Beyond the Edges of Kernel Control-Flow Hijacking Protection with HEK-CFI

Lukas Maar, Pascal Nasahl, Stefan Mangard

Research output: Chapter in Book/Report/Conference proceeding › Conference paper › peer-review

Abstract

Over the past decade, vulnerabilities in the Linux kernel have more than doubled, allowing control-flow hijacking attacks that compromise the entire system. To thwart these attacks, Control-Flow Integrity (CFI) has emerged as the state of the art. However, existing kernel CFI schemes are still limited in the protection they provide against these attacks, e.g., during system events and for return addresses.

In this paper, we introduce Hardware-Enforced Kernel Control-Flow Integrity (HEK-CFI), a novel approach that protects control-flow-related data during system events, as well as function pointers and return addresses, effectively mitigating control-flow hijacking attacks. HEK-CFI leverages Intel CET, specifically write-protected pages used by its shadow stack design, along with signature-based CFI to safeguard this data. To demonstrate its effectiveness, we implement a proof-of-concept and perform a case study on the Linux kernel v5.18. In our case study, HEK-CFI eliminates all illegal backward-edge targets and reduces forward-edge targets by more than 50 % compared to all existing kernel CFI schemes. We evaluate our proof-of-concept on real hardware and observe a performance overhead of 12.3 % for micro benchmarks and 1.85 % for macro benchmarks. In summary, HEK-CFI is the first solution to provide protection for both system events and return addresses. HEK-CFI also generically reduces forward control-flow targets and the performance overhead compared to existing solutions.
Original language: English
Title of host publication: ACM AsiaCCS 2024 - Proceedings of the 19th ACM Asia Conference on Computer and Communications Security
Pages: 866-882
Number of pages: 17
ISBN (Electronic): 979-8-4007-0482-6
DOIs
Publication status: Published - 1 Jul 2024
Event: 19th ACM ASIA Conference on Computer and Communications Security: ASIACCS 2024 - Singapore, Singapore
Duration: 1 Jul 2024 to 5 Jul 2024
Conference number: 19
https://asiaccs2024.sutd.edu.sg/

Publication series

Name: ACM AsiaCCS 2024 - Proceedings of the 19th ACM Asia Conference on Computer and Communications Security

Conference

Conference: 19th ACM ASIA Conference on Computer and Communications Security
Abbreviated title: ASIACCS 2024
Country/Territory: Singapore
City: Singapore
Period: 1/07/24 to 5/07/24
Internet address

Keywords

  • Kernel Control-Data Integrity
  • Kernel Control-Flow Integrity

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Computer Science Applications
  • Computational Theory and Mathematics
