Compiler-based kernel heap hardening

AUTOSLAB is a fully-automated isolation-based approach to preventing kernel heap exploitation, the most common category of modern Linux kernel exploits. This novel, compiler-based defense available only in grsecurity® provides the added benefit of greatly improved kernel diagnostics by assocating any kernel heap address with specific allocation sites, down to the filename and exact line number. This production-grade defense requires no expensive run-time debugging features to be enabled.

Blog on AUTOSLAB's impact on kernel heap exploitation

Automatic discovery and prevention of Spectre vulnerabilities

Existing approaches to identification and remediation of Spectre vulnerabilities are lacking in coverage, rudimentary, and often performed manually. The backport of a single security fix has the potential to introduce a new expoitable Spectre gadget, meaning that this identification and remediation process needs to be performed constantly, including after any modifications made by the end user. This approach simply does not scale. The Respectre® plugin solves this problem with advanced static analysis to find vastly more Spectre vulnerabilities than existing approaches. It then makes use of the result of that analysis to automatically instrument the code with fixes that introduce negligible performance impact.

Announcement Post

Randomized kernel structure layouts

The RANDSTRUCT plugin forces some exploits into requiring additional information leaks to achieve reliability. It does this by randomizing the layout of sensitive selected kernel structures as well as automatically randomizing the layout of all structures comprised purely of function pointers -- a common target for exploits.

Configure Help Entry

Prevents integer overflows in size arguments

Integer overflows are a common bug class in the kernel. This feature was first realized as a clever macro to deal with overflows occuring in size expressions of kernel memory allocators, but was replaced and greatly expanded in scope by Emese Revfy with what is now our largest GCC plugin. This powerful plugin can detect and prevent exploitation of a wide range of integer overflow and integer truncation bugs that are likely to result in exploitable conditions.

SIZE_OVERFLOW plugin preventing exploitation of $40,000 Pwnium 3 vulnerability Blog post on the SIZE_OVERFLOW plugin CVE-2013-0914 discovered by plugin CVE-2013-2141 discovered by plugin Configure Help Entry

Adds entropy at early boot and runtime

Grsecurity provides a feature to help address the problem of entropy starvation at early boot on IoT devices. The demonstrable effects of entropy starvation at early boot are weak private keys, predictable stack canaries, and more. PaX's latent entropy plugin modifies the instruction streams of functions called only during boot as well as some specific functions at runtime that perform some unpredictable computations from the perspective of an attacker. These functions are modified to produce a nondeterministic value based on the flow of execution. At several points in the boot process and at runtime, this pseudorandom value is mixed in to the entropy pool.

Initial plugin description Research on widespread weak keys in network devices Research showing predictable stack canaries on Android due to low entropy Configure Help Entry

Makes read-only sensitive kernel structures

For some years, grsecurity had maintained a large patch that systematically constified a few dozen structure types used frequently in the kernel -- collections of function pointers, or so-called "ops structures". This patch, weighing in at over 1MB, became time-consuming to maintain and upstream kernel developers did not accept the patch wholesale (responsive maintainers adopted patches specific to their domain, but many unresponsive maintainers did not). Creation of the CONSTIFY plugin allowed us to generalize the approach and apply it to hundreds of additional structure types, currently causing up to 75% of function pointers in the kernel image to be made read-only.

Configure Help Entry

Ensures all kernel function pointers point into the kernel

This plugin supplements the protection provided by PaX's KERNEXEC feature on the X64 architecture. While on i386 KERNEXEC is able to prevent execution of userland code using segmentation, that is not possible on X64. This plugin forces the upper bit on in all function pointers and return addresses dereferenced by the kernel. This doesn't impact legitimate kernel code, but causes attempts to return to userland code to result in a non-canonical address that will cause a GPF upon access. Modulo attacks on kernel paging structures, this feature is not needed if PaX's UDEREF is enabled.

Plugin discussion Configure Help Entry

Prevents leaking of stack data from previous syscalls

Information leaks of kernel stack data are the most common type of leaks in the kernel and potentially the most dangerous. The reason for this is that the data arising from an uninitialized structure field can possibly come from data on the kernel stack from a previous system call invocation. By carefully choosing a system call to leave stale data on the stack, an attacker can leak the addresses to a wide number of sensitive kernel structures. The STACKLEAK plugin addresses this issue by clearing the portion of the kernel stack that was used during a system call before returning to userland. This ensures that if any leak of an uninitialized field is possible, it must come from a previously-called function in the current system call. This plugin also prevents dynamic stack-based allocation in the kernel from overflowing the kernel stack, which would normally permit an attacker to corrupt an adjacent memory object in order to exploit the system.

PaX presentation on GCC plugins Configure Help Entry