Kernel memory disclosures - also known as kernel information leaks - denote the inadvertent
copying of uninitialized bytes from kernel space to user space. Such disclosed memory may
contain cryptographic keys, information about the kernel memory layout, or other forms of secret
data. In this presentation, we introduce KLEAK, our method to dynamically detect kernel memory disclosures.
It utilizes a simple form of taint tracking, enhanced with compiler instrumentation as well as rotation of
the taint values to decrease false positives. KLEAK detected more than 20 kernel information leaks in NetBSD-current and FreeBSD 11.2.
Kernel memory disclosures - also known as kernel information leaks - denote the inadvertent
copying of uninitialized bytes from kernel space to user space. Such disclosed memory may
contain cryptographic keys, information about the kernel memory layout, or other forms of secret
data. Even though kernel memory disclosures do not allow direct exploitation of a system, they
lay the ground for it.
We introduce KLEAK, a simple approach to dynamically detect kernel information leaks.
Simply said, KLEAK utilizes a rudimentary form of taint tracking: it taints kernel memory with
marker values, lets the data travel through the kernel and scans the buffers exchanged between the
kernel and the user space for these marker values. By using compiler instrumentation and rotating
the markers at regular intervals, KLEAK significantly reduces the number of false positives, and is
able to yield relevant results with little effort.
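To make the three ingredients of the approach concrete (tainting fresh kernel memory with a marker value, scanning kernel-to-user copies for runs of that marker, and rotating the marker so that legitimate data which happens to equal the marker stops being reported), here is a small user-space simulation. It is an added example, not KLEAK's or NetBSD's code: `kleak_alloc`, `kleak_copyout`, `kleak_rotate_marker`, `struct msg`, the marker values and the minimum run length are all constructed for illustration. The leaky handler copies out a struct whose `name` field is only partially written; the fixed handler zeroes the object first, which is the usual remedy for this class of bug.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical user-space simulation of KLEAK-style marker tainting.
 * Not the NetBSD implementation; all names and constants are constructed. */

#define KLEAK_MIN_RUN 8  /* constructed: report a run of this many marker bytes */

static uint8_t kleak_marker = 0xA5;  /* current taint value (constructed default) */

/* Rotate the marker to a fresh value derived from 'seed' (stand-in for the
 * periodic rotation the paper describes). Skips 0x00, 0xFF and the old value. */
uint8_t kleak_rotate_marker(uint8_t seed)
{
    uint8_t next = (uint8_t)(seed * 0x9D + 0x31);      /* full-period LCG mod 256 */
    while (next == kleak_marker || next == 0x00 || next == 0xFF)
        next = (uint8_t)(next * 0x9D + 0x31);
    kleak_marker = next;
    return next;
}

/* Allocation hook: every fresh byte carries the marker (stand-in for the
 * allocator/compiler instrumentation that taints kernel memory). */
void *kleak_alloc(size_t n)
{
    void *p = malloc(n);
    if (p != NULL)
        memset(p, kleak_marker, n);
    return p;
}

/* Scan a kernel->user buffer; returns the offset of the first run of
 * KLEAK_MIN_RUN marker bytes, or -1 if the buffer looks clean. */
long kleak_scan(const uint8_t *buf, size_t len, uint8_t marker)
{
    size_t run = 0;
    for (size_t i = 0; i < len; i++) {
        if (buf[i] == marker) {
            if (++run == KLEAK_MIN_RUN)
                return (long)(i + 1 - KLEAK_MIN_RUN);
        } else {
            run = 0;
        }
    }
    return -1;
}

/* copyout() stand-in: performs the copy, then scans the user-visible bytes. */
long kleak_copyout(const void *kaddr, void *uaddr, size_t len)
{
    memcpy(uaddr, kaddr, len);
    return kleak_scan((const uint8_t *)uaddr, len, kleak_marker);
}

struct msg {          /* 32 bytes, no padding on common ABIs */
    uint64_t id;
    uint32_t type;
    char     name[20];
};

/* Builds a reply and copies it out. With fixed == 0 only the fields actually
 * used are written, leaving the tail of 'name' tainted; with fixed != 0 the
 * object is zeroed first, so no marker bytes reach the user buffer. */
static long run_handler(int fixed)
{
    uint8_t ubuf[sizeof(struct msg)];
    struct msg *m = kleak_alloc(sizeof *m);
    long off;

    if (m == NULL)
        return -2;
    if (fixed)
        memset(m, 0, sizeof *m);           /* the fix: initialise the whole object */
    m->id = 7;
    m->type = 1;
    strcpy(m->name, "ok");                 /* only 3 of 20 name bytes written */
    off = kleak_copyout(m, ubuf, sizeof *m);
    free(m);
    return off;
}

long demo_leaky_handler(void) { kleak_marker = 0xA5; return run_handler(0); } /* 15 */
long demo_fixed_handler(void) { kleak_marker = 0xA5; return run_handler(1); } /* -1 */

/* Rotation: constructed user-chosen data equal to the marker is a false
 * positive before rotation and clean after it, while a real leak allocated
 * after rotation is still caught because it carries the new marker. */
int demo_rotation_reduces_false_positives(void)
{
    uint8_t legit[16], ubuf[16];
    int flagged_before, clean_after, still_catches_leak;

    kleak_marker = 0xA5;
    memset(legit, 0xA5, sizeof legit);
    flagged_before = kleak_copyout(legit, ubuf, sizeof legit) == 0;
    kleak_rotate_marker(1);               /* marker becomes 0xCE */
    clean_after = kleak_copyout(legit, ubuf, sizeof legit) == -1;
    still_catches_leak = run_handler(0) == 15;
    return flagged_before && clean_after && still_catches_leak;
}

int main(void)
{
    printf("leaky handler: leak at offset %ld\n", demo_leaky_handler());
    printf("fixed handler: %ld\n", demo_fixed_handler());
    printf("rotation removes false positive: %d\n", demo_rotation_reduces_false_positives());
    return 0;
}
```

The reported offset 15 is `offsetof(struct msg, name)` plus the three bytes of `"ok\0"`, i.e. exactly where the uninitialised tail begins; a real implementation maps such an offset back to the syscall or ioctl that performed the copyout.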
Our approach is practically feasible as we prove with an implementation for the NetBSD
kernel. A small performance penalty is introduced, but the system remains usable. In addition to
implementing KLEAK in the NetBSD kernel, we applied our approach to FreeBSD 11.2. In total,
we detected 21 previously unknown kernel memory disclosures in NetBSD-current and FreeBSD
11.2, which were fixed subsequently. As a follow-up, the projects' developers manually audited
related kernel areas and identified dozens of other kernel memory disclosures.