DOI: 10.1145/3658644.3670332
ACM CCS conference proceedings. Research article, open access.

On Kernel's Safety in the Spectre Era (And KASLR is Formally Dead)

Published: 09 December 2024

Abstract

The efficacy of address space layout randomization has been formally demonstrated in a shared-memory model by Abadi et al., contingent on specific assumptions about victim programs. However, modern operating systems, which implement layout randomization in the kernel, diverge from these assumptions and operate on a separate memory model in which communication happens through system calls. In this work, we relax Abadi et al.'s language assumptions while demonstrating that layout randomization offers a comparable safety guarantee in a system with memory separation. In practice, however, speculative execution and side channels are recognized threats to layout randomization. We show that kernel safety cannot be restored against attackers capable of using side channels and speculative execution, and we introduce a new condition that allows us to formally prove kernel safety in the Spectre era. Our research demonstrates that under this condition the system remains safe without relying on layout randomization. We also demonstrate that our condition can be sensibly weakened, leading to enforcement mechanisms that can guarantee kernel safety for safe system calls in the Spectre era.

References

[1]
Martín Abadi, Mihai Budiu, Úlfar Erlingsson, and Jay Ligatti. 2005. Control-Flow Integrity. In Proceedings of the 12th ACM Conference on Computer and Communications Security (Alexandria, VA, USA) (CCS '05). Association for Computing Machinery, New York, NY, USA, 340--353. https://doi.org/10.1145/1102120.1102165
[2]
Martín Abadi and Jérémy Planul. 2013. On Layout Randomization for Arrays and Functions. In Principles of Security and Trust, David Basin and John C. Mitchell (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg, 167--185.
[3]
Martín Abadi, Jérémy Planul, and Gordon D. Plotkin. 2014. Layout Randomization and Nondeterminism. Springer International Publishing, Cham, 1--39. https://doi.org/10.1007/978-3-319-06880-0_1
[4]
Martín Abadi and Gordon D. Plotkin. 2012. On Protection by Layout Randomization. ACM Trans. Inf. Syst. Secur. 15, 2, Article 8 (jul 2012), 29 pages. https://doi.org/10.1145/2240276.2240279
[5]
Basavesh Ammanaghatta Shivakumar, Gilles Barthe, Benjamin Grégoire, Vincent Laporte, and Swarn Priya. 2022. Enforcing Fine-grained Constant-time Policies. In Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security (Los Angeles, CA, USA) (CCS '22). Association for Computing Machinery, New York, NY, USA, 83--96. https://doi.org/10.1145/3548606.3560689
[6]
Sean Noble Anderson, Roberto Blanco, Leonidas Lampropoulos, Benjamin C. Pierce, and Andrew Tolmach. 2023. Formalizing Stack Safety as a Security Property. In 2023 IEEE 36th Computer Security Foundations Symposium (CSF). IEEE, New York, NY, USA, 356--371. https://doi.org/10.1109/CSF57540.2023.00037
[7]
Arthur Azevedo de Amorim, Cătălin Hriţcu, and Benjamin C. Pierce. 2018. The Meaning of Memory Safety. In Principles of Security and Trust, Lujo Bauer and Ralf Küsters (Eds.). Springer International Publishing, Cham, 79--105.
[8]
