Syscall attacks on isolation systems based on PKU (Graz University of Technology)

This technical paper titled “Jenny: Securing Syscalls for PKU-based Memory Isolation Systems” was presented by researchers from Graz University of Technology (Austria) at the USENIX Security Symposium in Boston in August 2022.

Summary:
“Effective system call filtering is key to resisting the many exploits and privilege escalation attacks we face today. For example, modern browsers use sandboxing techniques with system call filtering to isolate critical code. Cloud computing makes heavy use of containers, which virtualize the syscall interface. Recently, cloud providers are moving to in-process containers for performance reasons, calling for better isolation primitives. A new isolation primitive that has the potential to fill this gap is called Protection Keys for Userspace (PKU). Unfortunately, previous research has pointed to serious flaws in the way PKU-based systems handle system calls, calling into question their security and practicability.

In this work, we thoroughly investigate system call filtering for PKU-based memory isolation systems. First, we identify new system call-based attacks that can break a PKU sandbox. Second, we derive the system call filtering rules needed to protect PKU domains and show effective ways to enforce them. Third, we perform a comparative study on different system call interposition techniques with respect to their suitability for PKU, which enables us to design a secure system call interposition technique that is both fast and flexible.

We are designing and prototyping Jenny – a PKU-based memory isolation system that provides powerful system call filtering capabilities in user space. Jenny supports various interposition techniques (eg, seccomp and ptrace) and allows domain-specific system call filtering in a nested fashion. Moreover, it handles asynchronous signals safely. Our assessment shows a minor performance impact of 0-5% for nginx.

Find the technical document here (prepublication).

Authors:
David Schrammel, Samuel Weiser, Richard Sadek and Stefan Mangard, Graz University of Technology

Related
Smart Backdoors: Threat Assessment
Measures are being taken to minimize the problems, but their implementation will take years.
Security risks increase with commercial chips
Choosing components from a multi-vendor menu holds great promise for reducing costs and time to market, but it’s not as simple as it sounds.
Chip substitutions raise security concerns
Many unknowns will persist for decades across multiple market segments.
Standardization of chiplet interconnects
Why UCIe is so important for heterogeneous integration.
More Technical Security Articles

Comments are closed.