- Complete title: Midas: Systematic Kernel TOCTTOU Protection
- PDF: 310cd6ee26f6804946ef4c22b95c422a075d062f_sec22-bhattacharyya.pdf
Yet another cool paper from the HexHive people (Mathias Payer ♥)
with Uroš Tešić from Nvidia.
The main idea is to mitigate TOCTTOU (double-fetch) bugs that arise when the Linux kernel
reads the same userspace memory more than once during a syscall: every userspace page the
kernel touches is made immutable from the kernel's point of view for the lifetime of that
syscall. Midas instruments the user-access primitives (copy_from_user/copy_to_user/mm_populate/…)
and relies on page-table permissions, so that a concurrent userspace write hits a page fault
the kernel can intercept.
- Snapshot the page on the kernel's first read.
- Serve the kernel's later reads within the syscall from the snapshot.
- Duplicate the page when userspace writes to it concurrently; the write lands on the copy.
- Discard the snapshot when the syscall finishes.
- Commit the last-written copy as the live page.
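To make the bullets above concrete, here is a small userspace C model of the scheme (an added example, not code from the paper or its released implementation). A toy syscall with a double fetch of a user-controlled length runs once against a plain page and once against a Midas-protected page, with a racing user write between the two fetches. The page size, the `struct msg` layout, the 60-byte value the racer writes and all function names are assumptions of the model; the real mechanism works on page-table permissions and fault handling, which the model collapses into the `touched`/`duplicated` flags.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 64 /* toy page size for the model */

/* One user page in the model (assumed layout, not the paper's code). */
struct user_page {
    uint8_t current[PAGE_SIZE];   /* what user threads see and write */
    uint8_t snapshot[PAGE_SIZE];  /* frozen copy the kernel reads after a duplicate */
    int protect, touched, duplicated; /* Midas on; kernel touched page; write forced a copy */
};

/* copy_from_user() in the model: the first access marks the page (Midas write-protects
 * the user mapping here); later accesses read the snapshot once a write forced a copy. */
static void k_copy_from_user(struct user_page *pg, void *dst, size_t off, size_t n)
{
    if (pg->protect)
        pg->touched = 1;
    const uint8_t *src = (pg->protect && pg->duplicated) ? pg->snapshot : pg->current;
    memcpy(dst, src + off, n);
}

/* A user thread's store. On a touched page it faults; the handler keeps the old contents
 * as the kernel's snapshot and lets the store land on the user's copy. */
static void u_write(struct user_page *pg, size_t off, const void *src, size_t n)
{
    if (pg->protect && pg->touched && !pg->duplicated) {
        memcpy(pg->snapshot, pg->current, PAGE_SIZE);
        pg->duplicated = 1;
    }
    memcpy(pg->current + off, src, n);
}

/* End of syscall: drop the snapshot; the last-written copy stays the live page. */
static void k_syscall_end(struct user_page *pg)
{
    pg->touched = pg->duplicated = 0;
}

/* User-visible message at the start of the page (constructed layout). */
struct msg { uint32_t len; uint8_t data[PAGE_SIZE - sizeof(uint32_t)]; };

/* Toy syscall with the classic double fetch: `len` is read once to validate and again
 * for the copy; `racer` models a second user thread running between the two fetches.
 * Returns bytes copied, -1 if validation fails, -2 if the re-read length would overflow kbuf. */
static int sys_recv_msg(struct user_page *pg, uint8_t *kbuf, size_t kbufsz,
                        void (*racer)(struct user_page *))
{
    uint32_t len;
    struct msg m;
    k_copy_from_user(pg, &len, offsetof(struct msg, len), sizeof len); /* fetch 1: check */
    if (len > kbufsz) {
        k_syscall_end(pg);
        return -1;
    }
    if (racer)
        racer(pg);
    k_copy_from_user(pg, &m, 0, sizeof m);                               /* fetch 2: use */
    k_syscall_end(pg);
    if (m.len > kbufsz)
        return -2; /* a real kernel would copy m.len bytes here and corrupt memory */
    memcpy(kbuf, m.data, m.len);
    return (int)m.len;
}

/* Attacker thread: grow len once the check has passed. */
static void racer_grow_len(struct user_page *pg)
{
    uint32_t big = 60;
    u_write(pg, offsetof(struct msg, len), &big, sizeof big);
}

/* Run the race on an unprotected (0) or Midas-protected (1) page; *user_len is what
 * user space sees once the syscall is over. */
static int run_race(int midas, uint32_t *user_len)
{
    struct user_page pg = { .protect = midas };
    struct msg init = { .len = 8 };
    uint8_t kbuf[16] = {0};
    memcpy(init.data, "ABCDEFGH", 8);
    memcpy(pg.current, &init, sizeof init);
    int rc = sys_recv_msg(&pg, kbuf, sizeof kbuf, racer_grow_len);
    memcpy(user_len, pg.current, sizeof *user_len);
    return rc;
}

static int race_rc(int midas) { uint32_t l; return run_race(midas, &l); }
static uint32_t race_user_len(int midas) { uint32_t l; run_race(midas, &l); return l; }

int main(void)
{
    printf("no Midas: rc=%d (second fetch saw the enlarged len)\n", race_rc(0));
    printf("Midas:    rc=%d, user space sees len=%u afterwards\n", race_rc(1), race_user_len(1));
    return 0;
}
```

Without protection the second fetch observes the attacker's enlarged length and the handler would overflow its 16-byte buffer; with the model's Midas semantics both fetches see the snapshot, the copy proceeds with the validated length, and once the syscall is over user space still holds its own last write (len = 60), which is the commit step in the last bullet.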
The paper details the edge cases that have to be handled explicitly, such as confused-deputy
problems, unusual drivers, double mappings of the same physical page, and syscalls with
special semantics (execve, futex, rt_sigaction, …).
The measured performance impact is around 3.4% on the Phoronix Test Suite and 3.7% on the NAS Parallel Benchmarks, although more worrying numbers, a 13-14% impact on nginx, have been observed in some particular configurations.
It's overall a simple'n'cool idea, but it could wreak havoc in production by breaking kernel code that is vulnerable today yet happens to work, so it might be wise to run it under syzkaller for a while before considering deploying it.
The code has of course been published, and the paper was presented at the 31st USENIX Security Symposium.