Enforcing kernel constraints by hardware-assisted virtualization

  • Original Paper
  • Journal in Computer Virology

Abstract

This article deals with kernel security protection. We propose a characterization of malicious kernel-targeted actions, based on the way they act to corrupt the kernel. We then discuss security measures able to counter such attacks. Finally, we present our approach, based on hardware virtualization, which is partially implemented in our demonstrator Hytux. Hytux is inspired by bluepill (Rutkowska, Subverting Vista kernel for fun and profit, Black Hat Las Vegas, 2006), a malware that installs itself as a lightweight hypervisor on a hardware-virtualization compliant CPU and puts a running Microsoft Windows operating system into a virtual machine. In contrast with bluepill, however, Hytux is a lightweight hypervisor that implements protection mechanisms in a mode more privileged than the Linux kernel.


References

  1. Rutkowska, J.: Subverting vista kernel for fun and profit. In: Black Hat in Las Vegas (2006)

  2. Lacombe, É., Raynal, F., Nicomette, V.: Rootkit modeling and experiments under Linux. J. Comput. Virol. 4(21), 137–157 (2008) http://www.ingentaconnect.com/content/klu/11416/2008/00000004/00000002/00000069

  3. Intel: Intel trusted execution technology—measured launched environment developer’s guide (2008)

  4. Intel: Intel 64 and IA-32 Architectures software developer’s manual, vol. 3A: System programming guide, Part 1 (2008)

  5. Intel: Intel 64 and IA-32 Architectures software developer’s manual, vol. 3B: System programming guide, Part 2 (2008)

  6. Duflot, L.: CPU Bugs, CPU backdoors and consequences on security. In: ESORICS 2008 (2008)

  7. Truff: Infecting loadable kernel modules. Phrack 61 (2003)

  8. sd, devik: Linux on-the-fly kernel patching without LKM. Phrack 58 (2001)

  9. c0de: Reverse symbol lookup in Linux kernel. Phrack 61 (2003)

  10. BSDaemon, coideloko, D0nAnd0n: System management mode Hacks. Phrack 65 (2008)

  11. Duflot, L., Etiemble, D., Grumelard, O.: Using CPU system management mode to circumvent operating system security functions. In: CanSecWest/core06 (2006)

  12. sqrkkyu, twzi: Attacking the core: kernel exploiting notes. Phrack 64 (2007)

  13. Lacombe, É.: Le fonctionnement de PaX : Protection against eXecution. GNU/Linux Magazine France 79 (2006) http://www.unixgarden.com/index.php/securite/le-fonctionnement-de-pax-protection-against-execution

  14. Piegdon, D.R.: Hacking in physically addressable memory: a proof of concept. In: Easterhegg (2008)

  15. Dornseif, M., et al.: FireWire: all your memory are belong to us. In: CanSecWest/core05 (2005)

  16. Boileau, A.: Hit by a Bus: physical access attacks with firewire. In: Ruxcon (2006)

  17. Rutkowska, J.: Beyond the CPU: defeating hardware based RAM acquisition tools (Part I: AMD case). In: Black Hat DC (2007)

  18. Intel: IA-32 Intel architecture software developer’s manual, vol. 2b: Instruction Set Reference, n-z (2008)

  19. PCI-SIG: PCI Local Bus Specification. Technical Report revision 2.2, PCI Special Interest Group (1998)

  20. pragmatic, THC: (nearly) Complete linux loadable kernel modules. The definitive guide for hackers, virus coders and system administrators (1999)

  21. Cesare, S.: Kernel function hijacking (1999) http://vx.netlux.org/lib/vsc08.html

  22. Hoglund G., McGraw G.: Exploiting software: how to break code. Pearson education. Addison-Wesley, Reading (2004)

  23. Corbet, J.: vmsplice(): the making of a local root exploit (2008) http://lwn.net/Articles/268783/

  24. Corbet, J.: The rest of the vmsplice() exploit story (2008) http://lwn.net/Articles/271688/

  25. Nergal: The advanced return-into-lib(c) exploits: PaX case study. Phrack 58 (2001)

  26. Designer, S.: Getting around non-executable stack (1997) http://seclists.org/bugtraq/1997/Aug/0063.html

  27. Pol, J.: [PINE-CERT-20040201] reference count overflow in shmat() (2004) http://seclists.org/bugtraq/2004/Feb/0140.html

  28. kad: Handling interrupt descriptor table for fun and profit. Phrack 59 (2002)

  29. Duflot, L., Levillain, O., Morin, B., Grumelard, O.: Getting into the SMRAM: SMM reloaded. In: CanSecWest/core09 (2009)

  30. Duflot, L., Etiemble, D., Grumelard, O.: Utiliser les fonctionnalités des cartes mères ou des processeurs pour contourner les mécanismes de sécurité des systèmes d’exploitation. In: SSTIC (2006)

  31. Embleton, S., Sparks, S., Zou, C.: SMM Rootkits: a new breed of independent malware. In: SecureComm (2008)

  32. Filiol É.: Computer viruses: from theory to applications. IRIS international series. Springer, France (2005)

  33. Spengler, B., et al.: Grsecurity features (2009) http://www.grsecurity.net/features.php

  34. Microsoft Corporation: Digital signatures for kernel modules on systems running Windows Vista. Technical report, Microsoft Corporation (2006)

  35. Spengler, B., et al.: PaX documentation (2003) http://pax.grsecurity.net/docs

  36. Shacham, H., Page, M., Pfaff, B., Goh, E.J., Modadugu, N., Boneh, D.: On the effectiveness of address-space randomization. In: CCS ’04: Proceedings of the 11th ACM conference on computer and communications security, pp. 298–307. ACM, New York (2004)

  37. Cowan, C., Beattie, S., Johansen, J., Wagle, P.: PointGuard: protecting pointers from buffer overflow vulnerabilities. In: 12th USENIX Security Symposium (2003)

  38. Spengler, B.: PaX’s UDEREF: technical description and benchmarks (2007) http://www.grsecurity.net/~spender/uderef.txt

  39. Cowan, C., Pu, C., Maier, D., Walpole, J., Bakke, P., Beattie, S., Grier, A., Wagle, P., Zhang, Q., Hinton, H.: StackGuard: automatic adaptive detection and prevention of buffer-overflow attacks. In: Proceedings of the 7th USENIX security symposium (1998)

  40. Bulba, Kil3r: Bypassing stackguard and stackshield. Phrack 56 (2000)

  41. anonymous: Once upon a free()... Phrack 57 (2001)

  42. Intel: Intel virtualization technology for directed I/O: architecture specification (2007)

  43. Duflot, L., Absil, L.: Programmed I/O accesses: a threat to virtual Machine Monitors? In: PacSec 2007 (2007)

  44. Kivity, A., et al.: KVM: the linux virtual machine monitor. In: Linux Symposium (2007)

Author information

Correspondence to Éric Lacombe.

Cite this article

Lacombe, É., Nicomette, V. & Deswarte, Y. Enforcing kernel constraints by hardware-assisted virtualization. J Comput Virol 7, 1–21 (2011). https://doi.org/10.1007/s11416-009-0129-1

  • DOI: https://doi.org/10.1007/s11416-009-0129-1