Linux Security Summit Europe 2022

Oftentimes there can be a large window between a kernel vulnerability disclosure and its remediation, leaving the system open for exploitation. In this talk, we will present the design of a mechanism that can protect the Linux kernel from memory exploitation during this time window. In addition to this, this protection has the following extra advantages: 1) enabled on-the-fly without recompiling/rebooting the system. 2) independent of hardware features and hypervisor - can be widely deployed in various scenarios (e.g., embedded systems and cloud servers). 3) lightweight - overall 2% - 3% performance overhead. In this talk, we will describe the design and evaluation of this protection. We will start from its static analysis part which identifies vulnerable structures (i.e., where corruption happens) that need separation. Then, we will describe how we extend the eBPF mechanism and virtual memory allocator to isolate vulnerable structures on-the-fly and thus avoid overwriting/overreading sensitive kernel data. Finally, we will systematically evaluate the protection's performance at different levels of granularity and measure its security improvement using a set of real-world attacks.