The Linux kernel's attack surface

by Anil Kurmus

The Linux kernel ships with many features which can be, and are, exploited by attackers. In this talk, we explore two different approaches to reducing the kernel attack surface. The first works at compile time: execution traces of the kernel are taken into account to automatically generate a tailored kernel configuration. The second works at run time: traces are used directly to detect the use of unnecessary functions by a subset of applications. Before that, we give a precise definition of the attack surface and propose ways of measuring it, so that the benefits of such approaches can be evaluated objectively. Evaluation results show that attack surface reduction is an effective approach, whether we quantify attack surface in terms of vulnerabilities that would have been prevented or in terms of the reduction in the amount of reachable code under reasonable threat models.