Fine-grained control-flow integrity for kernel software

Xinyang Ge, Nirupama Talele, Mathias Payer, Trent Ray Jaeger

Research output: Chapter in Book/Report/Conference proceeding - Conference contribution

30 Citations (Scopus)

Abstract

Modern systems assume that privileged software always behaves as expected; however, such assumptions may not hold given the prevalence of kernel vulnerabilities. One idea is to employ defenses to restrict how adversaries may exploit such vulnerabilities, such as Control-Flow Integrity (CFI), which restricts execution to a Control-Flow Graph (CFG). However, proposed applications of CFI enforcement to kernel software are too coarse-grained to restrict the adversary effectively and either fail to enforce CFI comprehensively or are very expensive. We present a mostly-automated approach for retrofitting kernel software that leverages features of such software to enable comprehensive, efficient, fine-grained CFI enforcement. We achieve this goal by leveraging two insights. We first leverage the conservative function pointer usage patterns found in the kernel source code to develop a method to compute fine-grained CFGs for kernel software. Second, we identify two opportunities for removing CFI instrumentation relative to prior optimization techniques: reusing existing kernel instrumentation and creating direct transfers, where possible. Using these insights, we show how to choose optimized defenses for kernels to handle system events, enabling comprehensive and efficient CFI enforcement. We evaluate the effectiveness of the proposed fine-grained CFI instrumentation by applying the retrofitting approach comprehensively to FreeBSD, the MINIX microkernel system, and MINIX's user-space servers, and applying this approach partly to the BitVisor hypervisor. We show that our approach eliminates over 70% of the indirect targets relative to the best current, fine-grained CFI techniques, while our optimizations reduce the instrumentation necessary to enforce coarse-grained CFI. The performance improvement due to our optimizations ranges from 51%/25% for MINIX to 12%/17% for FreeBSD for the average/maximum microbenchmark overhead. The evaluation shows that fine-grained CFI instrumentation can be computed for kernel software in practice and can be enforced more efficiently than coarse-grained CFI instrumentation.

Original language: English (US)
Title of host publication: Proceedings - 2016 IEEE European Symposium on Security and Privacy, EURO S and P 2016
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 179-194
Number of pages: 16
ISBN (Electronic): 9781509017515
DOI: https://doi.org/10.1109/EuroSP.2016.24
State: Published - May 9 2016
Event: 1st IEEE European Symposium on Security and Privacy, EURO S and P 2016 - Saarbruecken, Germany
Duration: Mar 21 2016 - Mar 24 2016

Publication series

Name: Proceedings - 2016 IEEE European Symposium on Security and Privacy, EURO S and P 2016

Other

Other: 1st IEEE European Symposium on Security and Privacy, EURO S and P 2016
Country: Germany
City: Saarbruecken
Period: 3/21/16 - 3/24/16

Fingerprint

  • Flow control
  • Retrofitting
  • Flow graphs
  • Servers

All Science Journal Classification (ASJC) codes

  • Computer Networks and Communications

Cite this

Ge, X., Talele, N., Payer, M., & Jaeger, T. R. (2016). Fine-grained control-flow integrity for kernel software. In Proceedings - 2016 IEEE European Symposium on Security and Privacy, EURO S and P 2016 (pp. 179-194). [7467354] (Proceedings - 2016 IEEE European Symposium on Security and Privacy, EURO S and P 2016). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/EuroSP.2016.24