Abstract
An operating system (OS) shares the kernel address space with each user process. An adversary's user process can compromise the OS kernel through memory corruption by exploiting a kernel vulnerability: it overwrites kernel code related to security features or kernel data that holds privilege information.
Process-local memory and system call isolation divide the single kernel address space into multiple kernel address spaces. Although each user process then obtains its own kernel address space, these methods leave the kernel code vulnerable. Further, an adversary's user process can carry malicious code that elevates from user mode to kernel mode.
Herein, we propose the kernel page restriction mechanism (KPRM), a novel security design that prohibits the execution of vulnerable kernel code and prevents writes to kernel data from an adversary's user process. KPRM dynamically unmaps the kernel pages holding vulnerable kernel code and attack-target kernel data from the kernel address space: at system call invocation, it removes the references to those pages from the kernel page table. As a result, an adversary's user process cannot use a reference to an unmapped kernel page to exploit the running kernel through vulnerable kernel code. We implemented KPRM on the latest Linux kernel and showed that it successfully thwarts actual proof-of-concept kernel vulnerability attacks that may cause kernel memory corruption. In addition, the KPRM performance results indicated limited kernel processing overhead in software benchmarks and a low impact on user applications.
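The following is an added, user-space model of the page restriction the abstract describes; it is not the paper's Linux implementation. The toy page table, the `PTE_RESTRICT` flag, the restricted page numbers and the `kpt_*` hooks are all constructed here to show how unmapping the restricted pages at system call entry turns an access to them into a fault, and how the mappings are restored at exit.

```c
/* Added example (not the paper's code): a user-space model of KPRM's page
 * restriction. The toy page table and syscall hooks are constructed here. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define NPAGES 8
#define PTE_PRESENT  0x1u  /* page is mapped in the kernel page table */
#define PTE_RESTRICT 0x2u  /* KPRM: unmap this page during a process's syscalls */

typedef struct { uint32_t pte[NPAGES]; } kpt_t;
typedef enum { ACCESS_OK = 0, ACCESS_FAULT = 1 } access_t;

/* Map every page; mark the pages listed in restricted[] as KPRM targets
 * (e.g. a vulnerable kernel code page, a page holding privilege data). */
void kpt_init(kpt_t *t, const int *restricted, size_t n) {
    for (int i = 0; i < NPAGES; i++) t->pte[i] = PTE_PRESENT;
    for (size_t i = 0; i < n; i++) t->pte[restricted[i]] |= PTE_RESTRICT;
}

/* Syscall entry: KPRM drops the restricted pages from the page table, so
 * kernel code running on behalf of the caller cannot reference them. */
void kpt_syscall_enter(kpt_t *t) {
    for (int i = 0; i < NPAGES; i++)
        if (t->pte[i] & PTE_RESTRICT) t->pte[i] &= ~PTE_PRESENT;
}

/* Syscall exit: restore the mappings for the kernel's own later use. */
void kpt_syscall_exit(kpt_t *t) {
    for (int i = 0; i < NPAGES; i++)
        if (t->pte[i] & PTE_RESTRICT) t->pte[i] |= PTE_PRESENT;
}

/* Model of the MMU lookup: touching an unmapped page faults instead of
 * reaching the vulnerable code or the privilege data behind it. */
access_t kpt_access(const kpt_t *t, int page) {
    if (page < 0 || page >= NPAGES) return ACCESS_FAULT;
    return (t->pte[page] & PTE_PRESENT) ? ACCESS_OK : ACCESS_FAULT;
}

int main(void) {
    kpt_t t;
    const int restricted[] = { 2, 5 };  /* constructed page numbers */
    kpt_init(&t, restricted, 2);
    kpt_syscall_enter(&t);   /* an untrusted process enters the kernel */
    printf("page 2 in syscall: %s\n", kpt_access(&t, 2) ? "fault" : "ok");
    printf("page 3 in syscall: %s\n", kpt_access(&t, 3) ? "fault" : "ok");
    kpt_syscall_exit(&t);
    printf("page 2 after exit: %s\n", kpt_access(&t, 2) ? "fault" : "ok");
    return 0;
}
```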
Acknowledgment
This work was partially supported by Japan Society for the Promotion of Science (JSPS) KAKENHI Grant Number JP19H04109.
© 2021 Springer Nature Switzerland AG
Cite this paper
Kuzuno, H., Yamauchi, T. (2021). KPRM: Kernel Page Restriction Mechanism to Prevent Kernel Memory Corruption. In: Nakanishi, T., Nojima, R. (eds) Advances in Information and Computer Security. IWSEC 2021. Lecture Notes in Computer Science(), vol 12835. Springer, Cham. https://doi.org/10.1007/978-3-030-85987-9_3
DOI: https://doi.org/10.1007/978-3-030-85987-9_3
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-85986-2
Online ISBN: 978-3-030-85987-9