PT-Rand (Page Table Randomization)

Kernel-level run-time attacks pose a severe threat to operating system security. This is frequently demonstrated through real-world exploits.

Even when employing architectural defenses like SMEP/SMAP or software defenses like CFI, bugs in the kernel code still allow data-only attacks on critical data structures such as the page tables.

Page tables define the memory protection of a virtual address space and are created and managed by the kernel per process. PT-Rand mitigates data-only attacks on the page tables by hiding them in a randomized region and keeping the randomization secret in a protected register. This also allows for the secure and efficient implementation of kernel monitors (e.g., CFI) without requiring additional hardware trust anchors such as hypervisors or trusted execution environments. For more details see our paper (for yet more details read my thesis).
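The following is an added, deliberately simplified model of the idea above; it is not code from the PT-Rand paper or patch. It assumes a flat array as "physical memory", a fixed index where the page table would live without randomization, and a variable standing in for the protected register; the attacker model is the one the text describes (an arbitrary write from a kernel bug, no read of the register).

```c
#include <stdint.h>

/* Constructed model (not the paper's code): "physical memory" is an array of
 * 64-bit page-table entries; a page table occupies PT_SIZE consecutive entries. */
#define MEM_ENTRIES (1u << 16)
#define PT_SIZE     512u
#define PTE_RW      0x2ULL
#define PTE_NX      (1ULL << 63)

static uint64_t mem[MEM_ENTRIES];

/* Where the table would sit without randomization (constructed fixed address). */
#define FIXED_PT_INDEX 4096u

/* The randomization secret. PT-Rand keeps it in a protected register; here it
 * is a variable the "kernel" never writes into mem[], so an arbitrary-write
 * primitive over mem[] cannot find the table by reading memory. */
static uint64_t pt_base_secret;

/* Tiny deterministic PRNG so the model is reproducible across platforms
 * (a real kernel would draw the secret from a proper RNG). */
static uint64_t xorshift64(uint64_t *s) {
    uint64_t x = *s; x ^= x << 13; x ^= x >> 7; x ^= x << 17; return *s = x;
}

/* Pick a random table-aligned slot for the page table and populate it:
 * every page is mapped read/write and non-executable. */
void ptrand_init(uint64_t seed) {
    uint64_t s = seed ? seed : 1;
    unsigned slots = MEM_ENTRIES / PT_SIZE;
    pt_base_secret = (xorshift64(&s) % slots) * PT_SIZE;
    for (unsigned i = 0; i < PT_SIZE; i++)
        mem[pt_base_secret + i] = ((uint64_t)i << 12) | PTE_RW | PTE_NX;
}

uint64_t ptrand_base(void) { return pt_base_secret; }

/* Kernel-side accessor: the secret base is applied at use, never stored. */
uint64_t *ptrand_pte(unsigned idx) { return &mem[pt_base_secret + idx]; }

/* Attacker model from the text: a kernel bug yields an arbitrary write to
 * memory, but no read of the protected register. */
void arbitrary_write(uint64_t idx, uint64_t value) { mem[idx % MEM_ENTRIES] = value; }

int page_is_nx(unsigned idx) { return (*ptrand_pte(idx) & PTE_NX) != 0; }

/* The attacker overwrites the entry for page 7 at the address it would have
 * without PT-Rand, trying to make the page executable. Returns 1 if NX held. */
int demo(uint64_t seed) {
    ptrand_init(seed);
    arbitrary_write(FIXED_PT_INDEX + 7, ((uint64_t)7 << 12) | PTE_RW);
    return page_is_nx(7);
}
```

The write at the fixed guess only lands on the real table if the random slot happens to coincide with it, so the protection is probabilistic and its strength is the entropy of the secret; if the secret leaks, a write at `ptrand_base() + 7` succeeds, which is why the register holding it must be protected.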

UPDATE: Good news! A variant of this has been integrated into the Linux kernel by Thomas Garnier (Google).

In our patch (gzipped tarball, 53K), we combined GRSecurity's RAP (a kernel-CFI implementation) with PT-Rand to harden the Linux kernel (version 4.6.3) against these kinds of attacks.

To build, do:

To run it on QEMU for a quick test, do:

For installing it on real hardware you can, e.g., make a .deb package (you also need an appropriate .config for your machine):

Note that this is a proof of concept and some parts of the patch are really hacky. For instance, I duplicated and hard-coded several header definitions to work around circular include dependencies rather than fixing the include structure in the kernel. While this is of course suboptimal, it demonstrates the feasibility of our idea to hide the page tables by randomizing their location in the kernel.