Enrico Barberis, Pietro Frigo, Marius Muench, Herbert Bos, and Cristiano Giuffrida. 2022. Branch History Injection: On the Effectiveness of Hardware Mitigations Against Cross-Privilege Spectre-v2 Attacks. In 31st USENIX Security Symposium (USENIX Security 22). USENIX Association, Boston, MA, 971--988. https://www.usenix.org/conference/usenixsecurity22/presentation/barberis
[9]
Gilles Barthe, Gustavo Betarte, Juan Campo, Carlos Luna, and David Pichardie. 2014. System-Level Non-Interference for Constant-Time Cryptography. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (Scottsdale, Arizona, USA) (CCS '14). Association for Computing Machinery, New York, NY, USA, 1267--1279. https://doi.org/10.1145/2660267.2660283
[10]
Gilles Barthe, Sunjay Cauligi, Benjamin Grégoire, Adrien Koutsos, Kevin Liao, Tiago Oliveira, Swarn Priya, Tamara Rezk, and Peter Schwabe. 2021. High-Assurance Cryptography in the Spectre Era. In 2021 IEEE Symposium on Security and Privacy (SP). IEEE, New York, NY, USA, 1884--1901. https://doi.org/10.1109/SP40001.2021.00046
[11]
Emery D. Berger and Benjamin G. Zorn. 2006. DieHard: Probabilistic Memory Safety for Unsafe Languages. In Proceedings of the 27th ACM SIGPLAN Conference on Programming Language Design and Implementation (Ottawa, Ontario, Canada) (PLDI '06). Association for Computing Machinery, New York, NY, USA, 158--168. https://doi.org/10.1145/1133981.1134000
[12]
Claudio Canella, Michael Schwarz, Martin Haubenwallner, Martin Schwarzl, and Daniel Gruss. 2020. KASLR: Break It, Fix It, Repeat. In Proceedings of the 15th ACM Asia Conference on Computer and Communications Security (Taipei, Taiwan) (ASIA CCS '20). Association for Computing Machinery, New York, NY, USA, 481--493. https://doi.org/10.1145/3320269.3384747
[13]
Chandler Carruth. 2018. Speculative Load Hardening. https://llvm.org/docs/SpeculativeLoadHardening.html
[14]
Sunjay Cauligi, Craig Disselkoen, Klaus v. Gleissenthall, Dean Tullsen, Deian Stefan, Tamara Rezk, and Gilles Barthe. 2020. Constant-time foundations for the new spectre era. In Proceedings of the 41st ACM SIGPLAN Conference on Programming Language Design and Implementation (London, UK) (PLDI 2020). Association for Computing Machinery, New York, NY, USA, 913--926. https://doi.org/10.1145/3385412.3385970
[15]
Yueqi Chen, Zhenpeng Lin, and Xinyu Xing. 2020. A Systematic Study of Elastic Objects in Kernel Exploitation. In Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security (Virtual Event, USA) (CCS '20). Association for Computing Machinery, New York, NY, USA, 1165--1184. https://doi.org/10.1145/3372297.3423353
[16]
Jonathan Corbet. 2012. Supervisor mode access prevention. https://lwn.net/Articles/517475/
[17]
Lesly-Ann Daniel, Marton Bognar, Job Noorman, Sébastien Bardin, Tamara Rezk, and Frank Piessens. 2023. ProSpeCT: Provably Secure Speculation for the Constant-Time Policy. In 32nd USENIX Security Symposium (USENIX Security 23). USENIX Association, Anaheim, CA, 7161--7178. https://www.usenix.org/conference/usenixsecurity23/presentation/daniel
[18]
Davide Davoli, Martin Avanzini, and Tamara Rezk. 2024. On Kernel's Safety in the Spectre Era (Extended Version). arXiv:2406.07278
[19]
Theo de Raadt. 2017. OpenBSD 6.3. https://www.openbsd.org/33.html
[20]
Jake Edge. 2013. Kernel address space layout randomization. https://lwn.net/Articles/569635/
[21]
Stephen Fischer. 2011. Supervisor Mode Execution Protection. https://www.ncsi.com/nsatc11/presentations/wednesday/emerging_technologies/fischer.pdf
