Abstract
Kernel vulnerability attacks may allow attackers to execute arbitrary program code and achieve privilege escalation through credential overwriting, thereby bypassing security features. Major Linux protection methods include Kernel Address Space Layout Randomization, Control Flow Integrity, and Kernel Page Table Isolation. All of these mitigate the effects of kernel vulnerabilities and actual attacks. In addition, the No eXecute bit, Supervisor Mode Access Prevention, and Supervisor Mode Execution Prevention are CPU features for managing access permission and data execution in virtual memory. Although combinations of these methods can reduce the exploitability of kernel vulnerabilities that depend on interaction between user and kernel modes, kernel virtual memory corruption is still possible (e.g., the eBPF vulnerability executes its attack code entirely in kernel mode).
To monitor kernel virtual memory, we present the Kernel Memory Observer (KMO), which has a secret inspection mechanism and offers an alternative design for virtual memory. It allows the detection of illegal data manipulation/writing in the kernel virtual memory. KMO identifies kernel virtual memory corruption, monitors system call arguments, and enables unmapping from the direct mapping area. An evaluation of our method indicates that it can detect actual kernel vulnerabilities leading to kernel virtual memory corruption. In addition, the results show that the overhead is 0.038 µs to 2.505 µs in terms of system call latency, and the application benchmark overhead is 371.0 µs to 1,990.0 µs for 100,000 HTTP accesses.
Acknowledgement
This work was partially supported by JSPS KAKENHI Grant Number JP19H04109.
© 2019 Springer Nature Switzerland AG
Cite this paper
Kuzuno, H., Yamauchi, T. (2019). KMO: Kernel Memory Observer to Identify Memory Corruption by Secret Inspection Mechanism. In: Heng, SH., Lopez, J. (eds) Information Security Practice and Experience. ISPEC 2019. Lecture Notes in Computer Science(), vol 11879. Springer, Cham. https://doi.org/10.1007/978-3-030-34339-2_5
DOI: https://doi.org/10.1007/978-3-030-34339-2_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-34338-5
Online ISBN: 978-3-030-34339-2