Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Comprehensive Kernel Safety in the Spectre Era: Mitigations and Performance Evaluation (Extended Version)

Davide Davoli, Martin Avanzini, Tamara Rezk

TL;DR

This work formalizes kernel safety under memory-separated execution and shows that KASLR offers probabilistic protection in classic attacker models. It then demonstrates that in the Spectre era, layout randomization alone is insufficient due to side-channel leakage and speculative execution, introducing side-channel layout non-interference as a sufficient condition (though often impractical). To address this, the authors prove that transforming a classically kernel-safe kernel into a speculative-safe one using program transformations preserves semantics and enforces speculative kernel safety, and they implement three LLVM-based transformations. An extensive experimental evaluation on Linux shows that optimized fencing achieves modest overheads on compute-heavy tasks and acceptable costs on many workloads, indicating practical viability with future hardware support. Overall, the paper advances a formal framework and practical tools for enforcing kernel safety in the presence of speculative and side-channel vulnerabilities beyond traditional layout-randomization-based protection.

Abstract

The efficacy of address space layout randomization has been formally demonstrated in a shared-memory model by Abadi et al., contingent on specific assumptions about victim programs. However, modern operating systems, implementing layout randomization in the kernel, diverge from these assumptions and operate on a separate memory model with communication through system calls. In this work, we relax Abadi et al.'s language assumptions while demonstrating that layout randomization offers a comparable safety guarantee in a system with memory separation. However, in practice, speculative execution and side-channels are recognized threats to layout randomization. We show that kernel safety cannot be restored for attackers capable of using side-channels and speculative execution, and introduce enforcement mechanisms that can guarantee speculative kernel safety for safe system calls in the Spectre era. We implement three suitable mechanisms and we evaluate their performance overhead on the Linux kernel.

Comprehensive Kernel Safety in the Spectre Era: Mitigations and Performance Evaluation (Extended Version)

TL;DR

This work formalizes kernel safety under memory-separated execution and shows that KASLR offers probabilistic protection in classic attacker models. It then demonstrates that in the Spectre era, layout randomization alone is insufficient due to side-channel leakage and speculative execution, introducing side-channel layout non-interference as a sufficient condition (though often impractical). To address this, the authors prove that transforming a classically kernel-safe kernel into a speculative-safe one using program transformations preserves semantics and enforces speculative kernel safety, and they implement three LLVM-based transformations. An extensive experimental evaluation on Linux shows that optimized fencing achieves modest overheads on compute-heavy tasks and acceptable costs on many workloads, indicating practical viability with future hardware support. Overall, the paper advances a formal framework and practical tools for enforcing kernel safety in the presence of speculative and side-channel vulnerabilities beyond traditional layout-randomization-based protection.

Abstract

The efficacy of address space layout randomization has been formally demonstrated in a shared-memory model by Abadi et al., contingent on specific assumptions about victim programs. However, modern operating systems, implementing layout randomization in the kernel, diverge from these assumptions and operate on a separate memory model with communication through system calls. In this work, we relax Abadi et al.'s language assumptions while demonstrating that layout randomization offers a comparable safety guarantee in a system with memory separation. However, in practice, speculative execution and side-channels are recognized threats to layout randomization. We show that kernel safety cannot be restored for attackers capable of using side-channels and speculative execution, and introduce enforcement mechanisms that can guarantee speculative kernel safety for safe system calls in the Spectre era. We implement three suitable mechanisms and we evaluate their performance overhead on the Linux kernel.

Paper Structure

This paper contains 66 sections, 38 theorems, 230 equations, 23 figures, 7 tables.

Table of Contents

  1. Introduction
  2. Overview
  3. Language
  4. Syntax
  5. Semantics
  6. Layouts
  7. Randomization scheme
  8. Small step operational semantics
  9. Threat Model
  10. Kernel Safety in the Classic Threat Model
  11. Relation of kernel safety with security
  12. Final remarks
  13. Kernel Safety in the Speculative Threat Model
  14. The Speculative Execution Model
  15. Victim Language and Semantics
  16. ...and 51 more sections

Key Result

Lemma 1

Let ${\color{codefn}{\mathtt{s}}}$ be a system call of a layout non-interfering system $\sigma=(\tau_{}, \gamma, \xi)$, and let $\mathsf{refs}_\sigma(\gamma({\color{codefn}{\mathtt{s}}}))\setminus \mathsf{Sys}=\{{\color{codefn}{\mathtt{id}}}_1, \dots, {\color{codefn}{\mathtt{id}}}_h\}$ be identifier

Figures (23)

  • Figure 1: System Calls vulnerable to memory corruption
  • Figure 2: Syntax of the language. Here, $v$ is a value, $x$ a register, ${\color{codefn}{\mathtt{a}}}$ an array identifier, ${\color{codefn}{\mathtt{f}}}$ a procedure identifier, and ${\color{codefn}{\mathtt{op}}}$ is an operator.
  • Figure 3: Semantics w.r.t. system $\sigma=(\tau_{},\gamma,\xi)$, first part.
  • Figure 4: Semantics w.r.t. system $\sigma=(\tau_{},\gamma,\xi)$, second part.
  • Figure 5: Speculative semantics, excerpt.
  • ...and 18 more figures

Theorems & Definitions (126)

  • Definition 1: Kernel safety
  • Definition 2: Layout non-interference
  • Lemma 1
  • proof : Proof sketch of \ref{['lemma:onsyscall']}
  • Lemma 2
  • proof : Proof Sketch of \ref{['lemma:onsyscallterm']}
  • Theorem 1
  • proof
  • Definition 3: Speculative kernel safety
  • Definition 4: Side-channel layout non-interference
  • ...and 116 more