[22]
Thomas Garnier. 2016. Randomizing the Linux kernel heap freelists. https://mxatone.medium.com/randomizing-the-linux-kernel-heap-freelists-b899bb99c767
[23]
Xinyang Ge, Nirupama Talele, Mathias Payer, and Trent Jaeger. 2016. Fine-Grained Control-Flow Integrity for Kernel Software. In 2016 IEEE European Symposium on Security and Privacy (EuroS&P). IEEE, New York, NY, USA, 179--194. https://doi.org/10.1109/EuroSP.2016.24
[24]
J. A. Goguen and J. Meseguer. 1982. Security Policies and Security Models. In 1982 IEEE Symposium on Security and Privacy. IEEE, New York, NY, USA, 11 pages. https://doi.org/10.1109/SP.1982.10014
[25]
Enes Göktas, Kaveh Razavi, Georgios Portokalidis, Herbert Bos, and Cristiano Giuffrida. 2020. Speculative Probing: Hacking Blind in the Spectre Era. In Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security (Virtual Event, USA) (CCS '20). Association for Computing Machinery, New York, NY, USA, 1871--1885. https://doi.org/10.1145/3372297.3417289
[26]
Daniel Gruss, Moritz Lipp, Michael Schwarz, Richard Fellner, Clémentine Maurice, and Stefan Mangard. 2017. KASLR is Dead: Long Live KASLR. In Engineering Secure Software and Systems, Eric Bodden, Mathias Payer, and Elias Athanasopoulos (Eds.). Springer International Publishing, Cham, 161--176.
[27]
Daniel Gruss, Clémentine Maurice, Anders Fogh, Moritz Lipp, and Stefan Mangard. 2016. Prefetch Side-Channel Attacks: Bypassing SMAP and Kernel ASLR. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (Vienna, Austria) (CCS '16). Association for Computing Machinery, New York, NY, USA, 368--379. https://doi.org/10.1145/2976749.2978356
[28]
Marco Guarnieri, Boris Köpf, José F. Morales, Jan Reineke, and Andrés Sánchez. 2020. Spectector: Principled Detection of Speculative Information Flows. In 2020 IEEE Symposium on Security and Privacy (SP). IEEE, New York, NY, USA, 1--19. https://doi.org/10.1109/SP40000.2020.00011
[29]
Marco Guarnieri, Boris Köpf, Jan Reineke, and Pepe Vila. 2021. Hardware-Software Contracts for Secure Speculation. In 2021 IEEE Symposium on Security and Privacy (SP). IEEE, New York, NY, USA, 1868--1883. https://doi.org/10.1109/SP40001.2021.00036
[30]
Ralf Hund, Carsten Willems, and Thorsten Holz. 2013. Practical Timing Side Channel Attacks against Kernel Space ASLR. In 2013 IEEE Symposium on Security and Privacy. IEEE, New York, NY, USA, 191--205. https://doi.org/10.1109/SP.2013.23
[31]
Apple Inc. 2011. Mac OS X has you Covered. http://www.apple.com/macosx/security/
[32]
Intel Corporation 2023. Intel ®64 and IA-32 Architectures Software Developer's Manual. Intel Corporation.
[33]
The kernel development community. 2023. Page Table Isolation (PTI). https://www.kernel.org/doc/html/next/x86/pti.html
[34]
Paul Kocher, Jann Horn, Anders Fogh, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, and Yuval Yarom. 2019. Spectre Attacks: Exploiting Speculative Execution. In 2019 IEEE Symposium on Security and Privacy (SP). IEEE, New York, NY, USA, 1--19. https://doi.org/10.1109/SP.2019.00002
[35]
Jakob Koschel, Pietro Borrello, Daniele Cono D'Elia, Herbert Bos, and Cristiano Giuffrida. 2023. Uncontained: Uncovering Container Confusion in the Linux Kernel. In 32nd USENIX Security Symposium (USENIX Security 23). USENIX Association, Anaheim, CA, 5055--5072. https://www.usenix.org/conference/usenixsecurity23/presentation/koschel
