Beyond the Edges of Kernel Control-Flow Hijacking Protection with HEK-CFI

Lukas Maar, Pascal Nasahl, Stefan Mangard

Publikation: Beitrag in Buch/Bericht/KonferenzbandBeitrag in einem KonferenzbandBegutachtung

Abstract

Over the past decade, vulnerabilities in the Linux kernel have more than doubled, allowing control-flow hijacking attacks that compromise the entire system. To thwart these attacks, Control-Flow Integrity (CFI) has emerged as state-of-the-art. However, existing kernel CFI schemes are still limited in providing protection against these attacks, e.g., during system events and for return addresses.

In this paper, we introduce Hardware-Enforced Kernel Control-Flow Integrity (HEK-CFI), a novel approach that protects control-flow-related data during system events, as well as function pointers and return addresses, effectively mitigating control-flow hijacking attacks. HEK-CFI leverages Intel CET, specifically write-protected pages used by its shadow stack design, along with signature-based CFI to safeguard this data. To demonstrate its effectiveness, we implement a proof-of-concept and perform a case study on the Linux kernel v5.18. In our case study, HEK-CFI eliminates all illegal backward-edge targets and reduces forward-edge targets by more than 50 % compared to all existing kernel CFI schemes. We evaluate our proof-of-concept on real hardware and observe a performance overhead of 12.3 % for micro benchmarks and 1.85 % for macro benchmarks. In summary, HEK-CFI is the first solution to provide protection for both system events and return addresses. HEK-CFI also generically reduces forward control-flow targets and the performance overhead compared to existing solutions.
Originalspracheenglisch
TitelACM AsiaCCS 2024 - Proceedings of the 19th ACM Asia Conference on Computer and Communications Security
Seiten866-882
Seitenumfang17
ISBN (elektronisch) 979-8-4007-0482-6
DOIs
PublikationsstatusVeröffentlicht - 1 Juli 2024
Veranstaltung19th ACM ASIA Conference on Computer and Communications Security: ASIACCS 2024 - Singapur, Singapur
Dauer: 1 Juli 20245 Juli 2024
Konferenznummer: 19
https://asiaccs2024.sutd.edu.sg/

Publikationsreihe

NameACM AsiaCCS 2024 - Proceedings of the 19th ACM Asia Conference on Computer and Communications Security

Konferenz

Konferenz19th ACM ASIA Conference on Computer and Communications Security
KurztitelASIACCS 2024
Land/GebietSingapur
OrtSingapur
Zeitraum1/07/245/07/24
Internetadresse

ASJC Scopus subject areas

  • Computernetzwerke und -kommunikation
  • Angewandte Informatik
  • Theoretische Informatik und Mathematik

Fingerprint

Untersuchen Sie die Forschungsthemen von „Beyond the Edges of Kernel Control-Flow Hijacking Protection with HEK-CFI“. Zusammen bilden sie einen einzigartigen Fingerprint.

Dieses zitieren