Sifter: Protecting Security-Critical Kernel Modules in Android through Attack Surface Reduction.

Author: Hsin-Wei Hung, Yingtong Liu, Sani, Ardalan Amiri
Subject:
Source: MobiCom: International Conference on Mobile Computing & Networking; 2022, p623-635, 13p
Abstract: The Linux kernel is an important part of the Trusted Computing Base (TCB) of a mobile device using the Android OS, making it attractive to attackers. While all vulnerabilities in the kernel are important, those that are directly reachable by untrusted programs pose a grave threat. This paper introduces Sifter, a solution for protecting security-critical kernel modules, i.e., those modules that are directly exposed to untrusted programs. Sifter's key approach is the use of fine-grained, highly-selective filters to reduce the attack surface of these kernel modules and make their vulnerabilities unreachable for untrusted programs. The key observation in Sifter is that there are rich patterns in how legitimate programs issue syscalls to these kernel modules; thus, one can generate filters that only allow such syscall patterns, and as a result mitigate vulnerabilities (including zero-day ones) that could only be exploited by the use of unorthodox syscall patterns. We report a prototype of Sifter and use it to generate filters for two security-critical kernel modules used in many mobile devices: the Qualcomm KGSL GPU device driver and Binder IPC. Our detailed study and evaluation of 41 recent CVEs in these two modules show that Sifter is capable of mitigating about half of all syscall-triggered vulnerabilities without a priori knowledge of these vulnerabilities. Moreover, our evaluation shows that when using an adequately large number of legitimate programs to generate the filter policies for a given module, the filter's false positive rate goes to 0%. Finally, our experiments with these filters show that, despite numerous fine-grained checks on syscalls, Sifter adds a very small or negligible performance overhead to real programs and incurs a very small amount of energy consumption. [ABSTRACT FROM AUTHOR]
Database: Complementary Index