Presented by

  • Kees Cook

    Kees Cook
    @kees_cook
    https://outflux.net/blog/

    Kees Cook has been working with Free Software since 1994, has been a Debian Developer since 2007, and has been a member of the Linux Kernel Technical Advisory Board since 2019. He is currently employed as a Linux kernel security engineer by Google, focusing on upstream kernel security defenses. From 2006 through 2011 he worked for Canonical as the Ubuntu Security Team's Tech Lead, and remains on the Ubuntu Technical Board. Before that, he worked as the lead sysadmin at OSDL, before it was the Linux Foundation. He has written various utilities including GOPchop and Sendpage, and contributes randomly to other projects including fun chunks of code in OpenSSH, Inkscape, Wine, MPlayer, and Wireshark.

Abstract

Like all C/C++ programs, the Linux Kernel regularly suffers from memory corruption flaws. A common way for attackers to gain execution control is to target function pointers that were saved to memory. Control Flow Integrity (CFI) seeks to sanity-check these pointers and eliminate a huge portion of attack surface. It's possible to do this today with the Linux kernel (or any program) with Clang/LLVM's CFI implementation. This presentation will discuss how Android is using Clang's CFI in the Linux kernel for recent phones, how it is being upstreamed, and what you can do to use CFI yourself. We will explore what Clang actually inserts for code, data, and symbols to protect indirect calls, what needed fixing in the kernel to support it, and what's still missing. We'll wrap up with a short demo of CFI foiling a kernel attack.