Abstract
Over the past decade, vulnerabilities in the Linux kernel have more than doubled, allowing control-flow hijacking attacks that compromise the entire system. To thwart these attacks, Control-Flow Integrity (CFI) has emerged as the state-of-the-art defense. However, existing kernel CFI schemes are still limited in providing protection against these attacks, e.g., during system events and for return addresses.
In this paper, we introduce Hardware-Enforced Kernel Control-Flow Integrity (HEK-CFI), a novel approach that protects control-flow-related data during system events, as well as function pointers and return addresses, effectively mitigating control-flow hijacking attacks. HEK-CFI leverages Intel CET, specifically write-protected pages used by its shadow stack design, along with signature-based CFI to safeguard this data. To demonstrate its effectiveness, we implement a proof-of-concept and perform a case study on the Linux kernel v5.18. In our case study, HEK-CFI eliminates all illegal backward-edge targets and reduces forward-edge targets by more than 50 % compared to all existing kernel CFI schemes. We evaluate our proof-of-concept on real hardware and observe a performance overhead of 12.3 % for micro benchmarks and 1.85 % for macro benchmarks. In summary, HEK-CFI is the first solution to provide protection for both system events and return addresses. HEK-CFI also generically reduces forward control-flow targets and the performance overhead compared to existing solutions.
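The forward-edge half of the scheme named in the abstract, signature-based CFI, works by tagging every function with a hash of its type and having each indirect call site compare that tag with the hash of the pointer's declared type before jumping. The user-space C model below is an added example written for this page; it is not code from the HEK-CFI paper or from the Linux kernel. The FNV-1a hash standing in for the compiler's type hash, the `cfi_table` lookup standing in for the per-function prologue, the `file_ops`/`do_read` names and the `CFI_VIOLATION` return value are all assumptions made so that the model runs stand-alone.

```c
#include <stdint.h>
#include <stdio.h>

#define CFI_VIOLATION (-1000)   /* a real kernel would panic or kill the task */

/* Illustrative stand-in for the compiler's type hash: FNV-1a over a textual
 * signature. This is an assumption of the example; a real signature-based
 * scheme derives the hash from the mangled function type at compile time. */
static uint32_t type_hash(const char *signature)
{
    uint32_t h = 2166136261u;
    for (; *signature; signature++) {
        h ^= (unsigned char)*signature;
        h *= 16777619u;
    }
    return h;
}

typedef void (*generic_fn)(void);
typedef int (*read_op_t)(const char *buf, int len);

/* Legitimate target of an ops->read call site. */
static int sane_read(const char *buf, int len) { return (buf && len > 0) ? len : -1; }
/* Same type as sane_read: signature-based CFI still allows it (residual target). */
static int other_read(const char *buf, int len) { (void)buf; return len * 2; }
/* Different type: the kind of function a hijacked pointer gets redirected to. */
static int set_privileged(int uid) { return uid == 0 ? 1 : 0; }

/* Simulated type-hash "prologue": real kernels emit the hash immediately before
 * each function's entry; here a table keyed by entry address stands in for it. */
static const struct { generic_fn fn; const char *sig; } cfi_table[] = {
    { (generic_fn)sane_read,      "int(const char *, int)" },
    { (generic_fn)other_read,     "int(const char *, int)" },
    { (generic_fn)set_privileged, "int(int)" },
};

static int cfi_violations;  /* counted here instead of panicking */

/* The check an instrumented indirect call site performs before jumping:
 * the hash recorded at the target must equal the hash of the call site's
 * static type. Targets without a recorded hash fail as well. */
static int cfi_check(generic_fn target, uint32_t expected)
{
    size_t i;
    for (i = 0; i < sizeof cfi_table / sizeof cfi_table[0]; i++) {
        if (cfi_table[i].fn == target)
            return type_hash(cfi_table[i].sig) == expected;
    }
    return 0;
}

/* A kernel-style object holding a function pointer an attacker may corrupt. */
struct file_ops { read_op_t read; };

/* Instrumented call site: the expected hash comes from the pointer's declared
 * type (a compile-time constant), not from anything the attacker can write. */
static int do_read(const struct file_ops *ops, const char *buf, int len)
{
    if (!cfi_check((generic_fn)ops->read, type_hash("int(const char *, int)"))) {
        cfi_violations++;
        return CFI_VIOLATION;
    }
    return ops->read(buf, len);
}

/* Install a target in an ops struct and call through it. */
static int read_via(read_op_t target, const char *buf, int len)
{
    struct file_ops ops = { target };
    return do_read(&ops, buf, len);
}

int main(void)
{
    const char sample[] = "abc";  /* constructed input */
    printf("legitimate target: %d\n", read_via(sane_read, sample, 3));
    printf("same-type target:  %d\n", read_via(other_read, sample, 3));
    /* Simulated hijack: ops->read overwritten with a pointer of another type. */
    printf("hijacked target:   %d\n", read_via((read_op_t)set_privileged, sample, 3));
    printf("violations: %d\n", cfi_violations);
    return 0;
}
```

Note that the same-type target still passes: that residual set of functions sharing a signature is the forward-edge target set which the abstract reports HEK-CFI cuts by more than half relative to existing kernel CFI. The backward edge (return addresses on the CET shadow stack) is not modelled here.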
Original language | English |
---|---|
Title of host publication | ACM AsiaCCS 2024 - Proceedings of the 19th ACM Asia Conference on Computer and Communications Security |
Pages | 866-882 |
Number of pages | 17 |
ISBN (Electronic) | 979-8-4007-0482-6 |
DOIs | |
Publication status | Published - 1 Jul 2024 |
Event | 19th ACM ASIA Conference on Computer and Communications Security: ASIACCS 2024 - Singapore, Singapore; Duration: 1 Jul 2024 → 5 Jul 2024; Conference number: 19; https://asiaccs2024.sutd.edu.sg/ |
Publication series
Name | ACM AsiaCCS 2024 - Proceedings of the 19th ACM Asia Conference on Computer and Communications Security |
---|---|
Conference
Conference | 19th ACM ASIA Conference on Computer and Communications Security |
---|---|
Abbreviated title | ASIACCS 2024 |
Country/Territory | Singapore |
City | Singapore |
Period | 1/07/24 → 5/07/24 |
Internet address | https://asiaccs2024.sutd.edu.sg/ |
Keywords
- Kernel Control-Data Integrity
- Kernel Control-Flow Integrity
ASJC Scopus subject areas
- Computer Networks and Communications
- Computer Science Applications
- Computational Theory and Mathematics
Title
Beyond the Edges of Kernel Control-Flow Hijacking Protection with HEK-CFI
Projects
- SEIZE - Secure Edge Devices For Industrial Zero-Trust Environments (1/01/22 → 31/12/24), Research project, active