Abstract
This article deals with kernel security protection. We propose a characterization of malicious kernel-targeted actions based on the way they act to corrupt the kernel. We then discuss security measures able to counter such attacks. Finally, we present our approach, based on hardware virtualization, which is partially implemented in our demonstrator Hytux. Hytux is inspired by bluepill (Rutkowska, Subverting Vista kernel for fun and profit. In: Black Hat in Las Vegas, 2006), a malware that installs itself as a lightweight hypervisor on a CPU supporting hardware virtualization and puts a running Microsoft Windows operating system into a virtual machine. In contrast with bluepill, however, Hytux is a lightweight hypervisor that implements protection mechanisms in a mode more privileged than the Linux kernel.
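The abstract describes a monitor that sits above the kernel and enforces constraints on it. The following C program is an added illustration, not Hytux code and not taken from the article: it models, in user space, two constraints such a monitor can check on a guest kernel image (kernel text is unchanged since it was measured; every syscall table entry points into kernel text) and two of the malicious kernel-targeted actions the abstract's taxonomy covers (hooking a syscall table entry, and patching a handler in place, as in the Phrack articles cited below). The guest layout (`guest_kernel`), the monitor API (`kmon_*`) and the text bytes are all constructed assumptions; a real hypervisor would read the guest's physical memory from the more privileged mode instead of sharing a process with it.

```c
/* Added example (not Hytux code): a user-space model of kernel
 * constraints enforced by a monitor more privileged than the kernel.
 * All names and data below are hypothetical/constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NR_SYSCALLS 4
#define TEXT_SIZE   64

/* Model of the guest: a fixed text segment, a syscall table whose
 * entries must point into that segment, and writable memory. */
typedef struct {
    uint8_t   text[TEXT_SIZE];             /* kernel code, must stay constant */
    uintptr_t syscall_table[NR_SYSCALLS];  /* each entry must lie in text */
    uint8_t   heap[64];                    /* writable, attacker-reachable */
} guest_kernel;

/* What the monitor records when the guest starts. */
typedef struct {
    uint64_t  text_digest;
    uintptr_t text_lo, text_hi;
} kmon_baseline;

/* FNV-1a 64-bit: a checksum, not a cryptographic hash. It suffices here
 * because the guest cannot write the monitor's copy of the digest. */
static uint64_t fnv1a64(const void *p, size_t n) {
    const uint8_t *b = p;
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) { h ^= b[i]; h *= 1099511628211ULL; }
    return h;
}

void kmon_measure(const guest_kernel *g, kmon_baseline *b) {
    b->text_digest = fnv1a64(g->text, TEXT_SIZE);
    b->text_lo = (uintptr_t)g->text;
    b->text_hi = (uintptr_t)g->text + TEXT_SIZE;
}

/* Constraint 1: kernel text is never modified after measurement. */
bool kmon_text_intact(const guest_kernel *g, const kmon_baseline *b) {
    return fnv1a64(g->text, TEXT_SIZE) == b->text_digest;
}

/* Constraint 2: every syscall handler lies inside kernel text.
 * Returns the index of the first violating entry, or -1 if none. */
int kmon_first_bad_syscall(const guest_kernel *g, const kmon_baseline *b) {
    for (int i = 0; i < NR_SYSCALLS; i++) {
        uintptr_t p = g->syscall_table[i];
        if (p < b->text_lo || p >= b->text_hi) return i;
    }
    return -1;
}

/* Guest-side setup: constructed code bytes, handlers at fixed offsets. */
void guest_init(guest_kernel *g) {
    memset(g, 0, sizeof *g);
    for (int i = 0; i < TEXT_SIZE; i++) g->text[i] = (uint8_t)(0x90 + i);
    for (int i = 0; i < NR_SYSCALLS; i++)
        g->syscall_table[i] = (uintptr_t)g->text + 8 * i;
}

/* (a) Syscall table hooking: redirect an entry to attacker-controlled memory. */
void attack_hook_syscall(guest_kernel *g, int nr) {
    g->syscall_table[nr] = (uintptr_t)g->heap;  /* outside kernel text */
}

/* (b) On-the-fly patching: overwrite the first byte of a handler (0xE9 = jmp rel32). */
void attack_patch_text(guest_kernel *g, int off) {
    g->text[off] = 0xE9;
}

int main(void) {
    guest_kernel g; kmon_baseline b;
    guest_init(&g); kmon_measure(&g, &b);
    printf("clean:   text_intact=%d first_bad_syscall=%d\n",
           kmon_text_intact(&g, &b), kmon_first_bad_syscall(&g, &b));
    attack_hook_syscall(&g, 2);
    printf("hooked:  first_bad_syscall=%d\n", kmon_first_bad_syscall(&g, &b));
    attack_patch_text(&g, 8);
    printf("patched: text_intact=%d\n", kmon_text_intact(&g, &b));
    return 0;
}
```

The model polls; a hypervisor on a CPU with hardware virtualization would instead be notified by a VM exit when the guest touches a protected page or control register, so the check runs at the moment of the violation rather than afterwards. Two caveats the references below make explicit: a monitor that inspects memory only through the CPU does not see writes made by DMA-capable devices (the FireWire attacks and the VT-d specification in the list), and the hypervisor itself must be launched from a trusted state (Intel TXT) or it can be pre-empted by code that is already resident, such as an SMM rootkit.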
References
Rutkowska, J.: Subverting vista kernel for fun and profit. In: Black Hat in Las Vegas (2006)
Lacombe, É., Raynal, F., Nicomette, V.: Rootkit modeling and experiments under Linux. J. Comput. Virol. 4(2), 137–157 (2008) http://www.ingentaconnect.com/content/klu/11416/2008/00000004/00000002/00000069
Intel: Intel trusted execution technology—measured launched environment developer’s guide (2008)
Intel: Intel 64 and IA-32 Architectures software developer’s manual, vol. 3A: System programming guide, Part 1 (2008)
Intel: Intel 64 and IA-32 Architectures software developer’s manual, vol. 3B: System programming guide, Part 2 (2008)
Duflot, L.: CPU Bugs, CPU backdoors and consequences on security. In: ESORICS 2008 (2008)
Truff: Infecting loadable kernel modules. Phrack 61 (2003)
sd, devik: Linux on-the-fly kernel patching without LKM. Phrack 58 (2001)
c0de: Reverse symbol lookup in Linux kernel. Phrack 61 (2003)
BSDaemon, coideloko, D0nAnd0n: System management mode Hacks. Phrack 65 (2008)
Duflot, L., Etiemble, D., Grumelard, O.: Using CPU system management mode to circumvent operating system security functions. In: CanSecWest/core06 (2006)
sgrakkyu, twiz: Attacking the core: kernel exploiting notes. Phrack 64 (2007)
Lacombe, É.: Le fonctionnement de PaX : Protection against eXecution [How PaX works: Protection against eXecution]. GNU/Linux Magazine France 79 (2006) http://www.unixgarden.com/index.php/securite/le-fonctionnement-de-pax-protection-against-execution
Piegdon, D.R.: Hacking in physically addressable memory: a proof of concept. In: Easterhegg (2008)
Dornseif, M., et al.: FireWire: all your memory are belong to us. In: CanSecWest/core05 (2005)
Boileau, A.: Hit by a Bus: physical access attacks with firewire. In: Ruxcon (2006)
Rutkowska, J.: Beyond the CPU: defeating hardware based RAM acquisition tools (Part I: AMD case). In: Black Hat DC (2007)
Intel: IA-32 Intel architecture software developer’s manual, vol. 2b: Instruction Set Reference, n-z (2008)
PCI-SIG: PCI Local Bus Specification. Technical Report revision 2.2, PCI Special Interest Group (1998)
pragmatic, THC: (nearly) Complete linux loadable kernel modules. The definitive guide for hackers, virus coders and system administrators (1999)
Cesare, S.: Kernel function hijacking (1999) http://vx.netlux.org/lib/vsc08.html
Hoglund, G., McGraw, G.: Exploiting software: how to break code. Pearson Education, Addison-Wesley, Reading (2004)
Corbet, J.: vmsplice(): the making of a local root exploit (2008) http://lwn.net/Articles/268783/
Corbet, J.: The rest of the vmsplice() exploit story (2008) http://lwn.net/Articles/271688/
Nergal: The advanced return-into-lib(c) exploits: PaX case study. Phrack 58 (2001)
Solar Designer: Getting around non-executable stack (1997) http://seclists.org/bugtraq/1997/Aug/0063.html
Pol, J.: [PINE-CERT-20040201] reference count overflow in shmat() (2004) http://seclists.org/bugtraq/2004/Feb/0140.html
kad: Handling interrupt descriptor table for fun and profit. Phrack 59 (2002)
Duflot, L., Levillain, O., Morin, B., Grumelard, O.: Getting into the SMRAM: SMM reloaded. In: CanSecWest/core09 (2009)
Duflot, L., Etiemble, D., Grumelard, O.: Utiliser les fonctionnalités des cartes mères ou des processeurs pour contourner les mécanismes de sécurité des systèmes d’exploitation [Using motherboard or processor features to bypass operating system security mechanisms]. In: SSTIC (2006)
Embleton, S., Sparks, S., Zou, C.: SMM Rootkits: a new breed of independent malware. In: SecureComm (2008)
Filiol, É.: Computer viruses: from theory to applications. IRIS International Series. Springer, France (2005)
Spengler, B., et al.: Grsecurity features (2009) http://www.grsecurity.net/features.php
Microsoft Corporation: Digital signatures for kernel modules on systems running Windows Vista. Technical report, Microsoft Corporation (2006)
Spengler, B., et al.: PaX documentation (2003) http://pax.grsecurity.net/docs
Shacham, H., Page, M., Pfaff, B., Goh, E.J., Modadugu, N., Boneh, D.: On the effectiveness of address-space randomization. In: CCS ’04: Proceedings of the 11th ACM conference on computer and communications security, pp. 298–307. ACM, New York (2004)
Cowan, C., Beattie, S., Johansen, J., Wagle, P.: PointGuard: protecting pointers from buffer overflow vulnerabilities. In: 12th USENIX Security Symposium (2003)
Spengler, B.: PaX’s UDEREF: technical description and benchmarks (2007) http://www.grsecurity.net/~spender/uderef.txt
Cowan, C., Pu, C., Maier, D., Walpole, J., Bakke, P., Beattie, S., Grier, A., Wagle, P., Zhang, Q., Hinton, H.: StackGuard: automatic adaptive detection and prevention of buffer-overflow attacks. In: Proceedings of the 7th USENIX security symposium (1998)
Bulba, Kil3r: Bypassing stackguard and stackshield. Phrack 56 (2000)
anonymous: Once upon a free()... Phrack 57 (2001)
Intel: Intel virtualization technology for directed I/O: architecture specification (2007)
Duflot, L., Absil, L.: Programmed I/O accesses: a threat to virtual Machine Monitors? In: PacSec 2007 (2007)
Kivity, A., et al.: KVM: the linux virtual machine monitor. In: Linux Symposium (2007)
Cite this article
Lacombe, É., Nicomette, V. & Deswarte, Y. Enforcing kernel constraints by hardware-assisted virtualization. J Comput Virol 7, 1–21 (2011). https://doi.org/10.1007/s11416-009-0129-1