ERA-eBPF-assisted-Randomize-Allocator

Cite (the title translates to "An eBPF-based dynamic mitigation mechanism for kernel heap vulnerabilities", published in the Journal of Software (软件学报) by Science Press (科学出版社)):

```bibtex
@Article{1,
  title     = {基于eBPF的内核堆漏洞动态缓解机制},
  author    = {王子成,郭迎港,钟炳南,陈越琦,曾庆凯},
  journal   = {软件学报},
  volume    = {},
  number    = {},
  pages     = {1},
  numpages  = {},
  year      = {},
  month     = {},
  doi       = {10.13328/j.cnki.jos.006923},
  publisher = {科学出版社}
}
```

Kernel heap vulnerabilities are one of the main threats to operating system security today.

By triggering such a vulnerability, a user-space attacker can leak or modify sensitive kernel data, hijack kernel control flow, and even gain root privileges.

However, because the number and complexity of vulnerabilities keep growing rapidly, it often takes a long time from when a vulnerability is first reported until the developer issues a patch, while existing kernel mitigations are steadily bypassed.

We therefore propose ERA, an eBPF-assisted Randomize Allocator. It is inspired by HOTBPF but adopts a randomization mechanism: a vulnerable object, or a potential victim object, is placed in a randomized slot of a dedicated randomized slab cache.

The average probability of a successful exploitation is about 1/600,000.

[figure: allocator]

This placement is what prevents a vulnerable object from overlapping a victim/payload object, e.g. in the case of CVE-2022-34918.

[figure: attack1]
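To make the placement argument concrete, the toy C model below is an added illustration; it is not the ERA project's code, its eBPF hook, or any real kernel allocator. It contrasts a deterministic first-free-slot cache with a dedicated cache that hands out uniformly random slots, diverts object types flagged by policy (the decision ERA delegates to eBPF) to the randomized cache, and estimates by Monte Carlo how often a vulnerable object ends up directly below a victim allocated right after it. The slab size of 64 slots, the object tags, the xorshift PRNG and the `flagged` input are all constructed assumptions; the 1/600,000 figure quoted above comes from the paper's own evaluation and is not reproduced by this model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOTS 64          /* objects per toy slab (assumed size) */
#define CACHE_GENERAL 0   /* ordinary cache: deterministic slot order */
#define CACHE_RANDOM  1   /* ERA-style dedicated cache: randomized slots */

struct slab { int used[SLOTS]; };            /* 0 = free, else the stored object's tag */
struct heap { struct slab cache[2]; uint64_t rng; };   /* rng: xorshift64 state */
struct placement { int cache; int slot; };   /* slot is -1 when the cache was full */

/* Small deterministic PRNG for the model; not a security primitive. */
static uint64_t xorshift64(uint64_t *s)
{
    uint64_t x = *s;
    x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    return *s = x;
}

static void heap_init(struct heap *h, uint64_t seed)
{
    memset(h, 0, sizeof *h);
    h->rng = seed ? seed : 0x9E3779B97F4A7C15ULL;   /* xorshift must not start at 0 */
}

/* Deterministic policy: lowest free slot, as a freshly built freelist hands out. */
static int alloc_sequential(struct slab *s, int tag)
{
    for (int i = 0; i < SLOTS; i++)
        if (!s->used[i]) { s->used[i] = tag; return i; }
    return -1;
}

/* Randomized policy: choose uniformly among all currently free slots. */
static int alloc_random(struct slab *s, uint64_t *rng, int tag)
{
    int nfree = 0;
    for (int i = 0; i < SLOTS; i++)
        nfree += !s->used[i];
    if (nfree == 0)
        return -1;
    int k = (int)(xorshift64(rng) % (uint64_t)nfree);   /* pick the k-th free slot */
    for (int i = 0; i < SLOTS; i++)
        if (!s->used[i] && k-- == 0) { s->used[i] = tag; return i; }
    return -1;
}

/* Allocation entry point. Object types flagged by policy (the decision ERA
 * delegates to its eBPF program) are diverted to the randomized cache; all
 * others take the normal path. The flag is a constructed input here. */
static struct placement era_alloc(struct heap *h, int tag, int flagged)
{
    struct placement p;
    p.cache = flagged ? CACHE_RANDOM : CACHE_GENERAL;
    p.slot = flagged ? alloc_random(&h->cache[CACHE_RANDOM], &h->rng, tag)
                     : alloc_sequential(&h->cache[CACHE_GENERAL], tag);
    return p;
}

/* A linear overflow out of object a reaches object b only if b occupies the
 * next slot of the same slab; the two caches never share a slab. */
static int adjacent(struct placement a, struct placement b)
{
    return a.cache == b.cache && a.slot >= 0 && b.slot == a.slot + 1;
}

/* Monte Carlo estimate: fraction of trials in which a vulnerable object (tag 1)
 * allocated right before a victim object (tag 2) lands directly below it.
 * flag_vuln / flag_victim say which of the two the policy diverts. */
static double adjacency_rate(int flag_vuln, int flag_victim, int trials, uint64_t seed)
{
    struct heap h;
    int hits = 0;
    heap_init(&h, seed);
    for (int t = 0; t < trials; t++) {
        memset(h.cache, 0, sizeof h.cache);   /* free every slot, keep the PRNG stream */
        struct placement v = era_alloc(&h, 1, flag_vuln);
        struct placement w = era_alloc(&h, 2, flag_victim);
        hits += adjacent(v, w);
    }
    return (double)hits / trials;
}

int main(void)
{
    printf("deterministic cache, both objects: %.4f\n", adjacency_rate(0, 0, 4000, 7));
    printf("vulnerable object diverted:        %.4f\n", adjacency_rate(1, 0, 4000, 7));
    printf("both diverted to random slots:     %.4f\n", adjacency_rate(1, 1, 4000, 7));
    return 0;
}
```

With both objects on the deterministic path the victim always sits in the slot after the vulnerable object (rate 1.0); diverting the vulnerable type to its own cache makes same-slab adjacency impossible (rate 0.0); and if both types share the randomized cache, adjacency drops to roughly 1/64 for this slab size, which is the effect the figure above illustrates at kernel scale.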

The performance and memory overhead are acceptable, at only about 1%.

[figure: performance]

[figure: lmbench]

Memory: the relative memory and slab overhead.

  • blue: ERA disabled
  • red: ERA enabled

[figure: memory]

[figure: slab]