Commodity operating systems such as Windows, Linux, and MacOS X form the Trusted Computing Base (TCB) of today's computing systems. However, since they are written in C and C++, they have memory safety errors and are vulnerable to kernel-level code reuse attacks. This paper presents IskiOS: a system that helps to thwart such attacks by providing both execute-only memory and an efficient shadow stack for operating system kernels on the x86 processor. Execute-only memory hides the code segment from buffer overread attacks, strengthening code randomization techniques. Shadow stacks protect return addresses from corruption. IskiOS leverages Intel's Memory Protection Keys (MPK, a.k.a. PKU) and Kernel Page Table Isolation (KPTI) to protect kernel memory from buffer overwrite and overread attacks and to prevent corruption of the shadow stack. Unlike previous work, IskiOS places no restrictions on virtual address space layout, allowing the operating system to achieve higher diversification entropy by placing kernel stacks and kernel code in arbitrary locations within the virtual address space. IskiOS incurs virtually no performance overhead for execute-only memory. Its shadow stacks incur a geometric mean slowdown of 12.3% in our experiments.