Stop! Sandboxing Exploitable Functions and Modules Using In-Kernel Machine Learning

In this presentation, we will describe and demo a new technique for detecting and stopping the 0-day exploitation in the Linux kernel. This technique enables the dynamic sandboxing of exploitable functions and modules and thus can be deployed in scenarios where critical service interruption and system reboots are unacceptable. Moreover, it incurs minimal performance overhead and memory footprint. Technically, this on-the-fly sandboxing is achieved through two key innovations: (1) an eBPF-based runtime checking mechanism that ensures code integrity, data integrity, and argument authentication of the rest of the kernel, and (2) embedding machine learning models into the kernel that detects malicious exploitation behaviors originating from the sandboxed functions and modules. In this presentation, we will demo this technique using CVE-2022-0995 as a case study and will share detailed results from our measurements. In a bigger picture, this new technique is envisioned to be applied when (1) loading device drivers from untrusted vendors, (2) detecting in-the-wild exploits of 0-day and n-day vulnerabilities, and (3) preventatively sandboxing kernel code that is of low-quality and has been frequently reported vulnerable over a certain period.

Slide is available at here.