
KMO: Kernel Memory Observer to Identify Memory Corruption by Secret Inspection Mechanism

  • Conference paper
Information Security Practice and Experience (ISPEC 2019)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11879)

Abstract

Kernel vulnerability attacks may allow an attacker to execute arbitrary code and escalate privileges by overwriting credentials, thereby bypassing security features. Major Linux protection methods include Kernel Address Space Layout Randomization (KASLR), Control Flow Integrity (CFI), and Kernel Page Table Isolation (KPTI); all of these mitigate the effects of kernel vulnerabilities and actual attacks. In addition, the No eXecute (NX) bit, Supervisor Mode Access Prevention (SMAP), and Supervisor Mode Execution Prevention (SMEP) are CPU features that manage access permissions and data execution in virtual memory. Although combinations of these methods reduce the exploitability of kernel vulnerabilities that rely on interaction between user mode and kernel mode, kernel virtual memory corruption is still possible (e.g., an eBPF vulnerability whose attack code executes only in kernel mode).

To monitor kernel virtual memory, we present the Kernel Memory Observer (KMO), which has a secret inspection mechanism and offers an alternative design for virtual memory. It allows the detection of illegal data manipulation or writing in kernel virtual memory. KMO identifies kernel virtual memory corruption, monitors system call arguments, and enables unmapping of pages from the direct mapping area. An evaluation of our method indicates that it can detect actual kernel vulnerabilities that lead to kernel virtual memory corruption. In addition, the results show that the overhead is 0.038 µs to 2.505 µs in system call latency, and 371.0 µs to 1,990.0 µs in an application benchmark of 100,000 HTTP accesses.
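The abstract describes the core idea only at a high level: a kernel write primitive that overwrites a task's credentials never passes through the credential API, so an observer that keeps a private ("secret") copy of critical kernel data and re-inspects it at every system call entry can tell an illegal overwrite from a legitimate change. The following user-space C model is an added illustration of that check and is not the paper's code; the structures, the observer functions, the FNV-based keyed digest and the two scenarios are all hypothetical stand-ins chosen for this example, and the "region the kernel cannot reach" is modelled simply by keeping the observer's state in separate variables.

```c
/*
 * Added illustration (not the paper's code): a user-space model of a
 * "secret inspection" check against kernel credential overwriting.
 *
 * Hypothetical assumptions for this example:
 *  - struct cred is modelled by `struct model_cred`;
 *  - the observer keeps a private copy of each task's cred plus a keyed
 *    digest in state the modelled kernel cannot reach, and re-checks it on
 *    every modelled system call entry before the call is served.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct model_cred { uint32_t uid, gid, euid, egid; };

struct model_task {
    char name[16];
    struct model_cred cred;   /* lives in the attacker-reachable kernel map */
};

/* Observer-private state: a shadow copy plus a keyed digest of the cred. */
struct observer_entry {
    struct model_cred shadow;
    uint64_t digest;
};

/* FNV-1a over the cred bytes mixed with a secret key. Illustration only:
 * a real monitor would rely on a proper MAC or on page-level isolation. */
static uint64_t digest_cred(const struct model_cred *c, uint64_t key) {
    const unsigned char *p = (const unsigned char *)c;
    uint64_t h = 1469598103934665603ULL ^ key;
    for (size_t i = 0; i < sizeof *c; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}

/* Legitimate credential changes (setuid(), exec of a setuid binary) are
 * routed through here so the observer's secret copy is refreshed. */
static void observer_commit(struct observer_entry *e, const struct model_task *t, uint64_t key) {
    e->shadow = t->cred;
    e->digest = digest_cred(&t->cred, key);
}

/* Called at every modelled syscall entry: 0 if cred is intact, 1 if corrupted. */
static int observer_check(const struct observer_entry *e, const struct model_task *t, uint64_t key) {
    if (digest_cred(&t->cred, key) != e->digest) return 1;
    if (memcmp(&e->shadow, &t->cred, sizeof t->cred) != 0) return 1;
    return 0;
}

/* A modelled syscall that refuses to run for a task whose cred failed inspection. */
static int model_syscall_getuid(struct observer_entry *e, struct model_task *t, uint64_t key, int *out_uid) {
    if (observer_check(e, t, key)) return -1;   /* corruption: do not serve the call */
    *out_uid = (int)t->cred.uid;
    return 0;
}

/* Scenario 1: an attacker with a kernel write primitive zeroes uid/gid directly
 * in kernel memory, bypassing the credential API. Returns 1 if flagged. */
int scenario_cred_overwrite_detected(void) {
    const uint64_t key = 0x5eed5eed5eed5eedULL;  /* secret known only to the observer */
    struct model_task t = { "victim", { 1000, 1000, 1000, 1000 } };
    struct observer_entry e;
    observer_commit(&e, &t, key);

    int uid = -1;
    if (model_syscall_getuid(&e, &t, key, &uid) != 0 || uid != 1000) return 0; /* baseline must pass */

    memset(&t.cred, 0, sizeof t.cred);        /* illegal direct write, not via setuid() */

    return model_syscall_getuid(&e, &t, key, &uid) == -1;
}

/* Scenario 2: the same uid change made through the legitimate path is accepted. */
int scenario_legit_setuid_accepted(void) {
    const uint64_t key = 0x5eed5eed5eed5eedULL;
    struct model_task t = { "victim", { 1000, 1000, 1000, 1000 } };
    struct observer_entry e;
    observer_commit(&e, &t, key);

    t.cred.uid = t.cred.euid = 0;   /* e.g. the kernel installing root creds on exec of a setuid binary */
    observer_commit(&e, &t, key);   /* the legitimate path refreshes the secret copy */

    int uid = -1;
    return model_syscall_getuid(&e, &t, key, &uid) == 0 && uid == 0;
}

int main(void) {
    printf("overwrite detected:    %d\n", scenario_cred_overwrite_detected());
    printf("legit setuid accepted: %d\n", scenario_legit_setuid_accepted());
    return 0;
}
```

The check only holds if the attacker's write primitive cannot also reach the observer's shadow copy and key. In a real kernel the direct mapping area makes every physical page reachable from one linear region, which is exactly why the abstract pairs the inspection mechanism with an alternative virtual memory design and with unmapping from the direct mapping area; a model like the one above says nothing about that isolation and should not be read as a defence on its own.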



Acknowledgement

This work was partially supported by JSPS KAKENHI Grant Number JP19H04109.

Author information

Corresponding author: Hiroki Kuzuno


Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Cite this paper

Kuzuno, H., Yamauchi, T. (2019). KMO: Kernel Memory Observer to Identify Memory Corruption by Secret Inspection Mechanism. In: Heng, SH., Lopez, J. (eds) Information Security Practice and Experience. ISPEC 2019. Lecture Notes in Computer Science, vol 11879. Springer, Cham. https://doi.org/10.1007/978-3-030-34339-2_5

  • DOI: https://doi.org/10.1007/978-3-030-34339-2_5

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-34338-5

  • Online ISBN: 978-3-030-34339-2
