DOI: 10.1145/3678015.3680476
Research article (open access)

Chaos: Function Granularity Runtime Address Layout Space Randomization for Kernel Module

Published: 04 September 2024

Abstract

Return-oriented programming (ROP) is a prevalent code reuse attack. It exploits vulnerabilities such as stack overflows to hijack the execution flow into a chain of carefully chosen instruction snippets (called gadgets) that are already present in memory. Address Space Layout Randomization (ASLR) is widely used to defend against code reuse attacks like ROP by making the location of those gadgets unpredictable. However, the Linux kernel, and especially its kernel modules, which are the most vulnerable part of it, only applies a basic coarse-grained load-time ASLR. This is far from sufficient to defend against new ROP attacks. In this paper, we propose Chaos, a fine-grained, runtime, architecture-independent ASLR for kernel modules. Chaos randomizes at function granularity to increase randomization entropy, and it continuously re-randomizes during runtime to invalidate memory disclosures. To reduce overhead, Chaos suspends only the kernel module being re-randomized and minimizes the effort of migrating its running state. We implement Chaos on Linux 5.10 LTS on ARM64 and evaluate it with two common benchmarks. The results show that Chaos achieves fine-grained runtime ASLR for kernel modules with at most 5% performance overhead.
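The abstract names three mechanisms: permuting a module's code at function granularity, re-randomizing repeatedly at runtime so that a leaked address goes stale, and migrating the module's running state (code pointers such as saved return addresses) across a re-randomization. The user-space C simulation below is added here to illustrate those three steps for one module; it is not code from the Chaos paper or its artifact. The function count, slot size, module base address and the xorshift PRNG are assumptions made for the example, and the real system operates on kernel memory with the kernel's RNG rather than on a table in user space.

```c
/* User-space model of function-granularity runtime re-randomization of one
 * kernel module. Constructed example: NFUNC, SLOT_SZ, the module base and the
 * xorshift PRNG are assumptions, not Chaos's own data structures or RNG. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NFUNC   8               /* functions in the module (assumption) */
#define SLOT_SZ 0x100u          /* one 256-byte slot per function (assumption) */
#define MOD_SZ  (NFUNC * SLOT_SZ)

typedef struct {
    uint64_t base;              /* module text base; fixed across epochs here */
    int func_at[NFUNC];         /* slot index  -> function id */
    int slot_of[NFUNC];         /* function id -> slot index */
} layout_t;

/* xorshift64 stands in for the kernel RNG; fixed seed for reproducibility. */
static uint64_t rng_state = 0x9E3779B97F4A7C15ull;
static uint64_t rng_next(void)
{
    uint64_t x = rng_state;
    x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    return rng_state = x;
}

/* Load-time layout: function i sits in slot i. */
static void layout_init(layout_t *l, uint64_t base)
{
    l->base = base;
    for (int i = 0; i < NFUNC; i++) l->func_at[i] = l->slot_of[i] = i;
}

/* One runtime epoch: Fisher-Yates permutation of the function slots. */
static void rerandomize(layout_t *l)
{
    for (int i = NFUNC - 1; i > 0; i--) {
        int j = (int)(rng_next() % (uint64_t)(i + 1));
        int t = l->func_at[i]; l->func_at[i] = l->func_at[j]; l->func_at[j] = t;
    }
    for (int s = 0; s < NFUNC; s++) l->slot_of[l->func_at[s]] = s;
}

static uint64_t addr_of(const layout_t *l, int f)
{
    return l->base + (uint64_t)l->slot_of[f] * SLOT_SZ;
}

/* Map an address to (function, offset); -1 if it is outside the module. */
static int resolve(const layout_t *l, uint64_t addr, uint64_t *off)
{
    if (addr < l->base || addr >= l->base + MOD_SZ) return -1;
    uint64_t rel = addr - l->base;
    if (off) *off = rel % SLOT_SZ;
    return l->func_at[rel / SLOT_SZ];
}

/* Running-state migration: a code pointer captured under `old` (saved return
 * address, callback, ...) is rewritten to the same function+offset under `cur`. */
static uint64_t migrate_ptr(const layout_t *old, const layout_t *cur, uint64_t p)
{
    uint64_t off;
    int f = resolve(old, p, &off);
    return f < 0 ? p : addr_of(cur, f) + off;   /* outside the module: unchanged */
}

/* Layouts reachable by permutation: n! (log2 of it is the added entropy). */
static uint64_t layout_count(int n)
{
    uint64_t c = 1;
    for (int k = 2; k <= n; k++) c *= (uint64_t)k;
    return c;
}

/* Attacker leaks target's address now; count epochs until that address stops
 * resolving to target. Returns 0 if it never went stale within max_epochs. */
static int epochs_until_stale(layout_t *l, int target, int max_epochs)
{
    uint64_t leaked = addr_of(l, target);
    for (int e = 1; e <= max_epochs; e++) {
        rerandomize(l);
        if (resolve(l, leaked, NULL) != target) return e;
    }
    return 0;
}

int main(void)
{
    layout_t old, cur;
    layout_init(&old, 0xffffffc008000000ull);     /* made-up module base */
    memcpy(&cur, &old, sizeof cur);
    rerandomize(&cur);
    uint64_t ret = addr_of(&old, 3) + 0x2c;       /* saved return into function 3 */
    printf("%llu layouts (n!) vs one per load-time base\n", (unsigned long long)layout_count(NFUNC));
    printf("saved return %#llx -> %#llx\n", (unsigned long long)ret,
           (unsigned long long)migrate_ptr(&old, &cur, ret));
    printf("leak of function 5 stale after %d epoch(s)\n", epochs_until_stale(&cur, 5, 64));
    return 0;
}
```

Under coarse-grained load-time ASLR one leaked code pointer reveals the whole module layout for the lifetime of the system; in this model a leak reveals the slot of one function for the current epoch only, and layout_count(8) = 40320 permutations (about 15.3 bits) are available on top of the base offset. migrate_ptr is the part that makes runtime re-randomization safe: a return address on a suspended thread's stack that still pointed into the old slot would resume in the wrong function after the shuffle, which is exactly the running-state migration the abstract says Chaos keeps minimal.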

Published In

APSys '24: Proceedings of the 15th ACM SIGOPS Asia-Pacific Workshop on Systems
September 2024
150 pages
ISBN:9798400711053
DOI:10.1145/3678015
This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Address space layout randomization (ASLR)
  2. Operating system
  3. Return-oriented programming (ROP)

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

APSys '24

Acceptance Rates

APSys '24 Paper Acceptance Rate 20 of 44 submissions, 45%;
Overall Acceptance Rate 169 of 430 submissions, 39%
