kGuard: lightweight kernel protection against return-to-user attacks

  • Authors:
  • Vasileios P. Kemerlis;Georgios Portokalidis;Angelos D. Keromytis

  • Affiliations:
  • Network Security Lab, Department of Computer Science, Columbia University, New York, NY;Network Security Lab, Department of Computer Science, Columbia University, New York, NY;Network Security Lab, Department of Computer Science, Columbia University, New York, NY

  • Venue:
  • Security'12 Proceedings of the 21st USENIX conference on Security symposium
  • Year:
  • 2012

Quantified Score

Hi-index 0.00

Visualization

Abstract

Return-to-user (ret2usr) attacks exploit the operating system kernel, enabling local users to hijack privileged execution paths and execute arbitrary code with elevated privileges. Current defenses have proven to be inadequate, as they have been repeatedly circumvented, incur considerable overhead, or rely on extended hypervisors and special hardware features. We present kGuard, a compiler plugin that augments the kernel with compact inline guards, which prevent ret2usr with low performance and space overhead. kGuard can be used with any operating system that features a weak separation between kernel and user space, requires no modifications to the OS, and is applicable to both 32-and 64-bit architectures. Our evaluation demonstrates that Linux kernels compiled with kGuard become impervious to a variety of control-flow hijacking exploits. kGuard exhibits lower overhead than previouswork, imposing on average an overhead of 11.4% on system call and I/O latency on ×86 OSs, and 10.3% on x86-64. The size of a kGuard-protected kernel grows between 3.5% and 5.6%, due to the inserted checks, while the impact on real-life applications is minimal (≤1%).