DOPE: DOmain Protection Enforcement with PKS
The number of Linux kernel vulnerabilities discovered has increased drastically over the past years. In the kernel, even simple memory safety vulnerabilities can have devastating consequences, e.g., compromising the entire system. Efforts to mitigate memory safety vulnerabilities have so far focused mainly on control-flow hijacking attacks in the kernel. Data-oriented attacks are still largely unmitigated in practice as existing mitigations are limited in providing robust security guarantees at reasonable performance overhead for multiple sensitive data objects.
In this paper, we present DOmain Protection Enforcement (DOPE), a novel kernel mitigation against data-oriented attacks that employs Intel's new hardware feature PKS (Protection Keys for Supervisor). DOPE enforces domain protection by restricting access to sensitive data during kernel-space execution according to the principle of least privilege: a sensitive object is accessible only while the kernel code that legitimately needs it is executing. Hence, given an exploitable kernel bug, an attacker is prevented from using sensitive data for privilege escalation. We demonstrate DOPE's effectiveness and usefulness with a proof-of-concept that protects eight selected sensitive data objects. The proof-of-concept is realized as a compiler-assisted and hardware-enforced kernel mitigation and consists of fewer than 5000 lines of code on the recent Linux kernel 5.19 and LLVM clang 15.0.1. We evaluate it on real hardware and observe a reasonable runtime overhead of 2.3 % for real-world user applications. Lastly, we systematically analyze 11 state-of-the-art kernel mitigations against data-oriented attacks and show that DOPE significantly improves security relative to its performance cost.
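To make the PKS-based domain protection concrete, the following is an added example (it is not DOPE's code and not part of the paper): a user-space C model of how PKS protection-key rights gate supervisor data accesses. The bit layouts follow the Intel SDM (IA32_PKRS holds two bits per key, AD at bit 2k and WD at bit 2k+1; supervisor PTEs carry the key in bits 62:59 once CR4.PKS is set); everything else, including the key numbers PKEY_CRED and PKEY_PGTABLE, the sample PTE value, and the open/close helpers, is an assumption made for illustration. The model computes the PKRS value a least-privilege policy would install (every non-default domain closed), opens one domain around a legitimate access, and shows that the same write from code that has not opened the domain is refused. No real MSR or page table is touched.

```c
/* Added example: software model of PKS protection-key checks.
 * Not DOPE's implementation; key assignment and sample PTE are constructed. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define PKS_NUM_KEYS 16
/* IA32_PKRS layout (Intel SDM): AD = access-disable, WD = write-disable. */
#define PKRS_AD(k) (1u << (2 * (k)))
#define PKRS_WD(k) (1u << (2 * (k) + 1))

/* Hypothetical domain-to-key assignment used only by this model. */
enum { PKEY_DEFAULT = 0, PKEY_CRED = 1, PKEY_PGTABLE = 2 };

enum access { ACC_READ, ACC_WRITE };

/* Baseline PKRS for a least-privilege policy: key 0 (ordinary kernel data)
 * stays open, every other domain is closed for reads and writes. */
static uint32_t pkrs_all_denied(void) {
    uint32_t v = 0;
    for (int k = 1; k < PKS_NUM_KEYS; k++)
        v |= PKRS_AD(k) | PKRS_WD(k);
    return v;
}

/* Open one domain for the duration of a privileged operation. */
static uint32_t pkrs_open(uint32_t pkrs, int key, bool writable) {
    pkrs &= ~PKRS_AD(key);
    if (writable)
        pkrs &= ~PKRS_WD(key);
    else
        pkrs |= PKRS_WD(key);
    return pkrs;
}

/* Close the domain again once the operation is done. */
static uint32_t pkrs_close(uint32_t pkrs, int key) {
    return pkrs | PKRS_AD(key) | PKRS_WD(key);
}

/* Model of the check the CPU applies to a supervisor data access:
 * AD set -> any access faults; WD set -> writes fault. */
static bool pks_access_allowed(uint32_t pkrs, int key, enum access a) {
    if (pkrs & PKRS_AD(key))
        return false;
    if (a == ACC_WRITE && (pkrs & PKRS_WD(key)))
        return false;
    return true;
}

/* Supervisor PTEs carry the protection key in bits 62:59. */
static int pte_pkey(uint64_t pte) { return (int)((pte >> 59) & 0xf); }
static uint64_t pte_with_pkey(uint64_t pte, int key) {
    return (pte & ~(0xfull << 59)) | ((uint64_t)(key & 0xf) << 59);
}

/* Constructed PTE: NX set, present, writable, accessed, dirty; no key yet. */
#define SAMPLE_PTE 0x8000000000000063ull

/* An arbitrary write primitive from a kernel path that never opened the
 * credential domain: the write must be refused. */
static bool attacker_write_blocked(void) {
    uint64_t pte = pte_with_pkey(SAMPLE_PTE, PKEY_CRED);
    uint32_t pkrs = pkrs_all_denied();
    return !pks_access_allowed(pkrs, pte_pkey(pte), ACC_WRITE);
}

/* The legitimate path opens the domain, writes, and re-locks it; after the
 * re-lock the same write is refused again. */
static bool legit_write_allowed_then_relocked(void) {
    uint64_t pte = pte_with_pkey(SAMPLE_PTE, PKEY_CRED);
    uint32_t pkrs = pkrs_open(pkrs_all_denied(), PKEY_CRED, true);
    bool during = pks_access_allowed(pkrs, pte_pkey(pte), ACC_WRITE);
    pkrs = pkrs_close(pkrs, PKEY_CRED);
    bool after = pks_access_allowed(pkrs, pte_pkey(pte), ACC_WRITE);
    return during && !after;
}

int main(void) {
    printf("baseline PKRS: 0x%08x\n", pkrs_all_denied());
    printf("attacker write blocked: %d\n", attacker_write_blocked());
    printf("legit write allowed, then relocked: %d\n",
           legit_write_allowed_then_relocked());
    return 0;
}
```

The point the model makes is that the protection is tied to the executing code path rather than to the data address: a memory-corruption primitive in unrelated kernel code inherits a PKRS in which the credential domain is closed, so the access faults even though the target page is mapped and writable in the page tables. In the real mechanism the open/close steps are WRMSR writes to IA32_PKRS, which the compiler-assisted instrumentation has to place (and guard) around exactly the code that needs the object; the model does not cover that placement.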