Nowadays, more and more Linux attackers focus their attention on the kernel rather than on userspace applications, especially in mobile and embedded devices. The Kernel Self Protection Project (KSPP) tries to eliminate whole classes of vulnerabilities that might lead to creation of successful exploits, by implementing various hardening mechanisms inside the kernel itself.

Randomization Can’t Stop BPF JIT Spray

As part of the Kernel Self Protection Project, we have been trying to push for new protection measures for the Linux kernel Berkeley Packet Filter (BPF) Just-In-Time (JIT) compiler. The BPF JIT compiler had been attacked in 2012, and some countermeasures had been developed as a result: BPF filter offset randomization in the upstream kernel and constant blinding in Grsecurity. No attacks on the upstream kernel had been presented since.

We are going to present an improved version of the 2012 attack, which works on modern 4.4 kernels, at Black Hat Europe 2016 in November.

Posters

An early poster from May 2016 describing the attack is available for download.

Citations

Preventing Reference Counter overflows in the Linux Kernel

We have contributed to the KSPP by working on hardening the reference counter schemes used in the Linux kernel, particularly by preventing reference counter overflows. An overflowed reference counter can lead to a Use-After-Free, and has in fact caused such vulnerabilities in the past (e.g. CVE-2014-2851). The original proposal, based on PAX_REFCOUNT by PaX/Grsecurity, was rejected upstream, but led to the introduction of the new refcount_t type. Our current efforts, with a total of 223 patches submitted upstream, continue converting specific reference counter use cases to this new hardened type.
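The paragraph above describes the failure mode (an overflowing counter wraps to zero and the object is freed while references to it are still held) and the remedy (a counter that saturates instead of wrapping). The following is an added userspace model written for this page; it is not the kernel's refcount_t implementation, and the saturation value, the warning counter and all function names are assumptions chosen for illustration. It places a plain wrapping counter beside a saturating one and runs the same sequence of get/put operations through both.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical saturation value: once the counter reaches it, it never moves
 * again, so the object is leaked rather than freed under live references. */
#define REFCOUNT_SATURATED (UINT_MAX / 2 + 1)

/* Plain counter, as used before refcount_t: wraps silently at UINT_MAX. */
typedef struct { unsigned int refs; } plain_refcount_t;

static unsigned int plain_inc(plain_refcount_t *r) { return ++r->refs; }
static bool plain_dec_and_test(plain_refcount_t *r) { return --r->refs == 0; }

/* Hardened counter modelled on the refcount_t idea (not the kernel code). */
typedef struct { unsigned int refs; } hard_refcount_t;

/* Count of detected misuse; the kernel would emit a warning here. */
static unsigned long refcount_warnings;

static void refcount_warn(const char *what) {
    refcount_warnings++;
    fprintf(stderr, "refcount model: %s\n", what);
}

/* Increment never wraps: a counter at zero is refused (the object is already
 * gone, so this is a use-after-free), and a large counter saturates. */
static void hard_inc(hard_refcount_t *r) {
    if (r->refs == 0) {
        refcount_warn("increment on zero refcount (use-after-free)");
        return;
    }
    if (r->refs >= REFCOUNT_SATURATED) {
        r->refs = REFCOUNT_SATURATED;
        refcount_warn("refcount saturated, object leaked");
        return;
    }
    r->refs++;
}

/* Decrement returns true when the caller must free the object. A saturated
 * counter never reaches zero, and decrementing zero is reported, not wrapped. */
static bool hard_dec_and_test(hard_refcount_t *r) {
    if (r->refs == REFCOUNT_SATURATED)
        return false;
    if (r->refs == 0) {
        refcount_warn("decrement of zero refcount (underflow)");
        return false;
    }
    return --r->refs == 0;
}

/* Scenario: many references are held (counter set near the wrap point to
 * avoid looping billions of times), three more gets arrive, then one put. */
static bool plain_freed_with_live_refs(void) {
    plain_refcount_t r = { UINT_MAX - 1 };
    plain_inc(&r); plain_inc(&r); plain_inc(&r);   /* wraps to 1 */
    return plain_dec_and_test(&r);                 /* true: freed too early */
}

static bool hard_freed_with_live_refs(void) {
    hard_refcount_t r = { REFCOUNT_SATURATED - 2 };
    hard_inc(&r); hard_inc(&r); hard_inc(&r);      /* sticks at saturation */
    return hard_dec_and_test(&r);                  /* false: never freed */
}

static bool hard_inc_on_zero_is_refused(void) {
    hard_refcount_t r = { 0 };
    unsigned long before = refcount_warnings;
    hard_inc(&r);
    return r.refs == 0 && refcount_warnings == before + 1;
}

int main(void) {
    printf("plain counter frees object with live refs: %d\n", plain_freed_with_live_refs());
    printf("hardened counter frees object with live refs: %d\n", hard_freed_with_live_refs());
    printf("hardened counter refuses increment from zero: %d\n", hard_inc_on_zero_is_refused());
    return 0;
}
```

The trade-off the model makes visible is the one the hardened type accepts: a saturated counter turns a potential use-after-free into a memory leak, which is a far less exploitable outcome.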

Linux kernel refcount_t patch details

Posters

N/A

Citations

Adapting Intel MPX for use in the Linux kernel

Intel MPX provides hardware supported pointer bounds checking which can be used via compiler instrumentation and operating system support. The support libraries available are however written for user-space and do not support kernel-specific functions. The hardware supported bounds storage is also, due to its memory requirements, unwieldy for use inside the kernel. Our work has thus focused on providing support for in-kernel MPX via kernel specific wrapper functions, an alternative to the bound storage mechanism, and a GCC-plugin for adapting existing MPX-instrumentation accordingly.
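To make concrete what the compiler instrumentation described above checks on each memory access, here is an added C model that is not the project's wrapper code or GCC plugin: instead of a hardware bounds table, the lower and upper bound travel with the pointer in a struct (a simple stand-in for the alternative bounds storage the paragraph mentions). The struct layout, function names and the violation counter are assumptions made for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* A pointer that carries its own bounds. Like MPX, the upper bound is the
 * address of the last valid byte (inclusive). */
typedef struct {
    unsigned char *ptr;
    unsigned char *lb;
    unsigned char *ub;
} bounded_ptr;

/* Number of rejected accesses; a real system would fault or warn instead. */
static unsigned long bounds_violations;

static bounded_ptr bounded_make(void *base, size_t len) {
    bounded_ptr b;
    b.ptr = base;
    b.lb = base;
    b.ub = (unsigned char *)base + len - 1;
    return b;
}

/* The check instrumentation inserts before a load or store of `len` bytes
 * at `off` from the pointer. Integer arithmetic avoids forming out-of-range
 * pointers just to compare them. */
static bool bounded_check(const bounded_ptr *b, size_t off, size_t len) {
    uintptr_t lb = (uintptr_t)b->lb, ub = (uintptr_t)b->ub;
    uintptr_t first = (uintptr_t)b->ptr + off;
    uintptr_t last = first + len - 1;
    if (len == 0 || first < lb || last > ub || last < first) {
        bounds_violations++;
        return false;
    }
    return true;
}

/* A bounds-checked copy: the check runs, then the plain memcpy. */
static bool bounded_memcpy(bounded_ptr dst, size_t off, const void *src, size_t len) {
    if (!bounded_check(&dst, off, len))
        return false;
    memcpy(dst.ptr + off, src, len);
    return true;
}

/* Demonstration on a 16-byte buffer: two copies that fit and two that would
 * overrun by a single byte. Returns how many of the four behaved as expected;
 * bounds_violations ends at 2. */
static int demo_bounds_checks(void) {
    unsigned char buf[16] = { 0 };
    bounded_ptr p = bounded_make(buf, sizeof buf);
    const char msg[] = "0123456789abcdef";   /* 16 characters plus NUL: 17 bytes */
    int as_expected = 0;

    bounds_violations = 0;
    if (bounded_memcpy(p, 0, msg, 16)) as_expected++;           /* fills exactly */
    if (!bounded_memcpy(p, 0, msg, sizeof msg)) as_expected++;  /* 17 bytes: rejected */
    if (!bounded_memcpy(p, 8, msg, 9)) as_expected++;           /* ends at byte 16: rejected */
    if (bounded_memcpy(p, 8, msg, 8)) as_expected++;            /* ends at byte 15: fine */
    return as_expected;
}

int main(void) {
    int n = demo_bounds_checks();
    return (n == 4 && bounds_violations == 2) ? 0 : 1;
}
```

The second and third copies are classic off-by-one overruns; with bounds attached to the pointer, the check catches them before the write rather than after memory has been corrupted.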

Posters

N/A

Citations

N/A

Doctoral Dissertations