
HotBPF - An On-demand and On-the-fly Memory Protection for the Linux Kernel

2022-09-15

Authors:   Yueqi Chen, Zhenpeng Li


Summary

The presentation discusses the use of HotBPF for dynamic memory separation to protect the kernel against memory corruption vulnerabilities.
  • Dynamic memory separation is necessary to protect against memory corruption vulnerabilities
  • HotBPF is a tool that can be used for dynamic memory separation
  • The HotBPF design involves an agent in user space and a BPF program in the kernel
  • The BPF program intercepts the allocation of vulnerable objects and diverts them to a vmalloc region
  • One-time allocation is guaranteed to prevent use-after-free exploitation techniques
Without dynamic memory separation, the process of stopping vulnerable machines, adding separation code, recompiling the kernel, and restarting critical services can be time-consuming and costly. HotBPF allows separation to be enforced dynamically, protecting the kernel immediately after a vulnerability is reported and leaving no time window for attackers to compromise the system.
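To make the "one-time allocation" point concrete, here is a small user-space model written for this page (it is not HotBPF's code and all names are hypothetical): a slab-like cache that recycles freed slots sits beside a separate region that hands each slot out only once, and a check shows whether a dangling pointer can alias the next allocation of the same size class.

```c
/* Added example, not from the HotBPF project: user-space model of
 * diverting flagged objects to a separate, one-time region.
 * Names, sizes and region layout are constructed for illustration. */
#include <stddef.h>
#include <stdint.h>

#define SLOT   64          /* one size class, constructed value */
#define NSLOTS 8

static uint8_t slab[NSLOTS * SLOT];      /* reusable cache */
static uint8_t slab_used[NSLOTS];
static uint8_t isolated[NSLOTS * SLOT];  /* separate one-time region */
static size_t  isolated_next;            /* bump cursor, never rewinds */

/* Reusing allocator: returns the first free slot, so a freed slot
 * is handed back to the very next request of this size class. */
static void *slab_alloc(void) {
    for (int i = 0; i < NSLOTS; i++)
        if (!slab_used[i]) { slab_used[i] = 1; return &slab[i * SLOT]; }
    return NULL;
}
static void slab_free(void *p) {
    size_t i = (size_t)((uint8_t *)p - slab) / SLOT;
    slab_used[i] = 0;
}

/* One-time allocator for flagged types: a freed slot is retired,
 * never recycled, so no later object can land at the same address. */
static void *isolated_alloc(void) {
    if (isolated_next + SLOT > sizeof isolated) return NULL;
    void *p = &isolated[isolated_next];
    isolated_next += SLOT;
    return p;
}
static void isolated_free(void *p) { (void)p; /* slot is retired */ }

/* Returns 1 if a pointer that was freed and then followed by a fresh
 * allocation of the same size class aliases the new object, else 0. */
int stale_pointer_aliases_new_object(int use_isolation) {
    void *(*alloc)(void)   = use_isolation ? isolated_alloc : slab_alloc;
    void  (*release)(void *) = use_isolation ? isolated_free : slab_free;
    void *victim = alloc();
    release(victim);           /* victim is now a dangling pointer */
    void *next = alloc();      /* next request in the same size class */
    return victim == next;     /* 1 = reuse, 0 = one-time allocation */
}
```

The model only compares addresses; it does not touch freed memory, which keeps it well-defined in user space.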

Abstract

Oftentimes there can be a large window between a kernel vulnerability disclosure and its remediation, leaving the system open to exploitation. In this talk, we will present the design of a mechanism that can protect the Linux kernel from memory exploitation during this time window. In addition, this protection has the following advantages: 1) it is enabled on-the-fly without recompiling or rebooting the system; 2) it is independent of hardware features and hypervisors, so it can be widely deployed in various scenarios (e.g., embedded systems and cloud servers); 3) it is lightweight, with an overall 2% - 3% performance overhead. In this talk, we will describe the design and evaluation of this protection. We will start with its static analysis part, which identifies the vulnerable structures (i.e., where corruption happens) that need separation. Then, we will describe how we extend the eBPF mechanism and the virtual memory allocator to isolate vulnerable structures on-the-fly and thus avoid overwriting or overreading sensitive kernel data. Finally, we will systematically evaluate the protection's performance at different levels of granularity and measure its security improvement using a set of real-world attacks.

Materials: