protection should be coupled with panic_on_oops, or it can be fully bypassed (§7.3). To completely mitigate this data spillage, we suggest preserving user space registers elsewhere instead of on the kernel stack. For example, the registers can be saved in the associated task's task_struct data structure. This way, even if CFHP is obtained by attackers, user space registers will not be directly accessible on kernel stacks to facilitate further exploitation.
Uninitialized Memory.
For Uninitialized Memory data spillage, STACKLEAK, STRUCTLEAK, INITSTACK, and RANDKSTACK all provide protection, at different levels. STACKLEAK clears the kernel stack after each system call, which ensures zero usable Uninitialized Memory data spillage when CFHP is obtained. However, STACKLEAK has an average overhead of more than 40% [44]. INITSTACK and STRUCTLEAK use the compilers' pattern initialization feature to initialize stack variables, which also ensures no Uninitialized Memory data spillage while incurring a performance overhead of only 2.7%-4.5% [72]. As mentioned above, RANDKSTACK has near-zero performance overhead but provides only probabilistic protection. Weighing protection against performance, we suggest enabling INITSTACK or STRUCTLEAK to avoid Uninitialized Memory data spillage on the kernel stack.
Calling Convention and Valid Data.
The latest version of the Linux kernel has deployed a protection that clears user space registers that are not part of the ABI in the system call entry stub. As shown in Table 4, new kernel builds have significantly less data spillage caused by Calling Convention compared with old kernel builds because of this protection. However, data spillage caused by Calling Convention is still not eliminated.
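The following toy model is added here as an illustration of the mitigations compared in the two preceding paragraphs (stack erasure on system call exit as in STACKLEAK, pattern initialization of locals as in INITSTACK/STRUCTLEAK, a random per-call stack offset as in RANDKSTACK, and clearing of non-ABI user registers in the entry stub); it is not code from the paper or from the Linux kernel. The stack size, the six-register file, the frame layouts, the poison and pattern bytes and the secret value are all constructed. The model runs two system calls on one zero-filled stack: the first handles a user secret that is both spilled from a non-ABI register by the calling convention and copied into a local buffer, the second runs a callee with a never-written 24-byte local struct, which is the point where an attacker holding CFHP is assumed to read the stack. The report distinguishes secret copies readable through that uninitialized local from stale copies elsewhere in dead stack memory.

```c
/* Toy kernel-stack model (constructed illustration, not kernel code). */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define KSTACK_SIZE      256                 /* bytes; every offset used below is a multiple of 8 */
#define NREGS            6                   /* regs[0..2] carry syscall arguments (ABI), regs[3..5] do not */
#define NABI             3
#define PTREGS_SIZE      (sizeof(uint64_t) * NREGS)
#define PTREGS_BASE      (KSTACK_SIZE - PTREGS_SIZE)   /* pt_regs always sits at the top */
#define LOCAL_SIZE       24                  /* the never-written local struct in callee_uninit */
#define STACKLEAK_POISON 0xFF                /* constructed poison byte */
#define INIT_PATTERN     0xAA                /* constructed pattern-init byte */

enum mitigation {
    MIT_NONE       = 0,
    MIT_STACKLEAK  = 1 << 0,   /* erase the used stack region on syscall exit */
    MIT_INITSTACK  = 1 << 1,   /* pattern-initialise every local at function entry */
    MIT_CLEAR_REGS = 1 << 2,   /* zero non-ABI user registers in the entry stub */
};

struct kstack {
    uint8_t mem[KSTACK_SIZE];
    size_t sp;          /* grows downwards: mem[sp..) is in use */
    size_t lowest_sp;   /* deepest sp reached in this syscall, as STACKLEAK tracks it */
};

struct spill_report {
    int in_uninit_local;   /* secret copies readable through the live, never-written local */
    int stale_below;       /* secret copies elsewhere in dead stack memory, readable with CFHP */
};

static const uint64_t SECRET = 0x5EC7E7C0FFEE0042ull;   /* constructed user secret */

static void push(struct kstack *ks, const void *src, size_t n)
{
    ks->sp -= n;
    memcpy(&ks->mem[ks->sp], src, n);
    if (ks->sp < ks->lowest_sp) ks->lowest_sp = ks->sp;
}

static void reserve_local(struct kstack *ks, size_t n, unsigned mit)
{
    ks->sp -= n;
    if (mit & MIT_INITSTACK) memset(&ks->mem[ks->sp], INIT_PATTERN, n);
    if (ks->sp < ks->lowest_sp) ks->lowest_sp = ks->sp;
}

/* Entry stub: save user registers as pt_regs at the fixed top of the stack, optionally
 * clear the non-ABI live registers, then apply a RANDKSTACK-style offset below pt_regs. */
static void entry_stub(struct kstack *ks, uint64_t regs[NREGS], size_t rand_offset, unsigned mit)
{
    ks->sp = KSTACK_SIZE;
    ks->lowest_sp = ks->sp;
    push(ks, regs, PTREGS_SIZE);
    if (mit & MIT_CLEAR_REGS) memset(&regs[NABI], 0, sizeof(uint64_t) * (NREGS - NABI));
    ks->sp -= rand_offset;
    ks->lowest_sp = ks->sp;
}

/* Exit stub: with STACKLEAK, poison from the deepest point used up to the current sp. */
static void exit_stub(struct kstack *ks, unsigned mit)
{
    if (mit & MIT_STACKLEAK) memset(&ks->mem[ks->lowest_sp], STACKLEAK_POISON, ks->sp - ks->lowest_sp);
    ks->sp = KSTACK_SIZE;
}

/* Callee that spills the non-ABI registers (calling convention) and copies the user
 * secret into a local buffer, then returns, leaving both copies in dead stack memory. */
static void callee_with_secret(struct kstack *ks, const uint64_t regs[NREGS], unsigned mit)
{
    size_t frame = ks->sp;
    push(ks, &regs[NABI], sizeof(uint64_t) * (NREGS - NABI));
    reserve_local(ks, sizeof SECRET, mit);
    memcpy(&ks->mem[ks->sp], &SECRET, sizeof SECRET);   /* e.g. copy_from_user() into a local */
    ks->sp = frame;
}

/* Callee with a LOCAL_SIZE struct it never writes; CFHP is assumed while this frame is live. */
static void callee_uninit(struct kstack *ks, unsigned mit)
{
    reserve_local(ks, LOCAL_SIZE, mit);
}

static int count_secret(const struct kstack *ks, size_t lo, size_t hi)
{
    int n = 0;
    for (size_t i = lo; i + sizeof SECRET <= hi; i += sizeof SECRET)
        if (memcmp(&ks->mem[i], &SECRET, sizeof SECRET) == 0) n++;
    return n;
}

/* Syscall 1 handles the secret; syscall 2 (with the given offset, a multiple of 8)
 * runs only callee_uninit. Returns what the attacker can still find. */
struct spill_report simulate(unsigned mit, size_t rand_offset2)
{
    struct kstack ks;
    uint64_t regs[NREGS]   = { 1, 2, 3, SECRET, 5, 6 };   /* secret in a non-ABI register */
    uint64_t benign[NREGS] = { 7, 8, 9, 10, 11, 12 };
    struct spill_report r;

    memset(&ks, 0, sizeof ks);                 /* freshly allocated, zero-filled stack */
    entry_stub(&ks, regs, 0, mit);
    callee_with_secret(&ks, regs, mit);
    exit_stub(&ks, mit);

    entry_stub(&ks, benign, rand_offset2, mit);
    callee_uninit(&ks, mit);
    r.in_uninit_local = count_secret(&ks, ks.sp, ks.sp + LOCAL_SIZE);
    r.stale_below = count_secret(&ks, 0, ks.sp) + count_secret(&ks, ks.sp + LOCAL_SIZE, PTREGS_BASE);
    return r;
}

/* Number of offsets 0, 8, ..., max_offset at which the uninitialised local overlaps a
 * stale copy: a random offset turns a certain leak into a probabilistic one. */
int count_offsets_exposing_local(unsigned mit, size_t max_offset)
{
    int n = 0;
    for (size_t off = 0; off <= max_offset; off += 8)
        if (simulate(mit, off).in_uninit_local > 0) n++;
    return n;
}
```

With no mitigation and offset 0 the model reports one copy inside the uninitialized local (the register spill) and one stale copy below it (the buffer). Pattern initialization or register clearing each remove the copy in the local but leave the stale buffer for a CFHP-equipped reader, erasure on exit removes both, and over the offsets 0 to 64 only four of nine let the local overlap a stale copy, which is the probabilistic protection the text attributes to RANDKSTACK.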
Data spillage caused by Valid Data and Calling Convention is