[36]
Jakob Koschel, Cristiano Giuffrida, Herbert Bos, and Kaveh Razavi. 2020. Tag-Bleed: Breaking KASLR on the Isolated Kernel Address Space using Tagged TLBs. In 2020 IEEE European Symposium on Security and Privacy (EuroS&P). IEEE, New York, NY, USA, 309--321. https://doi.org/10.1109/EuroSP48549.2020.00027
[37]
Jinku Li, Zhi Wang, Tyler Bletsch, Deepa Srinivasan, Michael Grace, and Xuxian Jiang. 2011. Comprehensive and Efficient Protection of Kernel Control Data. IEEE Transactions on Information Forensics and Security 6, 4 (2011), 1404--1417. https://doi.org/10.1109/TIFS.2011.2159712
[38]
Moritz Lipp, Michael Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Anders Fogh, Jann Horn, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval Yarom, and Mike Hamburg. 2018. Meltdown: Reading Kernel Memory from User Space. In 27th USENIX Security Symposium (USENIX Security 18). USENIX Association, Baltimore, MD, 973--990. https://www.usenix.org/conference/usenixsecurity18/presentation/lipp
[40]
William Liu, Joseph Ravichandran, and Mengjia Yan. 2023. EntryBleed: A Universal KASLR Bypass against KPTI on Linux. In Proceedings of the 12th International Workshop on Hardware and Architectural Support for Security and Privacy (Toronto, Canada) (HASP '23). Association for Computing Machinery, New York, NY, USA, 10--18. https://doi.org/10.1145/3623652.3623669
[41]
Ziqin Liu, Zhenpeng Lin, Yueqi Chen, Yuhang Wu, Yalong Zou, Dongliang Mu, and Xinyu Xing. 2023. Towards Unveiling Exploitation Potential With Multiple Error Behaviors for Kernel Bugs. IEEE Transactions on Dependable and Secure Computing 21, 1 (2023), 1--18. https://doi.org/10.1109/TDSC.2023.3246170
[42]
A. Mambretti, A. Sandulescu, A. Sorniotti, W. Robertson, E. Kirda, and A. Kurmus. 2021. Bypassing memory safety mechanisms through speculative control flow hijacks. In 2021 IEEE European Symposium on Security and Privacy (EuroS&P). IEEE Computer Society, Los Alamitos, CA, USA, 633--649. https://doi.org/10.1109/EuroSP51992.2021.00048
[43]
Tarjei Mandt. 2013. Attacking the iOS Kernel: A Look at 'evasi0n'. https://papers.put.as/papers/ios/2013/NISlecture201303.pdf
[44]
Ed Maste. 2023. Address Space Layout Randomization (ASLR). https://wiki.freebsd.org/AddressSpaceLayoutRandomization
[45]
Alexandra E. Michael, Anitha Gollamudi, Jay Bosamiya, Evan Johnson, Aidan Denlinger, Craig Disselkoen, Conrad Watt, Bryan Parno, Marco Patrignani, Marco Vassena, and Deian Stefan. 2023. MSWasm: Soundly Enforcing Memory-Safe Execution of Unsafe Code. In Proceedings of the 50th ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages. Proc. ACM Program. Lang. 7, Article 15, 30 pages. https://doi.org/10.1145/3571208
[46]
João Moreira, Sandro Rigo, Michalis Polychronakis, and Vasileios P Kemerlis. 2017. DROP THE ROP Fine-grained Control-flow Integrity for the Linux Kernel.
[47]
Santosh Nagarakatte, Jianzhou Zhao, Milo M.K. Martin, and Steve Zdancewic. 2009. SoftBound: Highly Compatible and Complete Spatial Memory Safety for C. SIGPLAN Not. 44, 6 (jun 2009), 245--258. https://doi.org/10.1145/1543135.1542504
[48]
Android Open Source Project. 2022. Kernel Hardening. https://source.android.com/docs/core/architecture/kernel/hardening
[49]
