RandCompile: Removing Forensic Gadgets from the Linux Kernel to Combat its Analysis

Fabian Franzen, Andreas Chris Wilhelmer, Jens Grossklags

Publication: Chapter in book/report/conference proceedings > Conference contribution > Peer-reviewed

Abstract

Recently proposed tools such as LogicMem, Katana, and AutoProfile enable a fine-grained inspection of the operating system's memory. They provide insights that were previously only available for Linux machines specifically instrumented for cooperation with virtual machine introspection frameworks. An overly controlling cloud operator can now regularly deep-inspect VMs under their control. In this paper, we investigate how the concept of software diversity can be employed to remove structural information from the Linux kernel to harden it against automated analysis by the aforementioned tools. We employ a mixture of small targeted obfuscations of the memory layout and randomization of the ABI between functions in the Linux kernel, since these otherwise provide predictable artifacts across different compilers and kernel configurations, and even when Structure Layout Randomization is enabled. We provide an implementation of our ideas in RandCompile, which is composed of a small patch set for the 5.15 Linux LTS kernel and a compiler plugin. RandCompile seeks to remove structural information artifacts, which we call forensic gadgets, to eliminate all leverage points for further analysis by the tools mentioned above. Our approach does not require major modifications to the kernel code base and has only a negligible performance impact (less than 5%), which is less than that of other major security or debugging features enabled by default in the Linux kernel.
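To make the notion of a "forensic gadget" concrete, the following added example (written for this page, not RandCompile's code and not the real task_struct layout) builds a small constructed memory image containing task-like objects and runs a scanner that works the way signature-based memory forensics does: it keys on an invariant string (a kernel thread name such as "kthreadd"), assumes the object starts at a fixed offset before it, and reads the pid from a hardcoded field offset. The same scanner is then run against an image built with a hypothetical permuted layout, standing in for the layout randomization the abstract discusses. All offsets, object sizes and sample tasks are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a kernel object such as task_struct, placed in a
 * small constructed memory image. Layouts and sizes are hypothetical. */
#define COMM_LEN 16
#define OBJ_SIZE 64
#define IMG_SIZE 1024

/* Field offsets an analysis tool expects: the predictable reference layout. */
enum { REF_PID = 0, REF_STATE = 8, REF_COMM = 16 };

/* Offsets of the same fields after a hypothetical layout randomization. */
enum { RND_PID = 0, RND_STATE = 16, RND_COMM = 32 };

/* Write one task-like object at image offset `at` using the given field offsets. */
static void emit_task(uint8_t *img, size_t at, int off_pid, int off_state,
                      int off_comm, int32_t pid, int32_t state, const char *comm)
{
    memset(img + at, 0, OBJ_SIZE);
    memcpy(img + at + off_pid, &pid, sizeof pid);
    memcpy(img + at + off_state, &state, sizeof state);
    strncpy((char *)img + at + off_comm, comm, COMM_LEN - 1);
}

/* Fill a constructed image with two sample tasks, in either layout. */
void build_image(uint8_t *img, int randomized)
{
    int op = randomized ? RND_PID : REF_PID;
    int os = randomized ? RND_STATE : REF_STATE;
    int oc = randomized ? RND_COMM : REF_COMM;
    memset(img, 0, IMG_SIZE);
    emit_task(img, 128, op, os, oc, 1, 0x40, "systemd");   /* constructed sample */
    emit_task(img, 256, op, os, oc, 2, 0x40, "kthreadd");  /* constructed sample */
}

/* The forensic gadget: a comm string such as "kthreadd" is invariant across
 * builds, so the scanner locates it and then applies the reference offsets to
 * recover the object base and its pid. Returns the pid the scanner believes it
 * found, or -1 if the needle does not occur in the image. */
int32_t scan_task_pid(const uint8_t *img, size_t len, const char *comm)
{
    size_t nlen = strlen(comm) + 1;   /* match the NUL too, so "kthreadd" != "kthreaddX" */
    for (size_t i = REF_COMM; i + nlen <= len; i++) {
        if (memcmp(img + i, comm, nlen) != 0)
            continue;
        size_t base = i - REF_COMM;   /* assumed object start under the reference layout */
        if (base + OBJ_SIZE > len)
            return -1;
        int32_t pid;
        memcpy(&pid, img + base + REF_PID, sizeof pid);
        return pid;
    }
    return -1;
}

/* Build an image with the chosen layout and run the scanner on it. */
int32_t demo_pid(int randomized, const char *comm)
{
    static uint8_t img[IMG_SIZE];
    build_image(img, randomized);
    return scan_task_pid(img, IMG_SIZE, comm);
}

int main(void)
{
    printf("reference layout:  kthreadd pid = %d\n", demo_pid(0, "kthreadd"));
    printf("randomized layout: kthreadd pid = %d\n", demo_pid(1, "kthreadd"));
    return 0;
}
```

On the reference image the scanner recovers pid 2 for "kthreadd". On the permuted image it still finds the string, but the hardcoded offset arithmetic now lands on the neighbouring state field and it confidently reports pid 64: the invariant string survived, the structural assumption around it did not. This is the fixed-offset dependence that Structure Layout Randomization already breaks; the abstract's point is that the targeted tools recover layouts from artifacts that survive it (compiler output patterns and the inter-function ABI), which is why RandCompile randomizes those as well rather than only the struct layout.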

Original language: English
Title: Proceedings - 39th Annual Computer Security Applications Conference, ACSAC 2023
Publisher: Association for Computing Machinery
Pages: 677-690
Number of pages: 14
ISBN (electronic): 9798400708862
DOIs
Publication status: Published - 4 Dec 2023
Event: 39th Annual Computer Security Applications Conference, ACSAC 2023 - Austin, United States
Duration: 4 Dec 2023 to 8 Dec 2023

Publication series

Name: ACM International Conference Proceeding Series

Conference

Conference: 39th Annual Computer Security Applications Conference, ACSAC 2023
Country/Territory: United States
City: Austin
Period: 4/12/23 to 8/12/23

