Dynamic Mitigation Solution Based on eBPF Against Kernel Heap Vulnerabilities
Authors:
Author biographies:

Wang Zicheng (born 1996), male, PhD candidate; research interests: operating system security, vulnerability exploitation. Guo Yinggang (born 1997), male, PhD candidate; research interests: operating system security, formal modeling. Zhong Bingnan (born 1991), male, PhD candidate; research interests: information security, operating systems. Chen Yueqi (born 1995), male, PhD, assistant professor; research interests: system security, software security. Zeng Qingkai (born 1963), male, PhD, professor, doctoral supervisor, CCF senior member; research interests: information security, distributed computing.

Corresponding author:

Zeng Qingkai, E-mail: zqk@nju.edu.cn

CLC number:

TP311

Funding:

National Natural Science Foundation of China (61772266, 61431008)


Abstract:

Kernel heap vulnerabilities are currently one of the main threats to operating system security. By triggering such a vulnerability, a user-space attacker can leak or modify sensitive kernel data, corrupt kernel control flow, and even gain root privileges. However, because the number and complexity of vulnerabilities have grown rapidly, a long time often passes between the first report of a vulnerability and the developer's release of a patch, and the mitigation mechanisms the kernel currently adopts can all be reliably bypassed. This study therefore proposes an eBPF-based dynamic mitigation framework for kernel heap vulnerabilities that reduces kernel security risk during the patching time window. The framework adopts a data object space randomization strategy: at each allocation it assigns a random address to the data objects named in the vulnerability report, and it takes full advantage of the dynamic and safe nature of eBPF to inject the space-randomized objects into the kernel at runtime, so the attacker cannot place an attack payload accurately and the heap vulnerability becomes almost unexploitable. The study evaluates 40 real kernel heap vulnerabilities and collects 12 exploits that bypass existing mitigation mechanisms for further analysis and experiments, confirming that the dynamic mitigation framework provides sufficient security. Performance tests show that even under severe conditions, protecting four heavily allocated types of data objects causes only about 1% performance overhead and negligible memory overhead, and increasing the number of protected objects introduces almost no additional performance overhead. Compared with related work, the proposed mechanism has a wider scope of application and stronger security; it does not require vulnerability patches issued by security experts and can generate mitigation programs from vulnerability reports, giving it broad application prospects.

Cite this article:

Wang ZC, Guo YG, Zhong BN, Chen YQ, Zeng QK. Dynamic mitigation solution based on eBPF against kernel heap vulnerabilities. Ruan Jian Xue Bao/Journal of Software, 2024, 35(7): 3332–3354 (in Chinese with English abstract).

History
  • Received: 2022-09-05
  • Revised: 2022-11-18
  • Published online: 2023-08-30
  • Published: 2024-07-06