Liam Proven. 2022. Linux 6.1: Rust to hit mainline kernel. https://www.theregister.com/2022/10/05/rust_kernel_pull_request_pulled/
[50]
Joseph Ravichandran, Weon Taek Na, Jay Lang, and Mengjia Yan. 2022. PACMAN: Attacking ARM Pointer Authentication with Speculative Execution. In Proceedings of the 49th Annual International Symposium on Computer Architecture (New York, New York) (ISCA '22). Association for Computing Machinery, New York, NY, USA, 685--698. https://doi.org/10.1145/3470496.3527429
[51]
Elena Reshetova, Hans Liljestrand, Andrew Paverd, and N Asokan. 2018. Toward Linux kernel memory safety. Software: Practice and Experience 48, 12 (2018), 2237--2256.
[52]
Mark Rutland. 2017. ARMv8.3 Pointer Authentication.
[53]
Michael S and Vitaly Nikolenko. 2022. Linux kernel heap feng shui in 2022. https://duasynt.com/blog/linux-kernel-heap-feng-shui-2022
[54]
SecurityScorecard. 2022. Threat overview for Linux Kernel. https://www.cvedetails.com/product/47/Linux-Linux-Kernel.html
[55]
Hovav Shacham, Matthew Page, Ben Pfaff, Eu-Jin Goh, Nagendra Modadugu, and Dan Boneh. 2004. On the Effectiveness of Address-Space Randomization. In Proceedings of the 11th ACM Conference on Computer and Communications Security (Washington DC, USA) (CCS '04). Association for Computing Machinery, New York, NY, USA, 298--307. https://doi.org/10.1145/1030083.1030124
[56]
Andrew S. Tanenbaum and Herbert Bos. 2014. Modern Operating Systems (4th ed.). Prentice Hall Press, USA.
[57]
PaX Team. 2003. Documentation for the PaX project. https://pax.grsecurity.net/docs/
[58]
Marco Vassena, Craig Disselkoen, Klaus von Gleissenthall, Sunjay Cauligi, Rami Gökhan Kıcı, Ranjit Jhala, Dean Tullsen, and Deian Stefan. 2021. Automatically eliminating speculative leaks from cryptographic code with blade. Proc. ACM Program. Lang. 5, POPL, Article 49 (jan 2021), 30 pages. https://doi.org/10.1145/3434330
[59]
Zhi Wang and Xuxian Jiang. 2010. HyperSafe: A Lightweight Approach to Provide Lifetime Hypervisor Control-Flow Integrity. In 2010 IEEE Symposium on Security and Privacy. IEEE, New York, NY, USA, 380--395. https://doi.org/10.1109/SP.2010.30
[60]
Ofir Weisse, Ian Neal, Kevin Loughlin, Thomas F. Wenisch, and Baris Kasikci. 2019. NDA: Preventing Speculative Execution Attacks at Their Source. In Proceedings of the 52nd Annual IEEE/ACM International Symposium on Microarchitecture (Columbus, OH, USA) (MICRO '52). Association for Computing Machinery, New York, NY, USA, 572--586. https://doi.org/10.1145/3352460.3358306
[61]
Jiyong Yu, Mengjia Yan, Artem Khyzha, Adam Morrison, Josep Torrellas, and Christopher W. Fletcher. 2019. Speculative Taint Tracking (STT): A Comprehensive Protection for Speculatively Accessed Data. In Proceedings of the 52nd Annual IEEE/ACM International Symposium on Microarchitecture (Columbus, OH, USA) (MICRO '52). Association for Computing Machinery, New York, NY, USA, 954--968. https://doi.org/10.1145/3352460.3358274

Published In

cover image ACM Conferences
CCS '24: Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security
December 2024
5188 pages
ISBN:9798400706363
DOI:10.1145/3658644
This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. control flow integrity
  2. kernel safety
  3. layout randomization
  4. memory safety
  5. speculative execution

Conference

CCS '24

Acceptance Rates

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%