
Control Flow Integrity in the Linux Kernel

linux.conf.au via YouTube

Overview

Explore Control Flow Integrity (CFI) in the Linux kernel through this conference talk from linux.conf.au 2020. Dive into how Android utilizes Clang's CFI implementation for recent phones, the process of upstreaming this technology, and how to implement CFI yourself. Examine the code, data, and symbols Clang inserts to protect indirect calls, kernel modifications required for support, and remaining challenges. Gain insights into attack methods targeting function pointers, understand the differences between forward-edge and backward-edge protection, and witness a demonstration of CFI thwarting a kernel attack. Learn about jump tables, type mangling, implementation ideas, and potential gotchas in CFI adoption. Discover the current upstreaming status, how to identify CFI failures, and engage in thoughtful discussion about the future of kernel security.

Syllabus

Intro
Control Flow Integrity (CFI) in the Linux kernel
Attack method: write to kernel code!
What is writable and executable?
Attack method: call into kernel code!
direct function calls
indirect calls: "forward-edge"
function returns: "backward-edge"
What contains writable func ptrs?
What can attacker call? Any executable byte!
CFI: forward-edge protection
Forward-edge protection in Clang
Stock: without Clang CFI
Protected: with Clang CFI
Jump tables and type mangling
Better implementation ideas?
CFI: backward-edge protection
Backward-edge protection in Clang
Gotchas
Upstreaming status
Do it yourself!
What do failures look like?
Thoughts?

Taught by

linux.conf.au
