PeTAL: Ensuring Access Control Integrity against Data-only Attacks on Linux

Data-only attacks are emerging as a new threat to the security of modern operating systems. As a typical data-only attack, memory corruption attacks can compromise the integrity of kernel data, which effectively breaks the premises of access control systems. Unfortunately, the prevalence of memory corruption vulnerabilities allows attackers to exploit them and bypass access control mechanisms. Given the arbitrary memory access capability, attackers can overwrite access control policies or illegally access the kernel resources protected by the access control systems. This paper presents PeTAL, a practical access control integrity solution against data-only attacks on the ARM-based Linux kernel. PeTAL is designed to ensure access control integrity by providing policy integrity and complete enforcement of access control systems. PeTAL first identifies kernel data used as access control policies and kernel data protected by access control policies, based on the user interfaces of the Linux kernel. Then, PeTAL leverages the ARM Pointer Authentication Code (PAC) and Memory Tagging Extension (MTE) to comprehensively protect the integrity of the identified kernel data and pointers. We implemented the prototype of PeTAL and evaluated the performance and the security impact of PeTAL on real AArch64 hardware with PAC and MTE support. Our evaluation results show that PeTAL can effectively thwart memorycorruption-based attacks on access control systems with reasonable performance overheads at most 4% on average in user applications, demonstrating its efficient prospects for kernel security.