
Enforcing Data Flow Integrity For Operating System Kernels

Posted on: 2019-11-30
Degree: Master
Type: Thesis
Country: China
Candidate: X M Tong
Full Text: PDF
GTID: 2428330572455624
Subject: Computer system architecture

Abstract/Summary:
Most commercial operating systems are developed in unsafe programming languages and face a variety of memory safety attacks. The operating system kernel is usually the security foundation of the whole system and must be protected. The protected objects cover the entire kernel code and all kernel data. Among them, dynamic kernel data is difficult to protect because its storage location cannot be fixed in advance and its contents change over time. Most existing solutions only provide coarse-grained protection for general control data (e.g., function pointers and return addresses), and do not cover special control data (e.g., return addresses in interrupt context) or non-control data (e.g., branch data). However, researchers have demonstrated that these coarse-grained protection systems for control data can be bypassed by the latest attacks. For this reason, the thesis designs and implements a kernel protection system with data flow integrity. Compared with previous systems, it can protect both the control data and the non-control data in the operating system kernel, and can enforce fine-grained Control Flow Integrity (CFI) and Data Flow Integrity (DFI) to prevent memory safety attacks on the kernel.

CFI is not only an important part of DFI but also its foundation and premise: only when fine-grained CFI is implemented can the effectiveness of DFI be ensured. First, in order to obtain the fine-grained control flow graph required to implement CFI, the thesis proposes a retrofitted context-sensitive and field-sensitive points-to analysis for the kernel's intermediate-representation (IR) code, which improves the accuracy of the resulting control flow graph. The main innovation of this analysis is a new vector, the struct location vector, used to infer the targets of each indirect function call. The basis for introducing this vector is that the kernel performs a large number of initialization and assignment operations on function pointers, and a function pointer is always located in the same field of the same structure for its entire lifetime. Second, to solve the problem of destination equivalence in CFI protection, the thesis adopts the indexed hooks method: it instruments the indirect transfer instructions in the kernel by modifying the compiler backend, and replaces the code pointers in both code and data sections with the corresponding table indexes through binary rewriting. Finally, to completely protect the interrupt control data, the thesis proposes a hypervisor-based defense mechanism that backs up the control information to the hypervisor when an interrupt occurs and verifies that information when the interrupt returns. Together, these enforce fine-grained CFI for the kernel.

To protect the non-control data in the kernel and thereby enforce DFI, the thesis adopts Write Integrity Testing (WIT). WIT was chosen because of its observation that writes to branch data in the kernel are far less frequent than reads, which greatly reduces the number of checks that need to be performed. The thesis therefore implements a compile-time component and a runtime component. At compile time, a points-to analysis on the IR computes the set of data objects that each instruction in the kernel may write. At the same time, to reduce space and time overhead, a write safety analysis on the IR excludes the write instructions that are safe. At run time, the modified compiler backend instruments all unsafe write instructions in the kernel, so that an instruction is prevented from modifying data objects that the static analysis did not allow. This enforces DFI for the kernel.

Based on the open-source LLVM compiler, the thesis implements a prototype protection system for the Linux 3.14 kernel and performs a comprehensive security and performance evaluation. The evaluation results show that the system can prevent all attacks based on control data and non-control data, with an acceptable performance overhead.
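The following is an added example, not code from the thesis or its prototype: a user-space C sketch of the WIT check described above, in which each unsafe store carries the colour (allowed object set) assigned by static analysis and a shadow colour table is consulted before the write. The heap layout, the colour values and names such as `wit_store` and `wit_demo` are assumptions made for the illustration.

```c
/* Added example, not code from the thesis: a user-space sketch of the
 * Write Integrity Testing (WIT) check described above. At "compile time"
 * the static analysis assigns each unsafe store a colour, i.e. the set of
 * objects it may write; at run time a shadow colour table over a small
 * simulated kernel heap is consulted before the store, and a mismatch
 * blocks the write. All names and the layout are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define HEAP_SIZE 64
#define COLOR_NONE 0

static uint8_t heap[HEAP_SIZE];   /* simulated kernel data objects */
static uint8_t shadow[HEAP_SIZE]; /* colour recorded for each heap byte */
static int violations;            /* number of blocked writes */

/* Allocation side: give the object at [off, off+len) a colour. */
static void wit_alloc(size_t off, size_t len, uint8_t color) {
    memset(shadow + off, color, len);
}

/* Instrumented store: `color` is what the static analysis assigned to this
 * store instruction; the write proceeds only if every target byte carries
 * the same colour. Returns 1 if performed, 0 if blocked. */
static int wit_store(uint8_t *dst, size_t n, uint8_t color, const void *src) {
    size_t off = (size_t)(dst - heap);
    if (off >= HEAP_SIZE || n > HEAP_SIZE - off) { violations++; return 0; }
    for (size_t i = 0; i < n; i++)
        if (shadow[off + i] != color) { violations++; return 0; }
    memcpy(dst, src, n);
    return 1;
}

/* Constructed scenario: a 16-byte buffer (colour 1) sits next to a 4-byte
 * non-control flag (colour 2) that later steers a branch. The same store
 * instruction writes `write_len` bytes into the buffer: 16 is in bounds and
 * allowed, 20 spills into the flag's colour-2 bytes and is blocked whole. */
int wit_demo(size_t write_len) {
    uint8_t src[HEAP_SIZE];
    memset(heap, 0, HEAP_SIZE);
    memset(shadow, COLOR_NONE, HEAP_SIZE);
    memset(src, 0xff, sizeof src);
    violations = 0;
    wit_alloc(0, 16, 1);  /* buffer, the only object this store may write */
    wit_alloc(16, 4, 2);  /* branch flag, never a target of that store */
    return wit_store(heap, write_len, 1, src);
}
int wit_flag_byte(void) { return heap[16]; }
int wit_violations(void) { return violations; }
```

A real WIT build would derive the colours from the points-to analysis and skip the check for stores the write safety analysis proved safe; here every store goes through `wit_store` for clarity.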
Keywords/Search Tags:Kernel Intrusion Prevention, CFI, DFI, Interrupt Protection