Davids Homepage

PT-Rand (Page Table Randomization)

Kernel-level run-time attacks pose a severe threat to operating system security. This is frequently demonstrated through real-world exploits.

Even if employing architectural defenses like SM{E,A}P or software defenses like CFI, bugs in the kernel code still allow for data-only attacks on critical data structures, such as the page tables.

Page tables define memory protection of a virtual address space and are created and managed by the kernel per process. PT-Rand mitigates data-only attacks on the page tables by hiding them in a randomized region and keeping the randomization secret in a protected register. This also allows for the secure and efficient implementation of kernel monitors (e.g., CFI), without the requirement for additional hardware trust-anchors like hypervisors, or trusted execution environments. For more details check our paper.

UPDATE: Good news! A variant of this has been integrated into the Linux kernel by Thomas Garnier (Google).

In our patch (gzipped tarball, 53K), we combined GRSecurity's RAP (a kernel-CFI implementation), with PT-Rand to harden the Linux kernel (version 4.6.3) against these kinds of attacks. To build, do:

tar xzf PTRandPaXRAP.tar.gz wget https://raw.githubusercontent.com/slashbeast/grsecurity-scrape/master/test/grsecurity-3.1-4.6.4-201607112205.patch git clone git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git cd linux-stable git checkout -b my4.6.3 v4.6.3 patch -p1 < ../grsecurity-3.1-4.6.4-201607112205.patch git apply ../PTRandPaXRAP/ptrand-pax.patch cp ../PTRandPaXRAP/.qemu_config .config make vmlinux bzImage

To run it on QEMU for a quick test, do:

qemu-system-x86_64 -m 1024 -hda disk.img -kernel arch/x86_64/boot/bzImage --nographic -append "root=/dev/sda1 rw init=/bin/bash console=ttyS0"

For installing it on real hardware you can, e.g., make a .deb package (you also need an appropriate .config for your machine):

fakeroot make-kpkg --initrd --revision=0.1.PTRAND --append-to-version="ptrand" kernel_image kernel_headers

Note, that this is a proof-of-concept and some parts of the patch are really hacky. For instance, I duplicated and hard-coded several header definitions to work around circular include dependencies rather than fixing the include structure in the kernel. While this is of course non-optimal, it demonstrates feasibility of our idea to hide the page tables by randomizing them in the kernel.

File	Checksum (SHA-512)
grsecurity-3.1-4.6.4-201607112205.patch	`3c96c9e01e0b61e934c5112429fc57685d90bfea6d30148a6dfe9dcca5dd6a89055cd3951969e37cca835c65ddeb7872d31f555298cb8fab69b1a6d8bf8d64b8`
PTRandPaXRAP.tar.gz	`ea531fec3a0202314997451ae00222a9de3577ebcdc0541d0eb0717f29c39b2c4a64aae8131e97d8bf0c3c43f2baab9d0bdfebc390bff76e718f71c70133116f`