PT-Rand (Page Table Randomization)

Kernel-level run-time attacks pose a severe threat to operating system security, as real-world exploits frequently demonstrate.

Even when architectural defenses like SMEP/SMAP or software defenses like CFI are in place, bugs in the kernel code still allow data-only attacks on critical data structures, such as the page tables.

Page tables define the memory protection of a virtual address space and are created and managed by the kernel for each process. PT-Rand mitigates data-only attacks on the page tables by hiding them in a randomized memory region and keeping the randomization secret in a protected register. This also allows kernel monitors (e.g., CFI) to be implemented securely and efficiently without requiring additional trust anchors such as hypervisors or trusted execution environments. For more details check our paper (for yet more details read my thesis).

UPDATE: Good news! A variant of this has been integrated into the Linux kernel by Thomas Garnier (Google).

In our patch (gzipped tarball, 53K), we combined GRSecurity's RAP (a kernel-CFI implementation) with PT-Rand to harden the Linux kernel (version 4.6.3) against these kinds of attacks.

To build, do:

To run it on QEMU for a quick test, do:

To install it on real hardware you can, e.g., make a .deb package (you also need an appropriate .config for your machine):

Note that this is a proof-of-concept and some parts of the patch are really hacky. For instance, I duplicated and hard-coded several header definitions to work around circular include dependencies rather than fixing the include structure in the kernel. While this is of course not optimal, it demonstrates the feasibility of our idea of hiding the page tables by randomizing their location in the kernel.

File                                      Checksum (SHA-512)
grsecurity-3.1-4.6.4-201607112205.patch   3c96c9e01e0b61e934c5112429fc57685d90bfea6d30148a6dfe9dcca5dd6a89055cd3951969e37cca835c65ddeb7872d31f555298cb8fab69b1a6d8bf8d64b8
PTRandPaXRAP.tar.gz                       ea531fec3a0202314997451ae00222a9de3577ebcdc0541d0eb0717f29c39b2c4a64aae8131e97d8bf0c3c43f2baab9d0bdfebc390bff76e718f71c70133116f
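Before applying the patch, the two downloads should be checked against the checksums listed above. The following POSIX shell script is an added example for that step, not part of the PT-Rand release; it assumes the two files sit in the current directory and that either GNU `sha512sum` or `shasum` is installed. A missing file is reported as a failure rather than skipped, so a truncated or partial download cannot pass silently.

```shell
#!/bin/sh
# Verify the PT-Rand downloads against the SHA-512 checksums listed on the
# page. Added example, not part of the original PT-Rand patch or tarball.
# Assumes: files are in the current directory; sha512sum (GNU coreutils) or
# shasum (Perl, e.g. on macOS) is available.

# Expected checksums, copied verbatim from the page's table.
PATCH_FILE="grsecurity-3.1-4.6.4-201607112205.patch"
PATCH_SHA512="3c96c9e01e0b61e934c5112429fc57685d90bfea6d30148a6dfe9dcca5dd6a89055cd3951969e37cca835c65ddeb7872d31f555298cb8fab69b1a6d8bf8d64b8"
TARBALL_FILE="PTRandPaXRAP.tar.gz"
TARBALL_SHA512="ea531fec3a0202314997451ae00222a9de3577ebcdc0541d0eb0717f29c39b2c4a64aae8131e97d8bf0c3c43f2baab9d0bdfebc390bff76e718f71c70133116f"

# sha512_of FILE: print the lowercase hex SHA-512 digest of FILE.
# Returns 2 if no hashing tool is available.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 512 "$1" | cut -d' ' -f1
    else
        echo "error: neither sha512sum nor shasum found" >&2
        return 2
    fi
}

# verify_sha512 FILE EXPECTED: return 0 only if FILE exists and its digest
# equals EXPECTED (compared case-insensitively). A missing file fails.
verify_sha512() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -f "$file" ]; then
        echo "MISSING  $file" >&2
        return 1
    fi
    actual=$(sha512_of "$file") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK       $file"
        return 0
    fi
    echo "MISMATCH $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# verify_ptrand_downloads: check both artifacts and return 0 only if both
# match; every file is checked even if an earlier one fails.
verify_ptrand_downloads() {
    status=0
    verify_sha512 "$PATCH_FILE" "$PATCH_SHA512" || status=1
    verify_sha512 "$TARBALL_FILE" "$TARBALL_SHA512" || status=1
    return $status
}

# Entry point: "sh verify-ptrand.sh run" verifies both downloads and exits
# non-zero on any mismatch or missing file, so it can gate a build script.
if [ "${1:-}" = run ]; then
    verify_ptrand_downloads
fi
```

Save it as `verify-ptrand.sh` next to the downloads and run `sh verify-ptrand.sh run`; a non-zero exit status means at least one file did not match and should not be unpacked or applied.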