Kernel Protection Against Just-In-Time Code Reuse
ACM Transactions on Privacy and Security (IF 2.3), Pub Date: 2019-01-07, DOI: 10.1145/3277592
Marios Pomonis (1), Theofilos Petsios (1), Angelos D. Keromytis (2), Michalis Polychronakis (3), Vasileios P. Kemerlis (4)

The abundance of memory corruption and disclosure vulnerabilities in kernel code necessitates the deployment of hardening techniques to prevent privilege escalation attacks. As stricter memory isolation mechanisms between the kernel and user space become commonplace, attackers increasingly rely on code reuse techniques to exploit kernel vulnerabilities. Contrary to similar attacks in more restrictive settings, as in web browsers, in kernel exploitation, non-privileged local adversaries have great flexibility in abusing memory disclosure vulnerabilities to dynamically discover, or infer, the location of code snippets in order to construct code-reuse payloads. Recent studies have shown that the coupling of code diversification with the enforcement of a "read XOR execute" (R^X) memory safety policy is an effective defense against the exploitation of userland software, but so far this approach has not been applied for the protection of the kernel itself. In this article, we fill this gap by presenting kR^X: a kernel-hardening scheme based on execute-only memory and code diversification. We study a previously unexplored point in the design space, where a hypervisor or a super-privileged component is not required. Implemented mostly as a set of GCC plugins, kR^X is readily applicable to x86 Linux kernels (both 32b and 64b) and can benefit from hardware support (segmentation on x86, MPX on x86-64) to optimize performance. In full protection mode, kR^X incurs a low runtime overhead of 4.04%, which drops to 2.32% when MPX is available, and 1.32% when memory segmentation is in use.

Updated: 2019-01-07