kGuard: Lightweight Kernel
Protection against Return-to-User
Authors: Vasileios P. Kemerlis Georgios Portokalidis
Angelos D. Keromytis
Presenter: Behnaz Hassanshahi
Problem Statement
• Kernel exploitation
Kernel-level memory corruption
Traditionally: Code injection – (Code Reuse)ROP
Recently: Run user land code (ret2user attacks)
Return to User Attacks
• The root problem stems from the weak
separation of user and kernel spaces.
– Shared process/kernel model for Performance
– Kernel code can do anything in user land, so if it is
abused, attacker can force it to run the shell code
in user space.
– Over-writing kernel-level control data(e.g., return
addresses, jump tables, function pointers) with
user space addresses.
Return to User Attacks
• Example: exploiting a NULL pointer
dereference error to launch a ret2user attack
Vulnerable program
Return to User Attacks
malicious process invokes “sendfile” system
call with offending arguments
libc wrapper traps to the OS via “sysenter”
system call handler of Linux
(sysenter_do_call()) is executed which
resolves the kernel address of sys-sendfile
Privileged execution continues until
sock_sendpage() is invoked
the value of sendpage pointer is NULL
control is transferred to address 0
malicious process has mmapped page 0 and
dropped a function pointer of his own at
address 0, the kernel will call that function
pointer in kernel mode
Existing Defense Mechanisms
CFI and Program Shepherding
Intel SMEP
– Doesn`t prevent kernel from accessing user “data”
• Inline monitoring and code diversification
– Adding “Control Flow Assertions” at compile time
before every indirect control transfer
• E.g., call, jmp and ret in x86
• CFAR : compares the branch target with lower kernel
address 0xC00000
• CFAm :
– Branch target is within the kernel address space
– Memory address where the branch target is loaded from is
also in kernel space
• Example CFA guard
Bypassing kGuard
• Bypass trampolines
1. Find two computed branch instructions
whose operands can be reliably overwritten
2. Overwrite the value (branch target)
of the first with the address of the second
3. Overwrite the value of the second with
a user-space address
4. Solution: Code inflation and CFA motion
Code Inflation
• Reshapes the Kernel text at
at compile time
CFA Motion
Relocation of protected branches at boot time
• The implementation consists of a plugin for
• At RTL level, after most of the important
Effectiveness on Privilege Escalation
Performance Evaluation
Performance Evaluation – latency
overhead and code diversification
Conclusion and Discussion
• In near future all memory regions will be
• Randomization of the address at which kernel
is loaded
• Intel SMEP vs kGuard
– Performance
– Side channel attacks

similar documents