In-Kernel Control-Flow Integrity on Commodity OSes using ARM Pointer Authentication
This work addresses kernel security for commodity OSes like Linux and FreeBSD, offering an incremental improvement over existing PA-based CFI solutions.
The paper tackles the problem of securing commodity operating system kernels against control-flow hijacking by introducing PAL, an in-kernel, hardware-based control-flow integrity protection using ARM Pointer Authentication, which achieves negligible performance overhead (e.g., <1% for Apache benchmark) and reveals new attack vectors on iOS.
This paper presents an in-kernel, hardware-based control-flow integrity (CFI) protection, called PAL, that utilizes ARM's Pointer Authentication (PA). It provides three important benefits over commercial, state-of-the-art PA-based CFIs like iOS's: 1) enhancing CFI precision via automated refinement techniques, 2) addressing hindsight problems of PA for in kernel uses such as preemptive hijacking and brute-forcing attacks, and 3) assuring the algorithmic or implementation correctness via post validation. PAL achieves these goals in an OS-agnostic manner, so could be applied to commodity OSes like Linux and FreeBSD. The precision of the CFI protection can be adjusted for better performance or improved for better security with minimal engineering efforts if a user opts in to. Our evaluation shows that PAL incurs negligible performance overhead: e.g., <1% overhead for Apache benchmark and 3~5% overhead for Linux perf benchmark on the latest Mac mini (M1). Our post-validation approach helps us ensure the security invariant required for the safe uses of PA inside the kernel, which also reveals new attack vectors on the iOS kernel. PAL as well as the CFI-protected kernels will be open sourced.