Abstract:
The operating system kernel is often the security foundation of the whole system. To prevent attacks, control-flow integrity (CFI) has been proposed to ensure that no control transfer during a program's execution deviates from its control-flow graph (CFG). Existing CFI solutions either work only in user space or are coarse-grained; thus they either cannot be readily deployed in kernels or remain vulnerable to state-of-the-art attacks. In this paper, we present Fine-CFI, a system that enforces fine-grained CFI for operating system kernels. Unlike previous systems, Fine-CFI constructs the kernel's fine-grained CFG with a retrofitted context-sensitive and field-sensitive pointer analysis, then enforces CFI against this CFG. At the same time, Fine-CFI comprehensively protects the control data in the kernel's interrupt context. Combining these two protections defeats ret2usr and kernel code-reuse attacks. We have developed a compiler-based prototype and implemented the technique in the Linux 3.14 kernel. Our evaluation indicates that Fine-CFI prevents all the gadgets found by an open-source gadget-finding tool from being misused, as well as all the attacks from the RIPE benchmark and malicious attempts to modify control data in the interrupt context; it also reduces the number of indirect control-flow targets by 99.998%, substantially raising the bar for attackers. Our evaluation also shows that the performance overhead introduced by Fine-CFI is less than 10% on average.
Published in: IEEE Transactions on Information Forensics and Security ( Volume: 13, Issue: 6, June 2018)
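The difference between coarse-grained and fine-grained CFI that the abstract turns on can be seen at a single indirect call site. The following is an added example, not code from the paper or from the Fine-CFI prototype: a toy "kernel" dispatch routine calls through a function pointer in an ops struct, and the call is gated by two policies. The coarse-grained policy accepts any function entry point in the image; the fine-grained policy accepts only the per-call-site target set that a pointer analysis would compute (hand-constructed here as `dispatch_targets`, since no analysis is run). Function names, the ops struct and the three attack scenarios are all assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Indirect-call targets in a toy "kernel". All share one signature, so a
 * coarse-grained policy (any function entry is a valid target) cannot tell
 * them apart, while a per-call-site target set can. */
typedef int (*op_fn)(int);

static int op_read(int x)       { return x + 1; }
static int op_write(int x)      { return x * 2; }
static int op_privileged(int x) { return -x; }  /* never a legitimate target of dispatch() */
static int unrelated(int x)     { return x; }

enum cfi_verdict { CFI_OK = 0, CFI_VIOLATION = 1 };

/* Coarse-grained policy: every function entry in the image is a valid target.
 * Constructed list standing in for "all function entry points". */
static const op_fn all_entries[] = { op_read, op_write, op_privileged, unrelated };

/* Fine-grained policy: the target set a pointer analysis would compute for
 * the ops->handler call site in dispatch(). Hand-constructed assumption here;
 * a real system derives it from the CFG and emits the check at the call site. */
static const op_fn dispatch_targets[] = { op_read, op_write };

static int in_set(op_fn target, const op_fn *set, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (set[i] == target)
            return 1;
    return 0;
}

enum cfi_verdict coarse_cfi_check(op_fn target)
{
    size_t n = sizeof all_entries / sizeof all_entries[0];
    return in_set(target, all_entries, n) ? CFI_OK : CFI_VIOLATION;
}

enum cfi_verdict fine_cfi_check_dispatch(op_fn target)
{
    size_t n = sizeof dispatch_targets / sizeof dispatch_targets[0];
    return in_set(target, dispatch_targets, n) ? CFI_OK : CFI_VIOLATION;
}

struct ops { op_fn handler; };

struct dispatch_result {
    enum cfi_verdict coarse;
    enum cfi_verdict fine;
    int value;  /* result of the call if the fine-grained check passed, else 0 */
};

/* The protected call site. Both verdicts are recorded so they can be
 * compared; only the fine-grained verdict gates the actual indirect call. */
struct dispatch_result dispatch(const struct ops *o, int arg)
{
    struct dispatch_result r;
    r.coarse = coarse_cfi_check(o->handler);
    r.fine = fine_cfi_check_dispatch(o->handler);
    r.value = (r.fine == CFI_OK) ? o->handler(arg) : 0;
    return r;
}

/* Scenario 1: benign handler, accepted by both policies. */
struct dispatch_result run_benign(void)
{
    struct ops o = { op_read };
    return dispatch(&o, 20);
}

/* Scenario 2: control data overwritten to point at a whole other function.
 * This survives coarse-grained CFI and is caught only by the fine-grained set. */
struct dispatch_result run_whole_function_redirect(void)
{
    struct ops o = { op_read };
    o.handler = op_privileged;   /* simulated corruption of the function pointer */
    return dispatch(&o, 20);
}

/* Scenario 3: control data overwritten to point into the middle of a function
 * (a classic ROP/JOP gadget). Not a function entry, so both policies reject it.
 * The bogus pointer is only compared, never called. */
struct dispatch_result run_mid_function_gadget(void)
{
    struct ops o = { op_read };
    o.handler = (op_fn)((uintptr_t)op_read + 3);
    return dispatch(&o, 20);
}

int main(void)
{
    struct dispatch_result r = run_benign();
    printf("benign: coarse=%d fine=%d value=%d\n", r.coarse, r.fine, r.value);
    r = run_whole_function_redirect();
    printf("whole-function redirect: coarse=%d fine=%d\n", r.coarse, r.fine);
    r = run_mid_function_gadget();
    printf("mid-function gadget: coarse=%d fine=%d\n", r.coarse, r.fine);
    return 0;
}
```

The second scenario is the one that matters for the abstract's claims: redirecting a corrupted pointer to an unrelated but whole function is exactly what coarse-grained CFI permits and what a call-site-specific target set forbids, and shrinking each site's set from "every function" to the two or three the analysis proves reachable is the mechanism behind the reported 99.998% reduction in indirect control-flow targets.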