SFIP: Coarse-Grained Syscall-Flow-Integrity Protection in Modern Systems

TL;DR

This paper introduces SFIP, a syscall-flow-integrity protection mechanism that enhances security by ensuring valid user-kernel transitions, with minimal performance overhead, and significantly reduces attack surfaces in modern systems.

Contribution

It presents a novel automated approach for extracting syscall transition models and enforcing syscall-flow integrity in Linux kernels, complementing existing control-flow defenses.

Findings

SFIP reduces syscall transition possibilities by up to 90.9%.

Overhead is minimal: 13.1% in microbenchmark, 1.8% in macrobenchmark.

Effective in preventing control-flow hijacking attacks.

Abstract

Growing code bases of modern applications have led to a steady increase in the number of vulnerabilities. Control-Flow Integrity (CFI) is one promising mitigation that is more and more widely deployed and prevents numerous exploits. CFI focuses purely on one security domain. That is, transitions between user space and kernel space are not protected by CFI. Furthermore, if user space CFI is bypassed, the system and kernel interfaces remain unprotected, and an attacker can run arbitrary transitions. In this paper, we introduce the concept of syscall-flow-integrity protection (SFIP) that complements the concept of CFI with integrity for user-kernel transitions. Our proof-of-concept implementation relies on static analysis during compilation to automatically extract possible syscall transitions. An application can opt-in to SFIP by providing the extracted information to the kernel for runtime enforcement. The concept is built on three fully-automated pillars: First, a syscall state machine, representing possible transitions according to a syscall digraph model. Second, a syscall-origin mapping, which maps syscalls to the locations at which they can occur. Third, an efficient enforcement of syscall-flow integrity in a modified Linux kernel. In our evaluation, we show that SFIP can be applied to large scale applications with minimal slowdowns. In a micro- and a macrobenchmark, it only introduces an overhead of 13.1% and 1.8%, respectively. In terms of security, we discuss and demonstrate its effectiveness in preventing control-flow-hijacking attacks in real-world applications. Finally, to highlight the reduction in attack surface, we perform an analysis of the state machines and syscall-origin mappings of several real-world applications. On average, SFIP decreases the number of possible transitions by 38.6% compared to seccomp and 90.9% when no protection is applied.