Please use this Handle URI to cite this item:
http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/94320
Title: Utilize Arm Pointer Authentication and Stack Unwinding to Protect System call Usage and Control Flow (利用ARM指標認證與棧回溯技術以保護系統呼叫及控制流)
Author: Chih-Kai Hsu (許智凱)
Advisor: Shih-Wei Li (黎士瑋)
Keywords: System Call, Stack Unwind, Pointer Authentication, Control Flow Integrity
Year: 2024
Degree: Master's
Abstract: Modern systems provide applications with a variety of services, accessed primarily through system calls. System calls are frequently used in serious attacks such as control-flow hijacking, so security-relevant system calls such as mprotect, mmap and execve play a pivotal role in the whole attack chain. At the same time, ARM processors are increasingly deployed on desktops and in data centers. Whereas prior work built defenses that protect system call usage on the x64 architecture, we propose a novel framework that secures system call usage by programs written in memory-unsafe languages (C/C++) on the ARM architecture.

We enforce one property for legitimate system call usage: control-flow integrity of system call invocations. First, we introduce a stack-unwinding-based monitor in the Linux kernel. Second, we use the Pointer Authentication (PA) feature available in ARMv8.3 processors to protect control-flow-sensitive pointers such as function pointers and C++ vtable pointers. Together, these defenses break the attack chain and prevent the attacker from reaching her goal. Our framework consists of two main components: 1) a loadable kernel module (LKM) and 2) a customized LLVM compiler. Our security case study shows that the framework defeats all evaluated attacks, including real-world exploits. We evaluate performance with three popular system-call-intensive programs (Lighttpd, NGINX and SQLite) and the SPEC CPU2017 benchmark suite. The overhead is 0.68% for Lighttpd, 0.45% for NGINX, and 2.95% on average for the SPEC CPU2017 suite; the reasons for the higher overhead on SQLite are explained in Section 6.2.3.
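The two mechanisms the abstract names, PA-signed code pointers and a stack-unwinding check before a sensitive system call is allowed, can be illustrated in user space without ARMv8.3 hardware. The following C program is an added example written for this page, not code from the thesis or its LKM/LLVM components. It makes several assumptions: a small keyed mixing function stands in for the QARMA-based PAC computation, the tag occupies the top 16 bits of the pointer, all addresses and the key are constructed values, and the monitor policy (every return address on the unwound stack must lie inside registered code) is one plausible policy, not necessarily the thesis's exact rule.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Upper 16 bits of a 64-bit user-space pointer hold the simulated PAC
   (real hardware derives the width from the VA size; 16 is an assumption). */
#define PAC_SHIFT 48
#define PAC_MASK  (~((1ULL << PAC_SHIFT) - 1))

/* Stand-in for the APIAKey register, which on real hardware is set by the
   kernel and is not readable from user space. Constructed constant. */
static const uint64_t pac_key = 0x9E3779B97F4A7C15ULL;

/* Toy keyed mixing function standing in for QARMA: NOT cryptographically
   strong, only enough for a forged or moved pointer to fail authentication. */
static uint64_t pac_tag(uint64_t ptr, uint64_t modifier)
{
    uint64_t x = (ptr & ~PAC_MASK) ^ modifier ^ pac_key;
    x ^= x >> 33; x *= 0xFF51AFD7ED558CCDULL;
    x ^= x >> 33; x *= 0xC4CEB9FE1A85EC53ULL;
    x ^= x >> 33;
    return (x >> 48) & 0xFFFF;
}

/* PACIA-style: sign a function pointer, binding it to a modifier such as the
   address of the slot it is stored in (the kind of instrumentation a
   PA-aware compiler emits at the store). */
uint64_t pac_sign(uint64_t ptr, uint64_t modifier)
{
    return (ptr & ~PAC_MASK) | (pac_tag(ptr, modifier) << PAC_SHIFT);
}

/* AUTIA-style: recompute the tag before the pointer is used as a branch
   target. On success *out is the stripped pointer; on failure *out becomes a
   non-canonical address, mirroring hardware, so a hijacked call faults. */
bool pac_auth(uint64_t signed_ptr, uint64_t modifier, uint64_t *out)
{
    uint64_t plain = signed_ptr & ~PAC_MASK;
    if (((signed_ptr >> PAC_SHIFT) & 0xFFFF) == pac_tag(plain, modifier)) {
        *out = plain;
        return true;
    }
    *out = ~0ULL;
    return false;
}

/* Code ranges from which a sensitive system call may legitimately be reached.
   A real monitor would derive these from the binary; these are constructed. */
struct code_range { uint64_t lo, hi; };
static const struct code_range allowed_callers[] = {
    { 0x400800, 0x400880 },   /* libc syscall wrapper (e.g. mprotect stub) */
    { 0x401000, 0x401400 },   /* application code that calls the wrapper  */
};

/* Monitor policy (an assumption for this example): every return address in
   the unwound chain must lie inside registered code. A frame that points
   elsewhere, e.g. a ROP gadget reached via a corrupted stack, denies the call. */
bool monitor_allows_syscall(const uint64_t *ret_addrs, size_t depth)
{
    size_t n = sizeof allowed_callers / sizeof allowed_callers[0];
    for (size_t i = 0; i < depth; i++) {
        bool ok = false;
        for (size_t j = 0; j < n && !ok; j++)
            ok = ret_addrs[i] >= allowed_callers[j].lo &&
                 ret_addrs[i] <  allowed_callers[j].hi;
        if (!ok)
            return false;
    }
    return true;
}

int main(void)
{
    uint64_t slot = 0x7FFC0000;   /* constructed: address of the pointer slot */
    uint64_t target = 0x401230;   /* constructed: legitimate function address */
    uint64_t signed_fp = pac_sign(target, slot), out;

    printf("auth intact pointer: %s\n",
           pac_auth(signed_fp, slot, &out) ? "ok" : "FAIL");
    printf("auth overwritten pointer: %s\n",
           pac_auth(signed_fp ^ 0x10, slot, &out) ? "ok" : "rejected");

    uint64_t good_chain[] = { 0x400840, 0x401100 };   /* wrapper <- app code */
    uint64_t rop_chain[]  = { 0x400840, 0x7FFF0000 }; /* wrapper <- stack gadget */
    printf("monitor, legitimate chain: %s\n",
           monitor_allows_syscall(good_chain, 2) ? "allowed" : "denied");
    printf("monitor, forged chain: %s\n",
           monitor_allows_syscall(rop_chain, 2) ? "allowed" : "denied");
    return 0;
}
```

The modifier is what makes PA more than a checksum: a signed pointer copied from one slot to another fails authentication even though its bytes are intact, which is the reuse attack a slot-bound modifier is meant to stop. The monitor side shows why stack unwinding complements PA: even if a caller's code pointer is authenticated, a system call reached through a forged return chain is refused at the kernel boundary.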
URI: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/94320
DOI: 10.6342/NTU202402925
Full-text license: Authorized (open access worldwide)
Appears in: Graduate Institute of Networking and Multimedia
Files in this item:
File | Size | Format
---|---|---
ntu-112-2.pdf | 1.01 MB | Adobe PDF
Items in this repository are protected by copyright, with all rights reserved, unless otherwise indicated.