The sheer size of commodity operating system kernels makes them a prime target for local attackers aiming to escalate privileges. At the same time, as much as 90% of kernel functions are not required for processing system calls originating from a typical network daemon, which results in unnecessarily high exposure. In this paper, we introduce KRAZOR, an approach to reduce the kernel's attack surface by directly limiting the amount of kernel code accessible to an application. This is achieved by tracing the individual kernel functions used by an application and then using the kernel call graph to infer a larger set of permissible functions; from that point on, KRAZOR can detect and prevent uses of unnecessary kernel functions by a process. We show that, unlike previous work, this results in quantifiable, non-bypassable, per-application kernel attack surface reduction. We implement this approach as a kernel module, and evaluate results under real-world workloads for four typical server applications. Our results show that the performance overhead and false positives remain low, while the attack surface reduction can be as high as 80%.
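The three phases the abstract describes (trace the kernel functions an application actually uses, widen that set to everything reachable from them in the kernel call graph, then allow only that set) can be modelled in user space. The example below is an added illustration written for this page, not KRAZOR's code, and it uses a small constructed call graph with illustrative function names rather than a real kernel's; the reduction figure it computes is therefore only a demonstration of the metric, not a result from the paper.

```python
"""User-space model of per-application kernel attack surface reduction.

Assumptions (not from the paper): the call graph, the traced function set
and the runtime call log below are all constructed for this example.
"""
from collections import deque

# Constructed caller -> callees map standing in for the kernel call graph.
CALL_GRAPH = {
    "sys_read": ["vfs_read", "fdget"],
    "vfs_read": ["rw_verify_area", "ext4_file_read"],
    "ext4_file_read": ["generic_file_read"],
    "sys_write": ["vfs_write", "fdget"],
    "vfs_write": ["rw_verify_area", "ext4_file_write"],
    "ext4_file_write": ["generic_perform_write"],
    "sys_mount": ["do_mount", "copy_mount_options"],
    "do_mount": ["do_new_mount"],
    "do_new_mount": ["vfs_kern_mount"],
    "sys_ptrace": ["ptrace_attach"],
    "ptrace_attach": ["security_ptrace_access_check"],
}


def all_functions(graph):
    """Every function that appears in the graph, as caller or callee."""
    funcs = set(graph)
    for callees in graph.values():
        funcs.update(callees)
    return funcs


def reachable(graph, roots):
    """Transitive closure: everything reachable from the traced roots.

    This is the 'infer a greater set of permissible functions' step: a
    function observed once in a trace may call others on a path the trace
    did not exercise, so those are admitted too to avoid false positives.
    """
    seen = set(roots)
    queue = deque(roots)
    while queue:
        fn = queue.popleft()
        for callee in graph.get(fn, ()):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen


def build_allowlist(graph, traced_functions):
    """Phase 1+2: traced functions widened over the call graph."""
    return reachable(graph, traced_functions)


def enforce(allowlist, call_log):
    """Phase 3: return the calls that would be denied at runtime."""
    return [fn for fn in call_log if fn not in allowlist]


def attack_surface_reduction(graph, allowlist):
    """Fraction of kernel functions that are no longer reachable."""
    total = len(all_functions(graph))
    return 1.0 - len(allowlist) / total


# Constructed trace window: the daemon was only seen reading and writing.
TRACED = {"sys_read", "sys_write"}
ALLOWLIST = build_allowlist(CALL_GRAPH, TRACED)

# Constructed runtime log: ordinary I/O followed by a mount attempt.
RUNTIME_LOG = ["sys_read", "vfs_read", "sys_write", "sys_mount", "do_mount"]

if __name__ == "__main__":
    print("allowed:", sorted(ALLOWLIST))
    print("denied :", enforce(ALLOWLIST, RUNTIME_LOG))
    print("reduction: %.1f%%" % (100 * attack_surface_reduction(CALL_GRAPH, ALLOWLIST)))
```

The closure step is what keeps false positives down: `generic_file_read` never appeared in the trace but is admitted because `sys_read` can reach it, while `sys_mount` and everything below it stays blocked because no traced function leads there. On a real kernel the call graph would come from static analysis of the build and the enforcement point would sit in the kernel, which is where the non-bypassable property the abstract claims comes from.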
If you would like to receive a copy of this report, please contact Anil Kurmus: kur@zurich.ibm.com
By: Anil Kurmus, Sergej Dechand, Rüdiger Kapitza
Published as: IBM Research Report RZ3855, 2013
This Research Report is not available electronically. Please request a copy from the contact listed above. IBM employees should contact ITIRC for a copy.