To defend against code-reuse attacks, control-flow integrity (CFI) protects the genuine control flow against hijacking attempts. For x86 processors, Intel aims to provide hardware-accelerated CFI via the Intel CET extension. In particular, it enforces that the targets of indirect jumps and calls are marked with a newly introduced instruction, and it uses a shadow stack to protect the control flow on function returns. However, up to now Intel has only released a specification, and no processor implements it yet.

In this thesis, we overcome this issue and enhance the security of existing systems by hardening the Linux kernel with a CFI scheme that provides security guarantees similar to those of Intel CET but can be deployed on legacy hardware. To achieve backward-edge CFI, we patch the Linux source code to create shadow stacks for the ordinary stacks in the kernel, and we modify GCC to instrument function prologues and epilogues with code that uses the new shadow stack to duplicate the return address. Moreover, we achieve forward-edge CFI by using GCC to instrument indirect jumps and calls with checks that restrict them to compile-time defined jump targets. Furthermore, we develop a new, cryptographic approach that protects shadow stacks against malicious modifications by leveraging a hash chain to detect manipulations of return addresses. Finally, we evaluate our CFI scheme on two benchmark suites and report an average overhead of 1.12% for our forward-edge CFI scheme, 4.50% for the shadow stack without protection against modifications, and 78.09% for the hash chain based integrity guard.
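A simplified model of the hash-chain-protected shadow stack described above, added here as an illustration and not taken from the thesis: the concrete chain construction (each push folds the return address into a running head value that is assumed to live outside attacker-writable memory, e.g. a register) and the FNV-1a stand-in hash are assumptions, since the page does not give the thesis's exact design.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define SS_DEPTH 64

/* Simulated shadow stack. Each slot holds the duplicated return address and
 * the chain head that was current before that push. The head is modelled as
 * a field; the scheme assumes it lives where a kernel memory-write primitive
 * cannot reach (e.g. a register). This is an assumption, not from the page. */
struct shadow_stack {
    uintptr_t ret[SS_DEPTH];
    uint64_t  prev[SS_DEPTH];
    size_t    top;
    uint64_t  head;
};

/* One chain link: head' = H(head || ret). FNV-1a keeps the example
 * self-contained; a real integrity guard needs a cryptographic hash. */
static uint64_t chain_link(uint64_t head, uintptr_t ret)
{
    uint64_t h = 0xcbf29ce484222325ULL ^ head;
    for (size_t i = 0; i < sizeof ret; i++) {
        h ^= (ret >> (8 * i)) & 0xff;
        h *= 0x100000001b3ULL;
    }
    return h;
}

void ss_init(struct shadow_stack *ss) { *ss = (struct shadow_stack){0}; }

/* Instrumented prologue: duplicate the return address and extend the chain. */
bool ss_push(struct shadow_stack *ss, uintptr_t ret)
{
    if (ss->top >= SS_DEPTH) return false;
    ss->ret[ss->top] = ret;
    ss->prev[ss->top] = ss->head;
    ss->head = chain_link(ss->head, ret);
    ss->top++;
    return true;
}

/* Instrumented epilogue: recompute the link from the stored slot and check it
 * against the protected head (detects edits to the shadow stack), then compare
 * the shadow copy with the ordinary-stack return address (detects hijacking). */
bool ss_pop(struct shadow_stack *ss, uintptr_t stack_ret)
{
    if (ss->top == 0) return false;
    size_t i = ss->top - 1;
    if (chain_link(ss->prev[i], ss->ret[i]) != ss->head) return false;
    if (ss->ret[i] != stack_ret) return false;
    ss->head = ss->prev[i];
    ss->top--;
    return true;
}
```

A failed `ss_pop` leaves the shadow stack untouched, which is where a kernel implementation would raise its CFI violation instead of returning.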