RandCompile: Removing Forensic Gadgets from the Linux Kernel to Combat its Analysis
Recently published research such as LogicMem, Katana, and AutoProfile enables a fine-grained inspection of the operating system's memory and provides insights which were previously only available for Linux machines specifically instrumented for cooperation with virtual machine introspection tools. An overly controlling cloud operator can now regularly deep-inspect VMs under their control.
In this paper, we investigate how the concept of software diversity can be employed to remove structural information from the Linux kernel to harden it against automated analysis by the aforementioned tools. We employ a mixture of small targeted obfuscations of the memory layout and randomization of the ABI between functions in the Linux kernel, since memory layout and ABI provide predictable artifacts across different compilers, kernel configurations, and the presence of Structure Layout Randomization.
We provide an implementation of our ideas in RandCompile, which is composed of a small patch set for the 5.15 Linux LTS kernel and a compiler plugin. RandCompile seeks to remove structural information artifacts, which we call forensic gadgets, to eliminate all leverage points for further analysis by the aforementioned tools. Our approach does not require major modifications to the kernel code base and only has a non-significant performance impact (less than 5%), which is less than that of other major security or debugging features enabled by default in the Linux kernel.