Oftentimes there is a large window between a kernel vulnerability disclosure and its remediation, leaving the system open to exploitation. hotBPF is designed to protect the Linux kernel from kernel heap exploitation during this window. At a high level, hotBPF uses the eBPF mechanism to isolate memory corruption at run time, preventing the corruption from overwriting or over-reading sensitive data (e.g., function pointers). Technically, it first statically analyzes the bug report generated by Syzkaller (or another compatible bug discovery tool) to identify the vulnerable structures (i.e., where the corruption happens). Then it uses the eBPF mechanism to isolate those vulnerable structures.
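The first step described above, extracting the vulnerable object from a bug report, can be illustrated with a small parser for the KASAN report format that Syzkaller collects. This is an added example and not hotBPF's own analysis code; the report text is constructed for the example (the `demo_*` function names are hypothetical), and the fields that `plan_isolation` collects are an assumption about what an allocation-isolation policy needs as input, namely the cache the object lives in, the allocation site whose objects should be moved to a dedicated cache, and how far the observed access reaches.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the style of a KASAN report; not a real bug.
SAMPLE_REPORT = """\
BUG: KASAN: slab-out-of-bounds in demo_ioctl_write+0x1a4/0x2b0
Write of size 8 at addr ffff8881089a1f48 by task syz-executor/1234

CPU: 0 PID: 1234 Comm: syz-executor Not tainted 5.15.0 #1
Call Trace:
 dump_stack_lvl+0x57/0x7d
 print_address_description.constprop.0+0x1f/0x140
 kasan_report.cold+0x7f/0x11b
 demo_ioctl_write+0x1a4/0x2b0
 demo_ioctl+0x88/0x120
 __x64_sys_ioctl+0x19d/0x220
 do_syscall_64+0x35/0xb0
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Allocated by task 1234:
 kasan_save_stack+0x1e/0x40
 __kasan_kmalloc+0x9c/0xd0
 kmem_cache_alloc_trace+0x1a5/0x300
 demo_alloc_ctx+0x3c/0xa0
 demo_open+0x5a/0x110
 chrdev_open+0x1c1/0x500

The buggy address belongs to the object at ffff8881089a1f00
 which belongs to the cache kmalloc-96 of size 96
The buggy address is located 72 bytes inside of
 96-byte region [ffff8881089a1f00, ffff8881089a1f60)
"""

# Frames that belong to KASAN or the slab allocator itself, not to the
# subsystem that owns the object.
ALLOCATOR_PREFIXES = ("kasan_", "__kasan_", "kmem_cache_", "kmalloc",
                      "__kmalloc", "kzalloc", "__kzalloc", "slab_")


@dataclass
class KasanFinding:
    bug_type: str                 # e.g. slab-out-of-bounds, use-after-free
    access: str                   # "Read" or "Write"
    size: int                     # bytes accessed
    addr: int                     # faulting address
    fault_fn: str                 # function performing the bad access
    cache: Optional[str] = None   # slab cache holding the object
    cache_size: Optional[int] = None
    object_addr: Optional[int] = None
    offset: Optional[int] = None  # distance from object start
    relation: Optional[str] = None  # "inside of", "to the right of", ...
    alloc_stack: List[str] = field(default_factory=list)

    @property
    def alloc_site(self) -> Optional[str]:
        """First allocation frame outside KASAN/slab internals."""
        for fn in self.alloc_stack:
            if not fn.startswith(ALLOCATOR_PREFIXES):
                return fn
        return None


def _frames(section: str) -> List[str]:
    """Turn ' fn+0xoff/0xlen' lines into bare function names."""
    frames = []
    for line in section.splitlines():
        line = line.strip()
        if not line:
            break
        frames.append(line.split("+", 1)[0])
    return frames


def parse_report(text: str) -> KasanFinding:
    head = re.search(r"BUG: KASAN: (\S+) in (\w+)", text)
    acc = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)", text)
    if not head or not acc:
        raise ValueError("not a KASAN report")
    f = KasanFinding(bug_type=head.group(1), fault_fn=head.group(2),
                     access=acc.group(1), size=int(acc.group(2)),
                     addr=int(acc.group(3), 16))
    m = re.search(r"belongs to the object at ([0-9a-f]+)", text)
    if m:
        f.object_addr = int(m.group(1), 16)
    m = re.search(r"belongs to the cache (\S+) of size (\d+)", text)
    if m:
        f.cache, f.cache_size = m.group(1), int(m.group(2))
    m = re.search(r"located (\d+) bytes (inside of|to the right of|to the left of)", text)
    if m:
        f.offset, f.relation = int(m.group(1)), m.group(2)
    m = re.search(r"Allocated by task \d+:\n(.*?)(?:\n\s*\n|\Z)", text, re.S)
    if m:
        f.alloc_stack = _frames(m.group(1))
    return f


def plan_isolation(f: KasanFinding) -> dict:
    """Collect the inputs an isolation policy would need (assumed shape):
    which allocation to redirect and how far the observed corruption reaches."""
    plan = {"cache": f.cache, "alloc_site": f.alloc_site,
            "fault_fn": f.fault_fn, "access": f"{f.access} {f.size} bytes"}
    if f.offset is not None and f.cache_size is not None and f.relation == "inside of":
        end = f.offset + f.size
        plan["bytes_past_object_offset"] = end
        # True would mean the access already spills into the neighbouring slot;
        # a fuzzer-observed instance is a lower bound on what the bug allows.
        plan["reaches_beyond_slot"] = end > f.cache_size
    return plan


if __name__ == "__main__":
    finding = parse_report(SAMPLE_REPORT)
    print(finding)
    print(plan_isolation(finding))
```

The allocation-site frame is the useful output: a dedicated-cache policy attaches at that allocation path, not at the faulting function, since the goal is to keep the corruptible object away from other objects in the shared `kmalloc-96` cache.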
The advantages of hotBPF are as follows:
- automatically deploys protection immediately after the vulnerability disclosure
- can be enabled on the fly, with no need to disrupt critical services to recompile and reboot the system (which is why it is called hot)
- compared with the existing memory exploitation mitigations in the Linux kernel, it offers stronger protection by preventing cross-cache exploitation
- independent of hardware features and hypervisor virtualization, so it can be widely deployed in a variety of scenarios (e.g., embedded systems, desktops, and cloud servers)
- lightweight, with negligible overhead
Since we are seeking to commercialize hotBPF, in this public repository of hotBPF we are only able to open source (1) the kernel code needed to support hotBPF, (2) sample BPF programs to enforce isolation, and (3) sample test cases, on the basis of v5.15, as the GPL license requires.
```bash
mkdir linux-5.15-harden
cd linux-5.15-harden
wget https://mirrors.edge.kernel.org/pub/linux/kernel/v5.x/linux-5.15.tar.gz
tar xvf linux-5.15.tar.gz
cd linux-5.15            # the tarball unpacks into linux-5.15/
# Copy all patch files from 5.15-patch/ into the kernel tree and apply them
make -j4 deb-pkg
cd ..
sudo dpkg -i linux-*.deb
# Reboot the whole system to run the hardened kernel
```
```bash
cd src/bpf/bug-kobject_add_internal
make
sudo ./hotbpf-bug-kobject_add_internal
```