UniSan: Proactive kernel memory initialization to eliminate data leakages

Kangjie Lu, Chengyu Song, Taesoo Kim, Wenke Lee

Research output: Chapter in Book/Report/Conference proceedingConference contribution

33 Scopus citations

Abstract

The operating system kernel is the de facto trusted computing base for most computer systems. To secure the OS kernel, many security mechanisms, e.g., kASLR and StackGuard, have been increasingly deployed to defend against attacks (e.g., code reuse attack). However, the effectiveness of these protections has been proven to be inadequate-there are many information leak vulnerabilities in the kernel to leak the randomized pointer or canary, thus bypassing kASLR and StackGuard. Other sensitive data in the kernel, such as cryptographic keys and fle caches, can also be leaked. According to our study, most kernel information leaks are caused by uninitialized data reads. Unfortunately, existing techniques like memory safety enforcements and dynamic access tracking tools are not adequate or effcient enough to mitigate this threat. In this paper, we propose UniSan, a novel, compiler-based approach to eliminate all information leaks caused by uninitialized read in the OS kernel. UniSan achieves this goal using byte-level, fow-sensitive, context-sensitive, and feld-sensitive initialization analysis and reachability analysis to check whether an allocation has been fully initialized when it leaves kernel space; if not, it automatically instruments the kernel to initialize this allocation. UniSan's analyses are conservative to avoid false negatives and are robust by preserving the semantics of the OS kernel. We have implemented UniSan as passes in LLVM and applied it to the latest Linux kernel (x86-64) and Android kernel (AArch64). Our evaluation showed that UniSan can successfully prevent 43 known and many new uninitialized data leak vulnerabilities. Further, 19 new vulnerabilities in the latest kernels have been confrmed by Linux and Google. Our extensive performance evaluation with LMBench, ApacheBench, Android benchmarks, and the SPEC benchmarks also showed that UniSan imposes a negligible performance overhead.

Original languageEnglish (US)
Title of host publicationCCS 2016 - Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security
PublisherAssociation for Computing Machinery
Pages920-932
Number of pages13
ISBN (Electronic)9781450341394
DOIs
StatePublished - Oct 24 2016
Event23rd ACM Conference on Computer and Communications Security, CCS 2016 - Vienna, Austria
Duration: Oct 24 2016Oct 28 2016

Publication series

NameProceedings of the ACM Conference on Computer and Communications Security
Volume24-28-October-2016
ISSN (Print)1543-7221

Other

Other23rd ACM Conference on Computer and Communications Security, CCS 2016
CountryAustria
CityVienna
Period10/24/1610/28/16

Keywords

  • Initialization analysis
  • Kernel information leak
  • Memory initialization
  • Reachability analysis
  • Uninitialized read

Fingerprint Dive into the research topics of 'UniSan: Proactive kernel memory initialization to eliminate data leakages'. Together they form a unique fingerprint.

Cite this