Abstract. Hardening OS kernels against memory errors is generally addressed by protecting security-critical data against corruption and disclosure. However, establishing a sound model for identifying sensitive memory objects in need of protection is hard, leading to emergent attack vectors that can be abused by attackers. In this paper, we propose rethinking how OS kernels are hardened by introducing IUBIK for compartmentalizing kernel memory. IUBIK prevents kernel exploitation by segregating attacker-controlled data—frequently used to manipulate security-critical data—in shadow memory, preventing it from interacting with sensitive kernel objects. To achieve this, IUBIK uses MTE: a recent hardware feature, available in ARM CPUs, which allows efficiently mitigating exploits based on both spatial and temporal memory errors. We ensure that segregated objects do not contain sensitive fields, such as pointers, by rewriting their struct definitions. Moreover, we develop a profiling framework that explores the kernel codebase in depth and records code sites where attacker-controlled objects are allocated, allowing IUBIK to isolate them; our profiler recorded 292 privileged and 212 non-privileged allocation sites for a diverse set of workloads. Finally, we evaluate an implementation of IUBIK for the Linux kernel across a suite of micro- and macro-benchmarks, demonstrating that our prototype incurs no runtime overhead in most tests and negligible additional memory consumption.
Further information about the design and implementation of IUBIK can be found in our paper presented at S&P 2025.
@inproceedings{momeu2025iubik,
title={IUBIK: Isolating User Bytes in Commodity Operating System Kernels via Memory Tagging Extensions},
author={Momeu, Marius and Gaidis, Alexander J and vd Heidt, Jasper and Kemerlis, Vasileios P},
booktitle={2025 IEEE Symposium on Security and Privacy (SP)},
pages={867--885},
year={2025},
organization={IEEE}
}
Install repo.
Clone Linux kernel v5.15 repo for Pixel 8 (Android 14):
repo init -u https://android.googlesource.com/kernel/manifest -b android-gs-shusky-5.15-android14-qpr3
repo sync -c --no-tags
Apply IUBIK patches:
cd <linux-kernel-android>
cd aosp
git apply iubik-kernel.patch
cd -
cd private/google-modules/wlan/bcm4383
git apply iubik-bcm4383.patch
cd -
cd private/google-modules/wlan/bcm4398
git apply iubik-bcm4398.patch
Build kernel (if you encounter errors see next item):
cd <linux-kernel-android>
BUILD_AOSP_KERNEL=1 ./build_shusky.sh
If you encounter the following error:
ERROR: The following kernel modules are built but not copied. Add these lines to the module_outs attribute of @//aosp:kernel_aarch64:
"net/ax25/ax25.ko",
"drivers/net/hamradio/6pack.ko",
add the suggested lines in aosp/modules.bzl under:
_COMMON_GKI_MODULES_LIST = [
...
]
Flash images on the Pixel 8 and reboot:
adb reboot bootloader
fastboot flash boot out/shusky/dist/boot.img
fastboot flash vendor_kernel_boot out/shusky/dist/vendor_kernel_boot.img
fastboot flash dtbo out/shusky/dist/dtbo.img
fastboot reboot fastboot
fastboot flash system_dlkm out/shusky/dist/system_dlkm.img
fastboot flash vendor_dlkm out/shusky/dist/vendor_dlkm.img
fastboot reboot