The kernels of operating systems such as Windows, Linux, and macOS are
vulnerable to control-flow hijacking. Defenses exist, but many require
efficient intra-address-space isolation. Execute-only memory, for example,
requires read protection on code segments, and shadow stacks require protection
from buffer overwrites. Intel’s Protection Keys for Userspace (PKU) could, in
principle, provide the intra-kernel isolation needed by such defenses, but,
when used as designed, it applies only to user-mode application code. This
paper presents an unconventional approach to memory protection, allowing PKU to
be used within the operating system kernel on existing Intel hardware,
replacing the traditional user/supervisor isolation mechanism and,
simultaneously, enabling efficient intra-kernel isolation. We call the
resulting mechanism Protection Keys for Kernelspace (PKK). To demonstrate its
utility and efficiency, we present a system we call IskiOS: a Linux variant
featuring execute-only memory (XOM) and the first-ever race-free shadow stacks
for x86-64. Experiments with the LMBench kernel microbenchmarks display a
geometric mean overhead of about 11% for PKK and no additional overhead for
XOM. IskiOS’s shadow stacks bring the total to 22%. For full applications,
experiments with the system benchmarks of the Phoronix test suite display
negligible overhead for PKK and XOM, and less than 5% geometric mean overhead
for shadow stacks.
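The abstract rests on one property of protection keys: a single per-thread register, PKRU, decides data access to every page tagged with a given key, and instruction fetch is never checked against it. The following C program, added here as an illustration and not code from the IskiOS paper or its authors, models that PKRU layout (bit 2k is AD, bit 2k+1 is WD for key k, as documented by Intel) and shows how the two defenses the abstract names map onto it: a code key with AD set gives execute-only memory, and a shadow-stack key with WD set except during a push makes stray overwrites fail. The key numbers, the `tagged_page` structure and the push/store helpers are hypothetical constructs for the model; the only hardware interaction is an optional user-mode `rdpkru` when CPUID reports OSPKE. How PKK makes this register usable for kernel memory is the paper's contribution and is not reproduced here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* PKRU layout (Intel SDM): for protection key k, bit 2k is AD (access
 * disable: all data reads and writes denied) and bit 2k+1 is WD (write
 * disable). Instruction fetch is never checked against PKRU, which is
 * what lets a key with AD=1 express execute-only memory. */
#define PKEY_COUNT 16u
static inline uint32_t pkru_ad(unsigned key) { return 1u << (2u * key); }
static inline uint32_t pkru_wd(unsigned key) { return 1u << (2u * key + 1u); }

/* Hypothetical key assignment chosen for this illustration only. */
enum { PKEY_DEFAULT = 0, PKEY_XOM = 1, PKEY_SHSTK = 2 };

enum access_kind { ACC_READ, ACC_WRITE, ACC_EXEC };

/* Decides an access the way the MMU does for a page tagged with 'key'. */
bool pkru_allows(uint32_t pkru, unsigned key, enum access_kind kind)
{
    if (key >= PKEY_COUNT) return false;
    if (kind == ACC_EXEC) return true;              /* fetch is not subject to PKRU */
    if (pkru & pkru_ad(key)) return false;          /* AD: no data access at all   */
    if (kind == ACC_WRITE && (pkru & pkru_wd(key))) return false;
    return true;
}

/* Steady-state policy for the two defenses named in the abstract:
 * code pages (PKEY_XOM) are fetchable but not readable; shadow-stack
 * pages (PKEY_SHSTK) are readable but not writable. */
uint32_t pkru_steady_state(void)
{
    return pkru_ad(PKEY_XOM) | pkru_wd(PKEY_SHSTK);
}

/* A simulated page and the key it is tagged with (model only). */
struct tagged_page { unsigned key; uintptr_t slots[16]; };

/* Push a return address onto a simulated shadow stack. The write window
 * (WD cleared for PKEY_SHSTK) exists only for the single store and is
 * closed before returning; *pkru stands in for the thread's PKRU register.
 * A page tagged with any other key is refused. */
bool shstk_push(uint32_t *pkru, struct tagged_page *pg, unsigned *sp, uintptr_t ra)
{
    if (pg->key != PKEY_SHSTK || *sp >= 16) return false;
    uint32_t saved = *pkru;
    *pkru = saved & ~pkru_wd(PKEY_SHSTK);           /* wrpkru: open window  */
    bool ok = pkru_allows(*pkru, pg->key, ACC_WRITE);
    if (ok) pg->slots[(*sp)++] = ra;
    *pkru = saved;                                  /* wrpkru: close window */
    return ok;
}

/* An ordinary store, e.g. the tail of an overflowing memcpy, evaluated
 * under the steady-state PKRU: it is refused on shadow-stack pages. */
bool stray_store(uint32_t pkru, struct tagged_page *pg, unsigned idx, uintptr_t v)
{
    if (idx >= 16 || !pkru_allows(pkru, pg->key, ACC_WRITE)) return false;
    pg->slots[idx] = v;
    return true;
}

#if defined(__x86_64__) && (defined(__GNUC__) || defined(__clang__))
#include <cpuid.h>
/* CPUID.(EAX=7,ECX=0):ECX bit 4 (OSPKE) set means the OS enabled PKU,
 * so rdpkru is usable from user mode. */
static bool hw_pkru_enabled(void)
{
    unsigned a, b, c, d;
    if (!__get_cpuid_count(7, 0, &a, &b, &c, &d)) return false;
    return (c >> 4) & 1u;
}
static uint32_t hw_rdpkru(void)
{
    uint32_t eax, edx;
    __asm__ volatile("rdpkru" : "=a"(eax), "=d"(edx) : "c"(0));
    return eax;
}
#else
static bool hw_pkru_enabled(void) { return false; }
static uint32_t hw_rdpkru(void) { return 0; }
#endif

int main(void)
{
    uint32_t pkru = pkru_steady_state();
    struct tagged_page code = { PKEY_XOM, {0} }, ss = { PKEY_SHSTK, {0} };
    unsigned sp = 0;
    printf("code page: read=%d exec=%d\n",
           pkru_allows(pkru, code.key, ACC_READ), pkru_allows(pkru, code.key, ACC_EXEC));
    printf("shadow stack: push ok=%d, stray store ok=%d\n",
           shstk_push(&pkru, &ss, &sp, 0x401000), stray_store(pkru, &ss, 0, 0xdead));
    if (hw_pkru_enabled()) printf("live user-mode PKRU: 0x%08x\n", hw_rdpkru());
    return 0;
}
```

Because PKRU is register state rather than page-table state, the write window opened in `shstk_push` is private to the thread that opened it and is closed before any other code runs; no page-table update or TLB shootdown is involved, which is the property a race-free shadow stack needs and which mprotect-style toggling cannot offer.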