October 24, 2013: Attack surface measurements for state-of-the-art kernel hardening mechanisms

  • Speaker: Sergej Dechand
  • Title: Attack surface measurements for state-of-the-art kernel hardening mechanisms
  • Abstract: In the light of numerous vulnerabilities in commodity operating systems such as Linux and Windows, many kernel hardening solutions have been proposed in academia and industry. Such security enhancements often come with drawbacks, either in terms of performance, stability, or both. More importantly, their security improvements are rarely quantified. As a result, many decision-makers who could adopt those features are reluctant to do so, since these hardening approaches are seen as an assured loss of performance or stability with no quantifiable security improvement. This thesis tackles the difficult problem of quantifying the security improvements brought by various kernel hardening approaches, to enable objective comparisons between them. We propose a call graph based analysis framework for precise attack surface evaluations of different kernel hardening mechanisms: Linux Security Modules (LSM) based frameworks, kRazor, kernel tailoring, sandboxing, and kernel extension isolation approaches. An objective comparison is enabled by developing an attack surface quantification that covers the underlying kernel configuration, the unprivileged attacker security model, the required system workloads, and the deployed hardening mechanism. We present a novel call graph generation and attack surface quantification approach: context-insensitive call graphs are obtained at compile time, followed by a reachability analysis based on context information from call stacks recorded at run time.
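The quantification the abstract describes, sketched as an added Python example that is not the thesis' framework or its code: a toy compile-time call graph, an unprivileged attacker model given as a set of entry syscalls, run-time call stacks from a workload, and a reachability count that compares an unhardened kernel with a syscall sandbox and a workload-tailored kernel. All function names, edges and stacks are constructed for illustration.

```python
from collections import deque

# Constructed toy "compile-time" call graph, caller -> callees (edges invented).
STATIC_CALL_GRAPH = {
    "sys_open": ["do_sys_open", "security_file_open"],
    "sys_read": ["vfs_read"],
    "sys_ioctl": ["do_vfs_ioctl", "driver_ioctl"],
    "sys_mount": ["do_mount"],
    "do_sys_open": ["vfs_open"],
    "vfs_open": ["generic_open"],
    "vfs_read": ["generic_read"],
    "do_vfs_ioctl": ["generic_ioctl"],
    "driver_ioctl": ["driver_parse_request"],
    "driver_parse_request": ["driver_dma"],
    "do_mount": ["vfs_mount"],
}

# Attacker model: syscalls an unprivileged process may issue (constructed;
# sys_mount is excluded because it needs privilege).
UNPRIVILEGED_ENTRY_POINTS = {"sys_open", "sys_read", "sys_ioctl"}

# Run-time call stacks recorded while executing the required workload (constructed).
WORKLOAD_CALL_STACKS = [
    ("sys_open", "do_sys_open", "vfs_open", "generic_open"),
    ("sys_read", "vfs_read", "generic_read"),
    ("sys_ioctl", "do_vfs_ioctl", "generic_ioctl"),
]

def reachable_functions(graph, entry_points, allowed=None):
    """Forward reachability from the entry points over the static call graph;
    `allowed`, when given, limits the walk to functions the hardening keeps."""
    keep = (lambda f: True) if allowed is None else (lambda f: f in allowed)
    seen, queue = set(), deque(f for f in entry_points if keep(f))
    while queue:
        func = queue.popleft()
        if func in seen:
            continue
        seen.add(func)
        queue.extend(c for c in graph.get(func, []) if keep(c))
    return seen

def compare_hardening(graph, entries, stacks):
    """Attack surface (reachable kernel functions) for an unhardened kernel, a
    syscall sandbox blocking sys_ioctl, and a kernel tailored to the workload."""
    observed = {func for stack in stacks for func in stack}  # run-time context
    return {
        "baseline": len(reachable_functions(graph, entries)),
        "sandbox_no_ioctl": len(reachable_functions(graph, entries - {"sys_ioctl"})),
        "tailored": len(reachable_functions(graph, entries, allowed=observed)),
    }
```

With the constructed data the unprivileged attacker reaches 14 functions unhardened, 8 behind the sandbox and 10 in the tailored kernel; the tailored kernel still exposes sys_ioctl but cuts the unexercised driver path including driver_dma.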