Research article. DOI: 10.1145/3064176.3064216

kR^X: Comprehensive Kernel Protection against Just-In-Time Code Reuse

Published: 23 April 2017

Abstract

The abundance of memory corruption and disclosure vulnerabilities in kernel code necessitates the deployment of hardening techniques to prevent privilege escalation attacks. As more strict memory isolation mechanisms between the kernel and user space, like Intel's SMEP, become commonplace, attackers increasingly rely on code reuse techniques to exploit kernel vulnerabilities. Contrary to similar attacks in more restrictive settings, such as web browsers, in kernel exploitation, non-privileged local adversaries have great flexibility in abusing memory disclosure vulnerabilities to dynamically discover, or infer, the location of certain code snippets and construct code-reuse payloads. Recent studies have shown that the coupling of code diversification with the enforcement of a "read XOR execute" (R^X) memory safety policy is an effective defense against the exploitation of userland software, but so far this approach has not been applied for the protection of the kernel itself.
In this paper, we fill this gap by presenting kR^X: a kernel hardening scheme based on execute-only memory and code diversification. We study a previously unexplored point in the design space, where a hypervisor or a super-privileged component is not required. Implemented mostly as a set of GCC plugins, kR^X is readily applicable to the x86-64 Linux kernel and can benefit from hardware support (e.g., MPX on modern Intel CPUs) to optimize performance. In full protection mode, kR^X incurs a low runtime overhead of 4.04%, which drops to 2.32% when MPX is available.


Published In

EuroSys '17: Proceedings of the Twelfth European Conference on Computer Systems
April 2017
648 pages
ISBN: 9781450349383
DOI: 10.1145/3064176
Publication rights licensed to ACM. ACM acknowledges that this contribution was authored or co-authored by an employee, contractor or affiliate of the United States government. As such, the Government retains a nonexclusive, royalty-free right to publish or reproduce this article, or to allow others to do so, for Government purposes only.

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

1. Code diversification
2. Execute-only memory

Qualifiers

• Research-article
• Research
• Refereed limited

Conference

EuroSys '17: Twelfth EuroSys Conference 2017
April 23 - 26, 2017
Belgrade, Serbia

Acceptance Rates

Overall Acceptance Rate 241 of 1,308 submissions, 18%

Cited By

• (2023) Identification of Vulnerable Kernel Code Using Kernel Tracing Mechanism. Journal of Information Processing 31, pages 788-801. DOI: 10.2197/ipsjjip.31.788. Online publication date: 2023.
• (2023) FineIBT: Fine-grain Control-flow Enforcement with Indirect Branch Tracking. Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses, pages 527-546. DOI: 10.1145/3607199.3607219. Online publication date: 16-Oct-2023.
• (2023) BinWrap: Hybrid Protection against Native Node.js Add-ons. Proceedings of the 2023 ACM Asia Conference on Computer and Communications Security, pages 429-442. DOI: 10.1145/3579856.3590330. Online publication date: 10-Jul-2023.
• (2023) RetSpill: Igniting User-Controlled Data to Burn Away Linux Kernel Protections. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, pages 3093-3107. DOI: 10.1145/3576915.3623220. Online publication date: 15-Nov-2023.
• (2023) R2C: AOCR-Resilient Diversity with Reactive and Reflective Camouflage. Proceedings of the Eighteenth European Conference on Computer Systems, pages 488-504. DOI: 10.1145/3552326.3587439. Online publication date: 8-May-2023.
• (2023) SuM: Efficient Shadow Stack Protection on ARM Cortex-M. Computers & Security, article 103568. DOI: 10.1016/j.cose.2023.103568. Online publication date: Oct-2023.
• (2023) What you can read is what you can't execute. Computers & Security, article 103377. DOI: 10.1016/j.cose.2023.103377. Online publication date: Jul-2023.
• (2023) Simplex: Repurposing Intel Memory Protection Extensions for Secure Storage. Secure IT Systems, pages 215-233. DOI: 10.1007/978-3-031-22295-5_12. Online publication date: 1-Jan-2023.
• (2022) Randezvous: Making Randomization Effective on MCUs. Proceedings of the 38th Annual Computer Security Applications Conference, pages 28-41. DOI: 10.1145/3564625.3567970. Online publication date: 5-Dec-2022.
• (2022) Adelie: continuous address space layout re-randomization for Linux drivers. Proceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, pages 483-498. DOI: 10.1145/3503222.3507779. Online publication date: 28-Feb-2022.