Attackers targeting Linux increasingly focus on the kernel rather than on userspace applications, especially on mobile and embedded devices. The Kernel Self Protection Project (KSPP) aims to eliminate whole classes of vulnerabilities that could be turned into working exploits, by implementing hardening mechanisms inside the kernel itself.
Randomization Can’t Stop BPF JIT Spray
As part of the Kernel Self Protection Project, we have been pushing for new protection measures for the Linux kernel Berkeley Packet Filter (BPF) Just-In-Time (JIT) compiler. The BPF JIT compiler was attacked with JIT spraying in 2012, and two countermeasures were developed as a result: randomization of the JITed filter's start offset in the upstream kernel, and constant blinding in Grsecurity. No attacks on the upstream kernel had been presented since; our attack shows that offset randomization alone does not stop BPF JIT spraying.
An early poster from May 2016 describing the attack is available for download.
- Our attack is mentioned on the Grsecurity blog.
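Why attacker-chosen immediates are a spray primitive, and what constant blinding changes, as an added example that is not the project's or the kernel's code. It is a toy x86 "JIT": each 32-bit BPF immediate is lowered to `mov eax, imm32` (opcode B8), and in blinded mode to `mov eax, imm ^ key ; xor eax, key` (opcode 35), a simplification of the blinding scheme. The function names, the fixed key standing in for a random per-program secret, and the nop-filled payload are this example's own assumptions.

```c
/*
 * Added example, not the project's or the kernel's code: a toy x86 "JIT" that
 * shows why attacker-chosen BPF immediates are a JIT-spray primitive and how
 * constant blinding removes them. Names and the simplified lowering are
 * assumptions for illustration.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OP_MOV_EAX_IMM32 0xB8   /* B8 id : mov eax, imm32 */
#define OP_XOR_EAX_IMM32 0x35   /* 35 id : xor eax, imm32 */
#define OP_TEST_AL_IMM8  0xA8   /* A8 ib : test al, imm8  */

static size_t put_u32le(uint8_t *out, uint32_t v)
{
    for (int i = 0; i < 4; i++)
        out[i] = (uint8_t)(v >> (8 * i));
    return 4;
}

/*
 * Lower n 32-bit BPF immediates to x86 code in `out` (needs 10*n bytes).
 * blind == 0: emit `mov eax, imm`, so the immediate lands in executable
 *             memory byte for byte.
 * blind != 0: emit `mov eax, imm ^ key ; xor eax, key`. eax still holds imm
 *             at run time, but only imm ^ key and key are in memory, and key
 *             is a per-program secret the attacker cannot predict.
 */
size_t toy_jit(const uint32_t *imms, size_t n, uint8_t *out, int blind, uint32_t key)
{
    size_t len = 0;
    for (size_t i = 0; i < n; i++) {
        out[len++] = OP_MOV_EAX_IMM32;
        if (!blind) {
            len += put_u32le(out + len, imms[i]);
        } else {
            len += put_u32le(out + len, imms[i] ^ key);
            out[len++] = OP_XOR_EAX_IMM32;
            len += put_u32le(out + len, key);
        }
    }
    return len;
}

/* 1 if needle occurs contiguously anywhere in hay. */
int contains(const uint8_t *hay, size_t hlen, const uint8_t *needle, size_t nlen)
{
    if (nlen == 0 || nlen > hlen)
        return 0;
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0)
            return 1;
    return 0;
}

/*
 * Classic spray layout: three payload bytes per immediate, and A8 as the top
 * byte so that, when execution enters one byte into the `mov`, the CPU runs
 * the payload and then `A8 B8` (test al, 0xB8), a harmless instruction that
 * swallows the next mov opcode and falls through into the next immediate.
 * 0x90 (nop) stands in for real payload bytes here.
 */
#define SPRAY_IMM 0xA8909090u
enum { NIMM = 3 };

/* Returns 1 if the payload bytes followed by the glue `A8 B8` appear in the
 * generated code, i.e. the spray is usable. */
int spray_visible(int blind, uint32_t key)
{
    const uint32_t prog[NIMM] = { SPRAY_IMM, SPRAY_IMM, SPRAY_IMM };
    const uint8_t gadget[] = { 0x90, 0x90, 0x90, OP_TEST_AL_IMM8, OP_MOV_EAX_IMM32 };
    uint8_t code[10 * NIMM];
    size_t len = toy_jit(prog, NIMM, code, blind, key);
    return contains(code, len, gadget, sizeof gadget);
}

int main(void)
{
    const uint32_t key = 0x9e3779b9u;   /* stands in for a random per-program key */
    printf("plain JIT:   spray gadget visible = %d\n", spray_visible(0, key));
    printf("blinded JIT: spray gadget visible = %d\n", spray_visible(1, key));
    return 0;
}
```

Moving the whole image to a random page offset does not change the bytes inside it, which is why the plain variant still contains the gadget; blinding changes the bytes themselves, at the cost of one extra instruction per constant, and is only as good as the secrecy of the key (a key of zero is a no-op). Upstream later adopted constant blinding behind the net.core.bpf_jit_harden sysctl.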
Preventing Reference Counter overflows in the Linux Kernel
We have contributed to the KSPP by hardening the reference counter schemes used in the Linux kernel, in particular by preventing reference counter overflows. A counter that overflows wraps around to zero, so the object is freed while references to it are still in use; such overflows lead to use-after-free and have in fact caused such vulnerabilities in the past (e.g. CVE-2014-2851). The original proposal, based on PAX_REFCOUNT by PaX/Grsecurity, was rejected upstream, but led to the introduction of the new refcount_t type, which saturates instead of wrapping. Our current efforts, with a total of 223 patches submitted upstream, continue converting specific reference counter use cases to this new hardened type.
- Our work is mentioned in the security things in Linux v4.11 post on codeblog.
- Our arXiv submission is mentioned in Hacker News.
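The overflow-to-use-after-free sequence described above, and what saturation changes, as an added userspace model that is not kernel code. The "plain" counter behaves like the old atomic_t usage (wraps silently); the "hardened" one follows refcount_t's rule that INT_MAX is the largest legal value and anything beyond is a sticky saturated state. The counter is started at the value a reference-leak loop would reach rather than looping billions of times; field and function names are this example's own.

```c
/*
 * Added example, not kernel code: a userspace model of how a reference
 * counter overflow becomes a use-after-free, and what refcount_t's
 * saturation changes. Names are this example's own.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define REFCOUNT_MAX        0x7fffffffu  /* INT_MAX, as for refcount_t */
#define REFCOUNT_SATURATED  0x80000000u  /* INT_MIN: "poisoned", never freed */

struct obj {
    uint32_t refs;   /* the counter under test */
    bool     freed;  /* set by the simulated kfree() */
};

/* --- plain counter: atomic_inc / atomic_dec_and_test semantics ------------ */
static void plain_get(struct obj *o)
{
    o->refs++;                        /* 0xffffffff + 1 silently wraps to 0 */
}
static bool plain_put(struct obj *o)  /* true when this put freed the object */
{
    if (--o->refs == 0) {
        o->freed = true;
        return true;
    }
    return false;
}

/* --- hardened counter: refcount_inc / refcount_dec_and_test semantics ----- */
static void hardened_get(struct obj *o)
{
    if (o->refs >= REFCOUNT_MAX) {
        o->refs = REFCOUNT_SATURATED; /* the kernel also WARNs here */
        return;
    }
    o->refs++;
}
static bool hardened_put(struct obj *o)
{
    if (o->refs >= REFCOUNT_SATURATED)
        return false;                  /* sticky: object leaks, but is never freed */
    if (--o->refs == 0) {
        o->freed = true;
        return true;
    }
    return false;
}

/*
 * Scenario from the text: an attacker has taken the maximum number of
 * references (a leak in a loop, as in CVE-2014-2851) and takes one more.
 * The counter starts at the value such a loop would reach instead of
 * looping 2^31 or 2^32 times. Then an ordinary user does one get/put pair.
 * Returns true if that put freed the object while other holders still have
 * pointers to it, i.e. the next access by any of them is a use-after-free.
 */
bool overflow_scenario(bool hardened)
{
    struct obj o = { .refs = hardened ? REFCOUNT_MAX : UINT32_MAX, .freed = false };
    void (*get)(struct obj *) = hardened ? hardened_get : plain_get;
    bool (*put)(struct obj *) = hardened ? hardened_put : plain_put;

    get(&o);             /* plain: wraps to 0; hardened: saturates */
    get(&o);             /* an unrelated user takes a reference */
    put(&o);             /* ...and drops it */
    return o.freed;      /* plain: true (refs hit 0); hardened: false */
}

int main(void)
{
    printf("plain counter    freed while referenced: %s\n",
           overflow_scenario(false) ? "yes (UAF)" : "no");
    printf("hardened counter freed while referenced: %s\n",
           overflow_scenario(true) ? "yes (UAF)" : "no");
    return 0;
}
```

The trade is deliberate: a saturated refcount_t leaks the object for the remaining lifetime of the system, which is a denial-of-service at worst, whereas the wrapped plain counter hands the attacker a freed object that live pointers still reference.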
Adapting Intel MPX for use in the Linux kernel
Intel MPX provides hardware-supported pointer bounds checking, used through compiler instrumentation with operating system support. The available support libraries are, however, written for user space and do not cover kernel-specific functions, and the hardware bounds storage (bound directory and bound tables) is, because of its memory requirements, unwieldy for use inside the kernel. Our work has therefore focused on providing in-kernel MPX support via kernel-specific wrapper functions, an alternative to the bounds storage mechanism, and a GCC plugin that adapts the existing MPX instrumentation accordingly.
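What the MPX instrumentation actually inserts, and where the bounds storage cost comes from, as an added software model that is not the project's code or GCC plugin. `bndmk` creates bounds, `bndcl`/`bndcu` check a pointer against them, and `bndstx`/`bndldx` spill and reload bounds through a table keyed by the address of the pointer variable; the tiny linear-search table here stands in for the hardware's two-level directory/table structure, and the function names, table size and demo buffers are this example's own.

```c
/*
 * Added example, not the project's code: a software model of the MPX
 * operations that compiler instrumentation inserts. Names, the table size and
 * the demo buffers are this example's own simplification.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct bnd { uintptr_t lb, ub; };   /* MPX keeps ub inverted; irrelevant here */

/* bndmk: bounds covering [base, base + size - 1]. */
static struct bnd bndmk(const void *base, size_t size)
{
    struct bnd b = { (uintptr_t)base, (uintptr_t)base + size - 1 };
    return b;
}

/* bndcl + bndcu: 0 if [p, p+len-1] lies inside b, -1 where hardware raises #BR. */
static int bndcheck(struct bnd b, const void *p, size_t len)
{
    uintptr_t lo = (uintptr_t)p, hi = lo + len - 1;
    return (lo >= b.lb && hi <= b.ub) ? 0 : -1;
}

/*
 * Bound table: one entry per pointer-sized memory slot that holds a pointer.
 * Hardware stores lb, ub, the pointer value and a reserved word (32 bytes on
 * 64-bit) per slot, on top of the bound directory, which is why the scheme
 * is unwieldy inside the kernel.
 */
#define BT_SLOTS 16
struct bt_entry { const void *const *slot; const void *ptr; struct bnd b; int used; };
static struct bt_entry bound_table[BT_SLOTS];
static const struct bnd BND_INIT = { 0, UINTPTR_MAX };  /* "unbounded" */

/* bndstx: remember bounds for the pointer currently stored in *slot. */
static int bndstx(const void *const *slot, struct bnd b)
{
    for (int i = 0; i < BT_SLOTS; i++) {
        if (!bound_table[i].used || bound_table[i].slot == slot) {
            bound_table[i] = (struct bt_entry){ slot, *slot, b, 1 };
            return 0;
        }
    }
    return -1;  /* table full */
}

/* bndldx: reload bounds for *slot. If the pointer in the slot no longer
 * matches the one saved with the bounds (overwritten by code that was not
 * instrumented), MPX hands back INIT bounds, i.e. no check at all. */
static struct bnd bndldx(const void *const *slot)
{
    for (int i = 0; i < BT_SLOTS; i++)
        if (bound_table[i].used && bound_table[i].slot == slot &&
            bound_table[i].ptr == *slot)
            return bound_table[i].b;
    return BND_INIT;
}

/* Last element of a bounded array: 0 (allowed). */
int demo_inbounds(void)
{
    int buf[8];
    struct bnd b = bndmk(buf, sizeof buf);
    return bndcheck(b, &buf[7], sizeof buf[7]);
}

/* One past the end: -1 (#BR). */
int demo_overflow(void)
{
    int buf[8];
    struct bnd b = bndmk(buf, sizeof buf);
    return bndcheck(b, &buf[8], sizeof buf[8]);
}

/* Bounds survive a spill/reload while the pointer is unchanged: -1. */
int demo_spill_reload(void)
{
    static int buf[8];
    const void *p = buf;
    bndstx(&p, bndmk(buf, sizeof buf));
    return bndcheck(bndldx(&p), (const int *)p + 8, sizeof(int));
}

/* Caveat: the pointer was overwritten by a plain store after its bounds were
 * spilled, so the reload yields INIT bounds and an access that should be
 * checked passes: 0. Every pointer that passes through uninstrumented code
 * loses its bounds this way. */
int demo_stale_entry(void)
{
    static int buf[8], other[16];
    const void *p = buf;
    bndstx(&p, bndmk(buf, sizeof buf));
    p = other;                          /* plain store, no bndstx */
    return bndcheck(bndldx(&p), (const int *)p + 12, sizeof(int));
}

int main(void)
{
    printf("in bounds: %d, overflow: %d, after spill/reload: %d, stale entry: %d\n",
           demo_inbounds(), demo_overflow(), demo_spill_reload(), demo_stale_entry());
    return 0;
}
```

The last demo is the practical caveat: the bound-table lookup is keyed by the pointer's storage address and validated against the pointer value, so any pointer written by uninstrumented code silently falls back to unbounded checks. In a kernel where only part of the code can be instrumented, that is as important a design constraint as the memory cost of the tables.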