Beyond the Edges of Kernel Control-Flow Hijacking Protection with HEK-CFI

Lukas Maar, Pascal Nasahl, Stefan Mangard

Publication: Contribution to book/report/conference proceedings › Conference contribution › Peer-reviewed

Abstract

Over the past decade, vulnerabilities in the Linux kernel have more than doubled, allowing control-flow hijacking attacks that compromise the entire system. To thwart these attacks, Control-Flow Integrity (CFI) has emerged as the state of the art. However, existing kernel CFI schemes are still limited in providing protection against these attacks, e.g., during system events and for return addresses.

In this paper, we introduce Hardware-Enforced Kernel Control-Flow Integrity (HEK-CFI), a novel approach that protects control-flow-related data during system events, as well as function pointers and return addresses, effectively mitigating control-flow hijacking attacks. HEK-CFI leverages Intel CET, specifically write-protected pages used by its shadow stack design, along with signature-based CFI to safeguard this data. To demonstrate its effectiveness, we implement a proof-of-concept and perform a case study on the Linux kernel v5.18. In our case study, HEK-CFI eliminates all illegal backward-edge targets and reduces forward-edge targets by more than 50 % compared to all existing kernel CFI schemes. We evaluate our proof-of-concept on real hardware and observe a performance overhead of 12.3 % for micro benchmarks and 1.85 % for macro benchmarks. In summary, HEK-CFI is the first solution to provide protection for both system events and return addresses. HEK-CFI also generically reduces forward control-flow targets and the performance overhead compared to existing solutions.
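
The forward-edge half of the scheme sketched above, signature-based CFI on function pointers, as an added illustration that is not code from the paper or its proof-of-concept: every function carries a tag derived from its prototype, and every indirect call site checks the callee's tag against the prototype it expects before dispatching. The FNV-1a tag hash, the simulated signature table and the sample callbacks (read_impl, read_other, cleanup_impl, escalate) are assumptions made for this example; the Intel CET shadow-stack part and the system-event protection are not modelled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Generic function-pointer type used only for comparing addresses; a call
 * always goes through a pointer of the callee's real type. */
typedef void (*generic_fn)(void);

/* Signature tag: FNV-1a over a canonical prototype string. Assumption for
 * this example: a real compiler pass hashes the mangled prototype and emits
 * the tag at each function entry; here the tags live in a table instead. */
static uint32_t cfi_sig(const char *type_str)
{
    uint32_t h = 2166136261u;
    for (const unsigned char *p = (const unsigned char *)type_str; *p; p++) {
        h ^= *p;
        h *= 16777619u;
    }
    return h;
}

/* Sample callbacks (constructed for the example). read_impl and read_other
 * share the prototype int(int); cleanup_impl and escalate are void(void). */
static int  read_impl(int x)   { return x + 1; }
static int  read_other(int x)  { return x * 2; }
static void cleanup_impl(void) { }
static void escalate(void)     { }   /* the target an attacker would want */

typedef int (*read_fn)(int);

/* Simulated compiler-emitted signature table. In a deployment the tags
 * must sit in read-only memory; a data-only write primitive that could
 * retag a function would otherwise defeat the check. */
static const struct { generic_fn fn; const char *type; } cfi_table[] = {
    { (generic_fn)read_impl,    "int(int)"   },
    { (generic_fn)read_other,   "int(int)"   },
    { (generic_fn)cleanup_impl, "void(void)" },
    { (generic_fn)escalate,     "void(void)" },
};

/* Look up the tag of a call target. Returns 0 and leaves *sig untouched when
 * the address is not a function entry at all (e.g. a gadget inside a body). */
static int cfi_target_sig(generic_fn target, uint32_t *sig)
{
    for (size_t i = 0; i < sizeof cfi_table / sizeof cfi_table[0]; i++) {
        if (cfi_table[i].fn == target) {
            *sig = cfi_sig(cfi_table[i].type);
            return 1;
        }
    }
    return 0;
}

/* The check a compiler would inline before every indirect call: the callee's
 * tag must equal the tag of the prototype the call site expects.
 * Returns 1 when the call may proceed, 0 on a CFI violation. */
static int cfi_check(generic_fn target, const char *expected_type)
{
    uint32_t sig;
    if (!cfi_target_sig(target, &sig))
        return 0;
    return sig == cfi_sig(expected_type);
}

/* An ops table with a function pointer, the shape kernel ops structs have. */
struct ops { read_fn read; };

/* Guarded dispatch through ops->read: on success stores the callee's result
 * in *out and returns 1; on a violation returns 0 without calling anything. */
static int ops_read(const struct ops *o, int arg, int *out)
{
    if (!cfi_check((generic_fn)o->read, "int(int)")) {
        fprintf(stderr, "CFI violation: ops->read is not an int(int) function\n");
        return 0;
    }
    *out = o->read(arg);
    return 1;
}

/* Scenario: an attacker with a kernel write primitive overwrites ops.read.
 * Returns how many of the three overwrites the check blocked. */
static int demo(void)
{
    struct ops o = { read_impl };
    int out = 0, blocked = 0;

    ops_read(&o, 41, &out);                              /* legitimate, out == 42 */

    o.read = (read_fn)escalate;                          /* wrong prototype */
    if (!ops_read(&o, 41, &out)) blocked++;

    o.read = (read_fn)((uintptr_t)read_impl + 1);        /* mid-function gadget */
    if (!ops_read(&o, 41, &out)) blocked++;

    o.read = read_other;                                 /* same prototype: passes */
    if (!ops_read(&o, 41, &out)) blocked++;

    return blocked;                                      /* 2 */
}

int main(void)
{
    printf("blocked %d of 3 hijacked calls\n", demo());
    return 0;
}
```

Note that the redirect to read_other is accepted: under plain signature-based CFI every function with the expected prototype remains a valid target, so the attacker's choice is narrowed to that set rather than eliminated. That residual forward-edge target set is what the abstract reports HEK-CFI shrinking by more than half compared with existing kernel CFI schemes; the backward edge (return addresses) is handled separately by the CET shadow stack, which this example does not model.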
Original language: English
Title: ACM Asia Conference on Computer and Communications Security (ASIA CCS ’24)
Number of pages: 17
ISBN (electronic): 979-8-4007-0482-6
Publication status: Accepted/In press - 1 July 2024
Event: 19th ACM ASIA Conference on Computer and Communications Security: ACM ASIACCS 2024 - Singapore, Singapore
Duration: 1 July 2024 to 5 July 2024

Publication series

Name: ACM International Conference Proceeding Series

Conference

Conference: 19th ACM ASIA Conference on Computer and Communications Security
Short title: ACM ASIACCS 2024
Country/Territory: Singapore
City: Singapore
Period: 1/07/24 to 5/07/24
