SPARTA Results

xMP: Selective Memory Protection for Kernel and User Space

Sergej Proskurin, Marius Momeu, Seyedhamed Ghavamnia, Vasileios P. Kemerlis, and Michalis Polychronakis

Attackers leverage memory corruption vulnerabilities to establish primitives for reading from or writing to the address space of a vulnerable process. These primitives form the foundation for code-reuse and data-oriented attacks. While various defenses against the former class of attacks have proven effective, mitigation of the latter remains an open problem. In this paper, we identify various shortcomings of the x86 architecture regarding memory isolation, and leverage virtualization to build an effective defense against data-oriented attacks. Our approach, called xMP, provides (in-guest) selective memory protection primitives that allow VMs to isolate sensitive data in user or kernel space in disjoint xMP domains. We interface the Xen altp2m subsystem with the Linux memory management system, lending VMs the flexibility to define custom policies. Contrary to conventional approaches, xMP takes advantage of virtualization extensions, but after initialization, it does not require any hypervisor intervention. To ensure the integrity of in-kernel management information and pointers to sensitive data within isolated domains, xMP protects pointers with HMACs bound to an immutable context, so that integrity validation succeeds only in the right context. We have applied xMP to protect the page tables and process credentials of the Linux kernel, as well as sensitive data in various user-space applications. Overall, our evaluation shows that xMP introduces minimal overhead for real-world workloads and applications, and offers effective protection against data-oriented attacks.
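The pointer-integrity idea in the abstract (an HMAC bound to an immutable context, so a pointer only validates where it belongs) can be sketched in a few lines. The following is an added illustration, not code from the xMP paper or its implementation: it assumes the context is the address of the slot holding the pointer, keeps the full 256-bit tag beside the pointer rather than packing a truncated tag into spare address bits, and uses a constructed key and constructed kernel addresses.

```python
import hmac
import hashlib
import struct

# Constructed per-domain key for this example. In the scheme the abstract
# describes, the key would itself live in an isolated xMP domain so that a
# write primitive in the unprotected domain cannot read or replace it.
DOMAIN_KEY = hashlib.sha256(b"example xMP domain key (constructed)").digest()


def _mac(key, target, context):
    """HMAC over (target address, context), both as 64-bit little-endian."""
    msg = struct.pack("<QQ", target, context)
    return hmac.new(key, msg, hashlib.sha256).digest()


def seal_pointer(key, target, context):
    """Return (target, tag). The tag binds the target to an immutable
    context; here (assumption) the address of the slot storing the pointer."""
    return target, _mac(key, target, context)


def load_pointer(key, sealed, context):
    """Return the target if the tag verifies in this context, else None."""
    target, tag = sealed
    if not hmac.compare_digest(tag, _mac(key, target, context)):
        return None
    return target


# Constructed layout: two pointer slots of a protected kernel object, e.g.
# a task's credential pointer and an unrelated pointer field.
SLOT_CRED = 0xFFFF888012340000
SLOT_OTHER = 0xFFFF888012340008
CRED_A = 0xFFFF888056780000   # constructed target addresses
CRED_B = 0xFFFF888056781000


def demo():
    cred_a = seal_pointer(DOMAIN_KEY, CRED_A, SLOT_CRED)
    cred_b = seal_pointer(DOMAIN_KEY, CRED_B, SLOT_OTHER)
    return {
        # legitimate load from the slot the pointer was sealed for
        "valid": load_pointer(DOMAIN_KEY, cred_a, SLOT_CRED),
        # a validly sealed pointer copied into a different slot: the tag
        # was computed for SLOT_OTHER, so validation fails in SLOT_CRED
        "swapped": load_pointer(DOMAIN_KEY, cred_b, SLOT_CRED),
        # target address overwritten without the key: tag no longer matches
        "tampered": load_pointer(DOMAIN_KEY, (CRED_B, cred_a[1]), SLOT_CRED),
    }
```

Only the first load succeeds; the swap and the overwrite both return None, which is the property that lets integrity validation succeed only in the right context.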

Full paper