KALD: Detecting Direct Pointer Disclosure Vulnerabilities

Modern operating system kernels deploy Kernel Address Space Layout Randomization (KASLR) to mitigate control-flow hijacking attacks. KASLR randomizes the base addresses of the kernel's code and data segments. However, it randomizes both with a single offset and does not randomize the internal layout of either of these segments, so relative addresses remain known to adversaries. If the kernel discloses a single code or global data pointer, an adversary can therefore infer the entire layout of the kernel's code segment and bypass KASLR. In this paper, we present Kernel Address Leak Detector (KALD), a tool that finds direct disclosure vulnerabilities by statically analyzing the kernel source code. KALD can analyze the source code of modern operating system kernels and find previously unreported leaks. KALD compiles a list of functions that can leak information to user-space accessible locations, and it uses the results of a points-to analysis to determine whether individual invocations of such functions can disclose kernel pointers. We show that KALD successfully detects several direct disclosure vulnerabilities in the Linux kernel and that it is flexible enough to be useful in practice.