extended-abstract

Practical and Flexible Kernel CFI Enforcement using eBPF

Authors:

Hani JamjoomAuthors Info & Claims

eBPF '23: Proceedings of the 1st Workshop on eBPF and Kernel Extensions

Pages 84 - 85

https://doi.org/10.1145/3609021.3609293

Published: 10 September 2023 Publication History

Get Access

Abstract

Enforcing control flow integrity (CFI) in the kernel (kCFI) can prevent control-flow hijack attacks. Unfortunately, current kCFI approaches have high overhead or are inflexible and cannot support complex context-sensitive policies. To overcome these limitations, we propose a kCFI approach that makes use of eBPF (eKCFI) as the enforcement mechanism. The focus of this work is to demonstrate through implementation optimizations how to overcome the enormous performance overhead of this approach, thereby enabling the potential benefits with only modest performance tradeoffs.

References

[1]

Martín Abadi, Mihai Budiu, Úlfar Erlingsson, and Jay Ligatti. 2005. Control-Flow Integrity. In Proceedings of the 12th ACM Conference on Computer and Communications Security.

Google Scholar

[2]

John Criswell, Nathan Dautenhahn, and Vikram Adve. 2014. KCoFI: Complete Control-Flow Integrity for Commodity Operating System Kernels. In 2014 IEEE Symposium on Security and Privacy.

Google Scholar

[3]

Ren Ding, Chenxiong Qian, Chengyu Song, Bill Harris, Taesoo Kim, and Wenke Lee. 2017. Efficient Protection of Path-Sensitive Control Security. In 26th USENIX Security Symposium (USENIX Security 17).

Google Scholar

[4]

Guillaume Fournier. 2022. Return to Sender - Detecting Kernel Exploits with eBPF. https://i.blackhat.com/USA-22/Wednesday/US-22-Fournier-Return-To-Sender.pdf. (2022). Accessed 2023.

Google Scholar

[5]

Xinyang Ge, Nirupama Talele, Mathias Payer, and Trent Jaeger. 2016. Fine-Grained Control-Flow Integrity for Kernel Software. In IEEE European Symposium on Security and Privacy.

Google Scholar

[6]

Hong Hu, Chenxiong Qian, Carter Yagemann, Simon Pak Ho Chung, William R. Harris, Taesoo Kim, and Wenke Lee. 2018. Enforcing Unique Code Target Property for Control-Flow Integrity. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security.

Digital Library

Google Scholar

[7]

Jinku Li, Xiaomeng Tong, Fengwei Zhang, and Jianfeng Ma. 2018. Fine-CFI: Fine-Grained Control-Flow Integrity for Operating System Kernels. IEEE Transactions on Information Forensics and Security (2018).

Google Scholar

[8]

LLVM. 2023. Control Flow Integrity Design Documentation. https://clang.llvm.org/docs/ControlFlowIntegrityDesign.html. (2023). Accessed 2023.

Google Scholar

[9]

Ben Niu and Gang Tan. 2015. Per-Input Control-Flow Integrity. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security.

Digital Library

Google Scholar

Cited By

View all

Jia JLe MAhmed SWilliams DJamjoom HXu TBagchi SZhang Y(2024)Fast (trapless) kernel probes everywhereProceedings of the 2024 USENIX Conference on Usenix Annual Technical Conference10.5555/3691992.3692015(379-386)Online publication date: 10-Jul-2024
https://dl.acm.org/doi/10.5555/3691992.3692015
Zheng YYang YChen MQuinn A(2024)Kgent: Kernel Extensions Large Language Model AgentProceedings of the ACM SIGCOMM 2024 Workshop on eBPF and Kernel Extensions10.1145/3672197.3673434(30-36)Online publication date: 4-Aug-2024
https://dl.acm.org/doi/10.1145/3672197.3673434

Index Terms

Practical and Flexible Kernel CFI Enforcement using eBPF

Index terms have been assigned to the content through auto-classification.

Recommendations

Seeing the Invisible: Auditing eBPF Programs in Hypervisor with HyperBee
eBPF '23: Proceedings of the 1st Workshop on eBPF and Kernel Extensions

The flexibility of eBPF makes it widely used in performance, security, and monitoring. However, this flexibility is a double-edged sword, allowing attackers to use eBPF for malicious purposes. Security researchers have discovered multiple backdoors ...
Efficient Context-Sensitive CFI Enforcement Through a Hardware Monitor
Detection of Intrusions and Malware, and Vulnerability Assessment
Abstract
Recent works on Control-Flow Integrity (CFI) have mainly focused on Context-Sensitive CFI policies to provide higher security guarantees. They utilize a debugging hardware feature in modern Intel CPUs, Processor Trace (PT), to efficiently collect ...
Interp-flow Hijacking: Launching Non-control Data Attack via Hijacking eBPF Interpretation Flow
Computer Security – ESORICS 2024
Abstract
eBPF (extended Berkeley Packet Filter) is regarded as a secure alternative to kernel modules for enhancing kernel functionalities. As an emerging kernel subsystem, eBPF should not be exploited by kernel vulnerabilities to bypass established ...

Comments

Information & Contributors

Information

Published In

eBPF '23: Proceedings of the 1st Workshop on eBPF and Kernel Extensions

September 2023

96 pages

ISBN:9798400702938

DOI:10.1145/3609021

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the owner/author(s).

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 10 September 2023

Check for updates

Author Tags

Qualifiers

Extended-abstract

Conference

eBPF '23

Sponsor:

SIGCOMM

eBPF '23: 1st Workshop on eBPF and Kernel Extensions

September 10, 2023

NY, New York, USA

Acceptance Rates

eBPF '23 Paper Acceptance Rate 12 of 21 submissions, 57%;

Overall Acceptance Rate 12 of 21 submissions, 57%

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

2
Total Citations
View Citations
208
Total Downloads

Downloads (Last 12 months)105
Downloads (Last 6 weeks)5

Reflects downloads up to 29 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

View all

Jia JLe MAhmed SWilliams DJamjoom HXu TBagchi SZhang Y(2024)Fast (trapless) kernel probes everywhereProceedings of the 2024 USENIX Conference on Usenix Annual Technical Conference10.5555/3691992.3692015(379-386)Online publication date: 10-Jul-2024
https://dl.acm.org/doi/10.5555/3691992.3692015
Zheng YYang YChen MQuinn A(2024)Kgent: Kernel Extensions Large Language Model AgentProceedings of the ACM SIGCOMM 2024 Workshop on eBPF and Kernel Extensions10.1145/3672197.3673434(30-36)Online publication date: 4-Aug-2024
https://dl.acm.org/doi/10.1145/3672197.3673434

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Abstract

References

Cited By

Index Terms

Recommendations

Seeing the Invisible: Auditing eBPF Programs in Hypervisor with HyperBee

Efficient Context-Sensitive CFI Enforcement Through a Hardware Monitor

Interp-flow Hijacking: Launching Non-control Data Attack via Hijacking eBPF Interpretation Flow

Comments

Information

Published In

Sponsors

Publisher

Publication History

Check for updates

Author Tags

Qualifiers

Conference

Acceptance Rates

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

Login options

Full Access

View options

PDF

eReader

Share

Share this Publication link

Share on social media

Affiliations