kMVX: Detecting Kernel Information Leaks with Multi-variant Execution

Sebastian Österlund, Koen Koning, Pierre Olivier, Antonio Barbalace, Herbert Bos, Cristiano Giuffrida

Research output: Chapter in Book / Report / Conference proceeding; Conference contribution; Academic; peer-review

Abstract

Kernel information leak vulnerabilities are a major security threat to production systems. Attackers can exploit them to leak confidential information such as cryptographic keys or kernel pointers. Despite efforts by kernel developers and researchers, existing defenses for kernels such as Linux are limited in scope or incur a prohibitive performance overhead. In this paper, we present kMVX, a comprehensive defense against information leak vulnerabilities in the kernel by running multiple diversified kernel variants simultaneously on the same machine. By constructing these variants in a careful manner, we can ensure they only show divergences when an attacker tries to exploit bugs present in the kernel. By detecting these divergences we can prevent kernel information leaks. Our kMVX design is inspired by multi-variant execution (MVX). Traditional MVX designs cannot be applied to kernels because of their assumptions on the run-time environment. kMVX, on the other hand, can be applied even to commodity kernels. We show our Linux-based prototype provides powerful protection against information leaks at acceptable performance overhead (20-50% in the worst case for popular server applications).

Original language: English
Title of host publication: ASPLOS 2019 - 24th International Conference on Architectural Support for Programming Languages and Operating Systems
Publisher: Association for Computing Machinery
Pages: 559-572
Number of pages: 14
ISBN (Electronic): 9781450362405
DOIs: https://doi.org/10.1145/3297858.3304054
Publication status: Published - 4 Apr 2019
Event: 24th International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS 2019 - Providence, United States
Duration: 13 Apr 2019 to 17 Apr 2019

Conference

Conference: 24th International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS 2019
Country: United States
City: Providence
Period: 13/04/19 to 17/04/19

Fingerprint

Servers
Linux

Keywords

  • information leaks
  • multi-variant execution
  • operating systems
  • security

Cite this

Österlund, S., Koning, K., Olivier, P., Barbalace, A., Bos, H., & Giuffrida, C. (2019). kMVX: Detecting Kernel Information Leaks with Multi-variant Execution. In ASPLOS 2019 - 24th International Conference on Architectural Support for Programming Languages and Operating Systems (pp. 559-572). Association for Computing Machinery. https://doi.org/10.1145/3297858.3304054