KCoFI: Complete Control-Flow Integrity for Commodity Operating System Kernels

Criswell, John; Dautenhahn, Nathan; Adve, Vikram

doi:10.1109/sp.2014.26

Cited by 135 publications

(103 citation statements)

References 22 publications

Supporting

Mentioning

102

Contrasting

Order By: Relevance

“…However, recent attacks against coarse-grained CFI [35], [46] have illustrated the security risks of imprecision. This has spurred interest in fine-grained CFI [30], [60], [69], sometimes called complete or ideal CFI; however, this has been deemed "very expensive" [46]. Several proposed hardware mechanisms are directly targeted at speeding up CFI [21], [34]; here we achieve CFI using a generic hardware mechanism in a formally verified way.…”

Section: Control-flow Integrity Micro-policymentioning

confidence: 99%

“…The PUMP mechanism supports finegrained CFI with average runtime overheads below 2% [39]. Previous formal verification efforts for CFI include ARMor [89] and KCoFI [30]. Like most work on CFI, they use inline reference monitoring [44]; their verification targets a small-TCB component, which validates that the right checks were inserted in the instrumented binary before its execution is allowed.…”

Section: Control-flow Integrity Micro-policymentioning

confidence: 99%

“…This ensures a very small TCB but also extremely long validation times [63]. The verification of KCoFI [30] targets a relatively compact Coq model that only focuses on certain aspects and is not related formally to the implementation.…”

Section: Control-flow Integrity Micro-policymentioning

confidence: 99%

See 2 more Smart Citations

Micro-Policies: Formally Verified, Tag-Based Security Monitors

Amorim¹,

Dénès

Giannarakis

et al. 2015

2015 IEEE Symposium on Security and Privacy

View full text Add to dashboard Cite

Abstract-Recent advances in hardware design have demonstrated mechanisms allowing a wide range of low-level security policies (or micro-policies) to be expressed using rules on metadata tags. We propose a methodology for defining and reasoning about such tag-based reference monitors in terms of a high-level "symbolic machine," and we use this methodology to define and formally verify micro-policies for dynamic sealing, compartmentalization, control-flow integrity, and memory safety; in addition, we show how to use the tagging mechanism to protect its own integrity. For each micro-policy, we prove by refinement that the symbolic machine instantiated with the policy's rules embodies a high-level specification characterizing a useful security property. Last, we show how the symbolic machine itself can be implemented in terms of a hardware rule cache and a software controller.

show abstract

Section: Control-flow Integrity Micro-policymentioning

confidence: 99%

Section: Control-flow Integrity Micro-policymentioning

confidence: 99%

See 1 more Smart Citation

Micro-Policies: Formally Verified, Tag-Based Security Monitors

Amorim¹,

Dénès

Giannarakis

et al. 2015

2015 IEEE Symposium on Security and Privacy

View full text Add to dashboard Cite

show abstract

“…This isolation can be used both to protect applications from an untrusted OS as well as to protect the OS itself from internal threats. For example, KCoFI [7] uses Secure Virtual Architecture [9] to isolate the OS from a run-time checker. The checker instruments the OS and monitors its activities to guarantee the control-flow integrity of the OS itself.…”

Section: Related Workmentioning

confidence: 99%

“…Virtualization-like mechanisms can also be used to support various forms of application hardening against untrusted OSs. Examples of this include KCoFi [7] based on the Secure Virtual Architecture [9], Overshadow [5], Inktag [14], and Virtual Ghost [8]. All these cases rely crucially on memory isolation to provide the required security guarantees, typically by virtualizing the memory management unit (MMU) hardware.…”

Section: Introductionmentioning

confidence: 99%

Trustworthy Memory Isolation of Linux on Embedded Devices

Nemati

Dam

Guanciale

et al. 2015

Trust and Trustworthy Computing

View full text Add to dashboard Cite

Abstract. The isolation of security critical components from an untrusted OS allows to both protect applications and to harden the OS itself, for instance by run-time monitoring. Virtualization of the memory subsystem is a key component to provide such isolation. We present the design, implementation and verification of a virtualization platform for the ARMv7-A processor family. Our design is based on direct paging, an MMU virtualization mechanism previously introduced by Xen for the x86 architecture, and used later with minor variants by the Secure Virtual Architecture, SVA. We show that the direct paging mechanism can be implemented using a compact design, suitable for formal verification down to a low level of abstraction, without penalizing system performance. The verification is performed using the HOL4 theorem prover and uses a detailed model of the ARMv7-A ISA, including the MMU. We prove memory isolation of the hosted components along with information flow security for an abstract top level model of the virtualization mechanism. The abstract model is refined down to a HOL4 transition system closely resembling a C implementation. The virtualization mechanism is demonstrated on real hardware via a hypervisor capable of hosting Linux as an untrusted guest. 1

show abstract

ShadowMonitor: An Effective In-VM Monitoring Framework with Hardware-Enforced Isolation

Shi

Cui

et al. 2018

Research in Attacks, Intrusions, and Defenses

View full text Add to dashboard Cite

KCoFI: Complete Control-Flow Integrity for Commodity Operating System Kernels

Cited by 135 publications

References 22 publications

Micro-Policies: Formally Verified, Tag-Based Security Monitors

Micro-Policies: Formally Verified, Tag-Based Security Monitors

Trustworthy Memory Isolation of Linux on Embedded Devices

ShadowMonitor: An Effective In-VM Monitoring Framework with Hardware-Enforced Isolation

Contact Info

Product

Resources

About