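@comment{
  Criswell, Dautenhahn, Adve -- KCoFI (IEEE SP 2014). Kernel control-flow
  integrity for commodity kernels, enforced without full memory safety.
  Reviewer notes taken from the abstract: the formal verification covers a
  modelled subset of the design with a partial proof, and the ROP-gadget
  evaluation is specific to the FreeBSD kernel, so cite the scope accordingly.
  The exported hash-style citation key is kept unchanged so existing
  citations still resolve; braces were normalised and the acronym in the
  title is protected from style recasing.
}
@inproceedings{2a4220b9491840ae9ec3e98ed27547e4,
  author    = {Criswell, John and Dautenhahn, Nathan and Adve, Vikram},
  title     = {{KCoFI}: Complete Control-Flow Integrity for Commodity Operating System Kernels},
  booktitle = {Proceedings - {IEEE} Symposium on Security and Privacy},
  series    = {Proceedings - {IEEE} Symposium on Security and Privacy},
  publisher = {Institute of Electrical and Electronics Engineers Inc.},
  address   = {United States},
  year      = {2014},
  month     = nov,
  day       = {13},
  pages     = {292--307},
  doi       = {10.1109/SP.2014.26},
  language  = {English (US)},
  keywords  = {FreeBSD, compiler, control-flow integrity, formal verification, operating systems},
  note      = {35th {IEEE} Symposium on Security and Privacy (SP 2014), conference date 18-05-2014 through 21-05-2014. Publisher copyright: {\textcopyright} 2014 IEEE.},
  abstract  = {We present a new system, KCoFI, that is the first we know of to provide complete Control-Flow Integrity protection for commodity operating systems without using heavyweight complete memory safety. Unlike previous systems, KCoFI protects commodity operating systems from classical control-flow hijack attacks, return-to-user attacks, and code segment modification attacks. We formally verify a subset of KCoFI's design by modeling several features in small-step semantics and providing a partial proof that the semantics maintain control-flow integrity. The model and proof account for operations such as page table management, trap handlers, context switching, and signal delivery. Our evaluation shows that KCoFI prevents all the gadgets found by an open-source Return Oriented Programming (ROP) gadget-finding tool in the FreeBSD kernel from being used, it also reduces the number of indirect control-flow targets by 98.18\%. Our evaluation also shows that the performance impact of KCoFI on web server bandwidth is negligible while file transfer bandwidth using OpenSSH is reduced by an average of 13\%, and at worst 27\%, across a wide range of file sizes. Postmark, an extremely file-system intensive benchmark, shows 2x overhead. Where comparable numbers are available, the overheads of KCoFI are far lower than heavyweight memory-safety techniques.},
}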