SigGuard: Hardening Vulnerable Signal Handling in Commodity Operating Systems

Signal is a useful mechanism provided by many commodity operating systems. However, current signal handling has serious security concerns due to vulnerable design in missing integrity protections for signal handling control flow. Security weaknesses caused by vulnerable design are exploited by adversaries to mount dangerous control-flow attacks. To tackle these issues, this paper investigates root causes of signal-related attacks and proposes SigGuard to harden vulnerable signal handling mechanism. To protect unsafe signal handler execution flow, we design a customized signal handler CFI framework which supports low-cost, reentrant, online CFI analysis and enforcement. To secure signal handler return control flow, we propose an efficient, software-based, intra-process memory isolation method to ensure signal frame data integrity. We evaluate SigGuard with both security and performance experiments. In security experiments, SigGuard successfully thwarts four signal-based attacks, including two proof-of-concept exploits and two realistic attacks conducted in Nginx and Apache server programs, respectively. We also evaluate SigGuard key techniques with a series of microbenchmarks and real-world applications. Experimental results suggest that key defense techniques used in SigGuard introduce reasonable performance costs.