Kguard: Lightweight Kernel Protection Against Return-To-User Attacks
kGuard: Lightweight Kernel Protection against Return-to-user Attacks VasileiosP.Kemerlis GeorgiosPortokalidis AngelosD.Keromytis Network Security Lab Department of Computer Science Columbia University, New York, NY, USA {vpk, porto, angelos}@cs.columbia.edu Abstract Such return-to-user (ret2usr) attacks have affected all major OSs, including Windows [60], Linux [16, 18], Return-to-user (ret2usr) attacks exploit the operating sys- and FreeBSD [19, 59, 61], while they are not limited to tem kernel, enabling local users to hijack privileged ex- x86 systems [23], but have also targeted the ARM [30], ecution paths and execute arbitrary code with elevated DEC [31], and PowerPC [25] architectures. privileges. Current defenses have proven to be inade- There are numerous reasons to why attacks against the quate, as they have been repeatedly circumvented, in- kernel are becoming more common. First and foremost, cur considerable overhead, or rely on extended hypervi- processes running with administrative privileges have be- sors and special hardware features. We present kGuard, come harder to exploit due to the various defense mech- a compiler plugin that augments the kernel with com- anisms adopted by modern OSs [34,52]. Second, NULL pact inline guards, which prevent ret2usr with low per- pointer dereference errors had not received significant at- formance and space overhead. kGuard can be used with tention, until recently, exactly because they were thought any operating system that features a weak separation be- impractical and too difficult to exploit. In fact, 2009 has tween kernel and user space, requires no modifications been proclaimed, by some security researchers, as “the to the OS, and is applicable to both 32- and 64-bit ar- year of the kernel NULL pointer dereference flaw”[15].
[Show full text]