SeaK: Rethinking the Design of a Secure Allocator for OS Kernel

Zicheng Wang, Yicheng Guang, Yueqi Chen, Zhenpeng Lin, Michael Le, Dang K Le, Dan Williams, Xinyu Xing, Zhongshu Gu, Hani Jamjoom

33rd USENIX Security Symposium · Day 1 · USENIX Security '24

The talk "SeaK: Rethinking the Design of a Secure Allocator for OS Kernel" introduces a novel approach to mitigating kernel heap exploits by focusing on the selective protection of "exploit-critical objects." Presented by Zicheng Wang and a team of researchers from Nankai University, SE Border, Northwestern University, IBM, and Virginia Tech, SeaK addresses a fundamental dilemma in operating system security: the persistent tradeoff between the performance overhead and the effectiveness of kernel heap hardening mechanisms. The team's work earned all three badges from the USENIX AE committee, highlighting its practical significance and robust implementation.

AI review

This research introduces SeaK, a novel eBPF-driven on-demand secure allocator for the Linux kernel. By intelligently isolating "exploit-critical objects" with guard pages and random offsets, SeaK effectively mitigates kernel heap exploits like dirty_cred with negligible performance overhead, offering a pragmatic and scalable solution to a persistent security dilemma.
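
A user-space analogue of the guard-page and random-offset isolation described above, written as an added example; it is not SeaK's kernel or eBPF code. The struct and function names are hypothetical, and `rand()` stands in for a proper random source.

```c
#define _DEFAULT_SOURCE
#include <stdint.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* One isolated object laid out as [guard page][data page][guard page]. */
struct guarded {
    unsigned char *base; /* start of the 3-page mapping */
    size_t page;         /* page size in bytes */
    unsigned char *obj;  /* object address inside the data page */
};

/* Give one object its own page between two PROT_NONE guard pages, at a
 * random 16-byte-aligned offset. Returns 0 on success, -1 on error. */
int guarded_alloc(struct guarded *g, size_t size)
{
    long ps = sysconf(_SC_PAGESIZE);
    if (ps <= 0 || size == 0 || size > (size_t)ps)
        return -1;
    g->page = (size_t)ps;
    g->base = mmap(NULL, 3 * g->page, PROT_NONE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (g->base == MAP_FAILED)
        return -1;
    /* Only the middle page becomes readable and writable. */
    if (mprotect(g->base + g->page, g->page, PROT_READ | PROT_WRITE) != 0) {
        munmap(g->base, 3 * g->page);
        return -1;
    }
    size_t slots = (g->page - size) / 16 + 1; /* valid 16-byte slots */
    g->obj = g->base + g->page + ((size_t)rand() % slots) * 16;
    return 0;
}

/* Fork a child that writes one byte into the trailing guard page.
 * Returns 1 if the child did not survive the write, 0 if it did. */
int overflow_is_trapped(const struct guarded *g)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        volatile unsigned char *p = g->base + 2 * g->page;
        *p = 0x41; /* faults: the guard page is PROT_NONE */
        _exit(0);
    }
    int st = 0;
    if (waitpid(pid, &st, 0) < 0) return -1;
    return !(WIFEXITED(st) && WEXITSTATUS(st) == 0);
}

void guarded_free(struct guarded *g) { munmap(g->base, 3 * g->page); }
```

The guard pages trap accesses that leave the object's page; a write that stays inside the page's unused slack is not caught by this layout.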
