Abstract

Return-to-user (ret2usr) attacks exploit the operating system kernel, enabling local users to hijack privileged execution paths and execute arbitrary code with elevated privileges. Current defenses have proven to be inadequate, as they have been repeatedly circumvented, incur considerable overhead, or rely on extended hypervisors and special hardware features. We present kGuard, a compiler plugin that augments the kernel with compact inline guards, which prevent ret2usr with low performance and space overhead. kGuard can be used with any operating system that features a weak separation between kernel and user space, requires no modifications to the OS, and is applicable to both 32- and 64-bit architectures. Our evaluation demonstrates that Linux kernels compiled with kGuard become impervious to a variety of control-flow hijacking exploits. kGuard exhibits lower overhead than previous work, imposing on average an overhead of 11.4% on system call and I/O latency on x86 OSs, and 10.3% on x86-64. The size of a kGuard-protected kernel grows between 3.5% and 5.6%, due to the inserted checks, while the impact on real-life applications is minimal (∼1.03%).

Publications

"kGuard: Lightweight Kernel Protection against Return-to-user Attacks"
Vasileios P. Kemerlis, Georgios Portokalidis, and Angelos D. Keromytis.
In Proceedings of the 21st USENIX Security Symposium (USENIX Sec). August 2012, Bellevue, WA.

"kGuard: Lightweight Kernel Protection"
Vasileios P. Kemerlis, Georgios Portokalidis, Elias Athanasopoulos, and Angelos D. Keromytis.
USENIX ;login: Magazine, 37(6), December 2012.

Source code

kGuard is now available for download under GNU General Public License v3 GNU General Public License 3 Logo.svg
The release contains the source code of kGuard.

kguard-src.tar.gz (26KB)