Abstract
Over the past decade, vulnerabilities in the Linux kernel have more than doubled, allowing control-flow hijacking attacks that compromise the entire system. To thwart these attacks, Control-Flow Integrity (CFI) has emerged as the state of the art. However, existing kernel CFI schemes are still limited in the protection they provide against these attacks, e.g., during system events and for return addresses.
In this paper, we introduce Hardware-Enforced Kernel Control-Flow Integrity (HEK-CFI), a novel approach that protects control-flow-related data during system events, as well as function pointers and return addresses, effectively mitigating control-flow hijacking attacks. HEK-CFI leverages Intel CET, specifically write-protected pages used by its shadow stack design, along with signature-based CFI to safeguard this data. To demonstrate its effectiveness, we implement a proof-of-concept and perform a case study on the Linux kernel v5.18. In our case study, HEK-CFI eliminates all illegal backward-edge targets and reduces forward-edge targets by more than 50 % compared to all existing kernel CFI schemes. We evaluate our proof-of-concept on real hardware and observe a performance overhead of 12.3 % for micro benchmarks and 1.85 % for macro benchmarks. In summary, HEK-CFI is the first solution to provide protection for both system events and return addresses. HEK-CFI also generically reduces forward control-flow targets and the performance overhead compared to existing solutions.
Original language | English |
---|---|
Title | ACM AsiaCCS 2024 - Proceedings of the 19th ACM Asia Conference on Computer and Communications Security |
Pages | 866-882 |
Number of pages | 17 |
ISBN (electronic) | 979-8-4007-0482-6 |
DOIs | |
Publication status | Published - 1 Jul 2024 |
Event | 19th ACM ASIA Conference on Computer and Communications Security: ASIACCS 2024 - Singapore, Singapore. Duration: 1 Jul 2024 → 5 Jul 2024. Conference number: 19. https://asiaccs2024.sutd.edu.sg/ |
Publication series
Name | ACM AsiaCCS 2024 - Proceedings of the 19th ACM Asia Conference on Computer and Communications Security |
---|
Conference
Conference | 19th ACM ASIA Conference on Computer and Communications Security |
---|---|
Short title | ASIACCS 2024 |
Country/Territory | Singapore |
City | Singapore |
Period | 1/07/24 → 5/07/24 |
Internet address | |
ASJC Scopus subject areas
- Computer Networks and Communications
- Computer Science Applications
- Computational Theory and Mathematics
Projects
- 1 Ongoing
- SEIZE - Secure Edge Devices for Industrial Zero-Trust Environments, 1/01/22 → 31/12/24. Project: Research project