Adelie: Continuous Address Space Layout Re-randomization for Linux Drivers

01/20/2022
by   Ruslan Nikolaev, et al.
0

While address space layout randomization (ASLR) has been extensively studied for user-space programs, the corresponding OS kernel's KASLR support remains very limited, making the kernel vulnerable to just-in-time (JIT) return-oriented programming (ROP) attacks. Furthermore, commodity OSs such as Linux restrict their KASLR range to 32 bits due to architectural constraints (e.g., x86-64 only supports 32-bit immediate operands for most instructions), which makes them vulnerable to even unsophisticated brute-force ROP attacks due to low entropy. Most in-kernel pointers remain static, exacerbating the problem when pointers are leaked. Adelie, our kernel defense mechanism, overcomes KASLR limitations, increases KASLR entropy, and makes successful ROP attacks on the Linux kernel much harder to achieve. First, Adelie enables the position-independent code (PIC) model so that the kernel and its modules can be placed anywhere in the 64-bit virtual address space, at any distance apart from each other. Second, Adelie implements stack re-randomization and address encryption on modules. Finally, Adelie enables efficient continuous KASLR for modules by using the PIC model to make it (almost) impossible to inject ROP gadgets through these modules regardless of gadget's origin. Since device drivers (typically compiled as modules) are often developed by third parties and are typically less tested than core OS parts, they are also often more vulnerable. By fully re-randomizing device drivers, the last two contributions together prevent most JIT ROP attacks since vulnerable modules are very likely to be a starting point of an attack. Furthermore, some OS instances in virtualized environments are specifically designated to run device drivers, where drivers are the primary target of JIT ROP attacks. Our evaluation shows high efficiency of Adelie's approach. [full abstract is in the paper]

READ FULL TEXT

page 1

page 2

page 3

page 4

research
03/11/2019

IskiOS: Lightweight Defense Against Kernel-Level Code-Reuse Attacks

Commodity operating systems such as Windows, Linux, and MacOS X form the...
research
07/05/2020

Breaking and Fixing Destructive Code Read Defenses

Just-in-time return-oriented programming (JIT-ROP) is a powerful memory ...
research
04/17/2023

AVX Timing Side-Channel Attacks against Address Space Layout Randomization

Modern x86 processors support an AVX instruction set to boost performanc...
research
09/20/2019

Making Code Re-randomization Practical with MARDU

Defense techniques such as Data Execution Prevention (DEP) and Address S...
research
10/07/2019

Measuring Attack Surface Reduction in the Presence of Code (Re-)Randomization

Just-in-time return-oriented programming (JIT-ROP) technique allows one ...
research
09/22/2021

VIA: Analyzing Device Interfaces of Protected Virtual Machines

Both AMD and Intel have presented technologies for confidential computin...
research
02/20/2020

LibrettOS: A Dynamically Adaptable Multiserver-Library OS

We present LibrettOS, an OS design that fuses two paradigms to simultane...

Please sign up or login with your details

Forgot password? Click here to reset