Quantifiable Run-time Kernel Attack Surface Reduction

The sheer size of commodity operating system kernels makes them a prime target for local attackers aiming to escalate privileges. At the same time, as much as 90% of kernel functions are not required to process the system calls issued by a typical network daemon, which leaves the kernel unnecessarily exposed. In this paper, we introduce KRAZOR, an approach that reduces the kernel's attack surface by directly limiting the amount of kernel code accessible to an application. KRAZOR first traces the individual kernel functions an application uses, then expands this trace along the kernel call graph to infer a larger set of permissible functions, and finally detects and prevents any use of a kernel function outside that set by the process. We show that, unlike previous work, this yields a quantifiable, non-bypassable, per-application reduction of the kernel attack surface. We implement the approach as a kernel module and evaluate it under real-world workloads for four typical server applications. Our results show that the performance overhead and the false-positive rate remain low, while the attack surface reduction can be as high as 80%.
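The two phases the abstract describes (learn which kernel functions an application touches, widen that set along the kernel call graph, then flag anything outside it) can be modelled in a few lines. The following is an added example, not KRAZOR's code: the call graph, the function names, the learning-phase trace and the runtime observations are all constructed for illustration, and the assumption that "inferring a greater set" means call-graph reachability from the traced functions is ours, not the paper's.

```python
"""Toy model of per-application kernel attack surface reduction.

Added example; not KRAZOR's implementation. The call graph, trace and
function names are constructed for illustration only.
"""
from collections import deque

# Constructed (hypothetical) kernel call graph: caller -> callees.
# Every kernel function appears as a key, even if it calls nothing,
# so len(KERNEL_CALL_GRAPH) is the total number of kernel functions.
KERNEL_CALL_GRAPH = {
    "sys_read": ["do_read", "fd_lookup"],
    "sys_write": ["do_write", "fd_lookup"],
    "do_read": ["page_cache_read"],
    "do_write": ["page_cache_write"],
    "fd_lookup": [],
    "page_cache_read": [],
    "page_cache_write": [],
    "sys_accept": ["sock_accept", "fd_lookup"],
    "sock_accept": ["tcp_accept"],
    "tcp_accept": [],
    "sys_ptrace": ["ptrace_attach", "ptrace_peek"],
    "ptrace_attach": ["task_lookup"],
    "ptrace_peek": ["task_lookup", "access_remote_mem"],
    "task_lookup": [],
    "access_remote_mem": [],
    "sys_keyctl": ["key_lookup"],
    "key_lookup": [],
    "sys_mount": ["do_mount"],
    "do_mount": [],
    "sys_reboot": [],
}

# Constructed learning-phase trace: kernel functions a network daemon
# was observed entering under a representative workload.
LEARNING_TRACE = ["sys_read", "do_read", "sys_write", "sys_accept", "fd_lookup"]

# Constructed enforcement-phase observations: the same daemon, now being
# driven into the ptrace path by an attacker.
RUNTIME_OBSERVED = ["sys_read", "fd_lookup", "sys_ptrace", "ptrace_peek",
                    "access_remote_mem"]


def reachable(graph, roots):
    """All functions reachable from `roots` along caller->callee edges.

    Breadth-first traversal; the roots themselves are included.
    """
    seen = set()
    queue = deque(roots)
    while queue:
        fn = queue.popleft()
        if fn in seen:
            continue
        seen.add(fn)
        queue.extend(graph.get(fn, []))
    return seen


def infer_permissible(graph, trace):
    """Learning phase: traced functions plus everything they can reach.

    Assumption (ours, not the paper's): widening the trace along the call
    graph is modelled as reachability, so a traced function may later call
    any callee the learning workload did not happen to exercise.
    """
    return reachable(graph, set(trace))


def check_runtime(permissible, observed):
    """Enforcement phase: the observed functions outside the allowlist."""
    return sorted(fn for fn in observed if fn not in permissible)


def attack_surface_reduction(graph, permissible):
    """Fraction of all kernel functions the application can no longer use."""
    return 1.0 - len(permissible & set(graph)) / len(graph)


if __name__ == "__main__":
    allow = infer_permissible(KERNEL_CALL_GRAPH, LEARNING_TRACE)
    print("permissible:", sorted(allow))
    print("violations:", check_runtime(allow, RUNTIME_OBSERVED))
    print(f"reduction: {attack_surface_reduction(KERNEL_CALL_GRAPH, allow):.0%}")
```

With this constructed graph the five traced functions widen to ten permissible ones, the other ten (ptrace, keyctl, mount, reboot paths) become unreachable, and the ptrace calls in the runtime observations are reported. Note where false positives come from in such a scheme: a function the daemon legitimately needs only under a workload that the learning phase never exercised, and that is not a callee of any traced function (here, `sys_keyctl`), would be flagged at run time; keeping that rate low is exactly what the evaluation in the abstract measures.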

If you would like to receive a copy of this report, please contact Anil Kurmus: kur@zurich.ibm.com

By: Anil Kurmus, Sergej Dechand, Rüdiger Kapitza

Published in: RZ3855 in 2013

This Research Report is not available electronically. Please request a copy from the contact listed above. IBM employees should contact ITIRC for a copy.

Questions about this service can be mailed to reports@us.ibm.com.