Fine-Grained Control-Flow Integrity for Kernel Software

Ge, Xinyang; Talele, Nirupama; Payer, Mathias; Jaeger, Trent

doi:10.1109/eurosp.2016.24

Cited by 85 publications

(77 citation statements)

References 27 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…This approach can be applied to a wider range of kernel software and prevents more attacks than KRGuard. On the other hand, as mentioned above, because KRGuard deploys the hardware function LBR and limits the target function, the overhead of KRGuard is smaller than that of [13]. In addition, we think that KRGuard can easily be applied to the Linux kernel because the mechanism is very simple.…”

Section: Related Workmentioning

confidence: 98%

See 1 more Smart Citation

Kernel Rootkits Detection Method by Monitoring Branches Using Hardware Features

Yamauchi

Akao

2017

IEICE Trans. Inf. & Syst.

View full text Add to dashboard Cite

SUMMARYAn operating system is an essential piece of software that manages hardware and software resources. Thus, attacks on an operating system kernel using kernel rootkits pose a particularly serious threat. Detecting an attack is difficult when the operating system kernel is infected with a kernel rootkit. For this reason, handling an attack will be delayed causing an increase in the amount of damage done to a computer system. In this paper, we propose Kernel Rootkits Guard (KRGuard), which is a new method to detect kernel rootkits that monitors branch records in the kernel space. Since many kernel rootkits make branches that differ from the usual branches in the kernel space, KRGuard can detect these differences by using the hardware features of commodity processors. Our evaluation shows that KRGuard can detect kernel rootkits that involve new branches in the system call handler processing with small overhead. key words: kernel rootkit detection, last branch record, operating system, system security

show abstract

Section: Related Workmentioning

confidence: 98%

“…Ge et al [13] proposed a mostly automated approach to produce and enforce fine-grained CFI policies comprehensively for kernel software with low overhead. This approach can be applied to a wider range of kernel software and prevents more attacks than KRGuard.…”

Section: Related Workmentioning

confidence: 99%

Kernel Rootkits Detection Method by Monitoring Branches Using Hardware Features

Yamauchi

Akao

2017

IEICE Trans. Inf. & Syst.

View full text Add to dashboard Cite

show abstract

“…Further, we are particularly interested in calltarget reduction analysis as this is the most used metric (see AIR [59], fAIR [49], and AIA [16] -however, these metrics average the results) to compare CFI defenses against each other. At the time of writing this paper, none of the existing CFI metrics can tell how secure a program is after a certain CFI policy was applied; as such, we do not claim that by using our CT R metric we can provide more security guarantees than other metrics, but rather CT R provides absolute values rather than averaging them.…”

Section: Introductionmentioning

confidence: 99%

Analyzing control flow integrity with LLVM-CFI

Muntean

Neumayer

Lin

et al. 2019

Proceedings of the 35th Annual Computer Security Applications Conference

View full text Add to dashboard Cite

Control-flow hijacking attacks are used to perform malicious computations. Current solutions for assessing the attack surface after a control flow integrity (CFI) policy was applied can measure only indirect transfer averages in the best case without providing any insights w.r.t. the absolute calltarget reduction per callsite, and gadget availability. Further, tool comparison is underdeveloped or not possible at all. CFI has proven to be one of the most promising protections against control flow hijacking attacks, thus many efforts have been made to improve CFI in various ways. However, there is a lack of systematic assessment of existing CFI protections.In this paper, we present LLVM-CFI, a static source code analysis framework for analyzing state-of-the-art static CFI protections based on the Clang/LLVM compiler framework. LLVM-CFI works by precisely modeling a CFI policy and then evaluating it within a unified approach. LLVM-CFI helps determine the level of security offered by different CFI protections, after the CFI protections were deployed, thus providing an important step towards exploit creation/prevention and stronger defenses. We have used LLVM-CFI to assess eight state-of-the-art static CFI defenses on real-world programs such as Google Chrome and Apache Httpd. LLVM-CFI provides a precise analysis of the residual attack surfaces, and accordingly ranks CFI policies against each other. LLVM-CFI also successfully paves the way towards construction of COOP-like code reuse attacks and elimination of the remaining attack surface by disclosing protected calltargets under eight restrictive CFI policies. CCS CONCEPTS• Security and privacy → Systems security; • Software and application security;

show abstract

“…In addition to securing user-level application software against such threats, it has also been applied to harden smartphones [14,39,49], embedded systems [3], hypervisors [63], and operating system kernels [13,25,33]. CFI-enforcing hardware is also being investigated [15,16,18,24,28,42,68,70].…”

Section: Scalabilitymentioning

confidence: 99%

Object Flow Integrity

Wang

Xiaoyang

Hamlen

2017

Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

Object flow integrity (OFI) augments control-flow integrity (CFI) and software fault isolation (SFI) protections with secure, first-class support for binary object exchange across inter-module trust boundaries. This extends both source-aware and source-free CFI and SFI technologies to a large class of previously unsupported software: those containing immutable system modules with large, objectoriented APIs-which are particularly common in component-based, event-driven consumer software. It also helps to protect these intermodule object exchanges against confused deputy-assisted vtable corruption and counterfeit object-oriented programming attacks.A prototype implementation for Microsoft Component Object Model demonstrates that OFI is scalable to large interfaces on the order of tens of thousands of methods, and exhibits low overheads of under 1% for some common-case applications. Significant elements of the implementation are synthesized automatically through a principled design inspired by type-based contracts.

show abstract

Fine-Grained Control-Flow Integrity for Kernel Software

Cited by 85 publications

References 27 publications

Kernel Rootkits Detection Method by Monitoring Branches Using Hardware Features

Kernel Rootkits Detection Method by Monitoring Branches Using Hardware Features

Analyzing control flow integrity with LLVM-CFI

Object Flow Integrity

Contact Info

Product

Resources

About