Isolate and Detect the Untrusted Driver with a Virtual Box
Authors: 
YongGang Li, ShunRong Jiang, Yu Bao, PengPeng Chen, Yong Zhou, Yeh-Ching ChungAuthors Info & Claims
YongGang Li, ShunRong Jiang, Yu Bao, PengPeng Chen, Yong Zhou, Yeh-Ching ChungAuthors Info & ClaimsPages 4584 - 4597
Abstract
In kernel, the driver code is much more than the core code, thus having a larger attack surface. Especially for the untrusted drivers without source code, they may come from the hot-plug hardware or the user without security knowledge. Traditional isolation methods require analyzing source code to set checkpoints in the driver for control flow protection, which are not available for closed-source drivers. Evenworse, the existing isolation methods can only prevent the hijacked control flows entering/existing drivers, while they cannot discover the illegal control flows inside drivers. Although the kernel address space location randomization (KASLR) can defend against control flow hijacking, it can be bypassed by code probes. In response to these issues, this paper proposes a novel method Dbox to isolate and detect the untrusted drivers whose source code is unavailable. Dbox creates a light hypervisor to monitor and analyze the untrusted driver's behavior without relying on source code. It isolates the untrusted driver in a private space and dynamically changes its virtual space through a sliding space mechanism. Under the protection of Dbox, all control flows jumping to/from untrusted drivers can be detected. Experiments and analysis show that Dbox has good protection against code probes, kernel rootkits and code reuse attacks, and the overhead introduced to the operating system is less than 3.6% in general scenarios.
References
[1]
Ahmed M Azab, Peng Ning, Jitesh Shah, Quan Chen, Rohan Bhutkar, Guruprasad Ganesh, Jia Ma, and Wenbo Shen. 2014. Hypervision across worlds: Real-time kernel protection from the arm trustzone secure world. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security. 90--102.
[2]
Davi L et al Biondo A, Conti M. 2018. The Guards Dilemma: Efficient Code-Reuse Attacks Against Intel SGX. In Proceedings of the 27th USENIX Security Symposium. 1213--1227.
[3]
Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazières, and Dan Boneh. 2014. Hacking blind. In 2014 IEEE Symposium on Security and Privacy. IEEE, 227--242.
[4]
Bramwell Brizendine and Austin Babcock. 2021. Pre-built JOP Chains with the JOP ROCKET: Bypassing DEP without ROP. Black Hat Asia (2021).
[5]
Bigelow R et al Brown M D, Pruett M. 2021. Not so fast: understanding and mitigating negative impacts of compiler optimizations on code reuse gadget sets. In Proceedings of the ACM on Programming Languages. 1--30.
[6]
Haubenwallner M et al. Canella C, Schwarz M. 2020. KASLR: Break it, fix it, repeat. In Proceedings of the 15th ACM Asia Conference on Computer and Communications Security. 481--493.
[7]
Xinyang Ge, Nirupama Talele, Mathias Payer, and Trent Jaeger. 2016. Fine-grained control-flow integrity for kernel software. In 2016 IEEE European Symposium on Security and Privacy (EuroS&P). IEEE, 179--194.
[8]
Ben Gras, Kaveh Razavi, Erik Bosman, Herbert Bos, and Cristiano Giuffrida. 2017. ASLR on the Line: Practical Cache Attacks on the MMU. In NDSS, Vol. 17. 26.
[9]
Jinyu Gu, Xinyue Wu, Wentai Li, Nian Liu, Zeyu Mi, Yubin Xia, and Haibo Chen. 2020. Harmonizing performance and isolation in microkernels with efficient intra-kernel isolation and communication. In 2020 USENIX Annual Technical Conference (USENIX ATC 20). 401--417.
[10]
Polychronakis M et al. Göktas E, Athanasopoulos E. 2014. Size Does Matter: Why Using Gadget-Chain Length to Prevent Code-Reuse Attacks is Hard. In Proceedings of the 23rd USENIX Security Symposium. 417--432.
[11]
C. Harini and C. Fancy. 2020. A study on the prevention mechanisms for kernel attacks. In Artificial Intelligence Techniques for Advanced Computing Applications: Proceedings of ICACT 2020. Springer, 11--17.
[12]
Williams D Holmes B, Waterman J. 2022. KASLR in the age of MicroVMs. In Proceedings of the Seventeenth European Conference on Computer Systems. 149--165.
[13]
Detweiler D et al Huang Y, Narayanan V. 2022. KSplit: Automating Device Driver Isolation. In Proceedings of the 16th USENIX Symposium on Operating Systems Design and Implementation (OSDI 22). 613--631.
[14]
Christopher Jelesnianski, Jinwoo Yom, Changwoo Min, and Yeongjin Jang. 2020. Mardu: Efficient and scalable code re-randomization. In Proceedings of the 13th ACM International Systems and Storage Conference. 49--60.
[15]
Groß S et al. Lekies S, Kotowicz K. 2017. Code-reuse attacks for the web: Breaking cross-site scripting mitigations via script gadgets. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. 1709--1723.
[16]
Jinku Li, Xiaomeng Tong, Fengwei Zhang, and Jianfeng Ma. 2018. Fine-cfi: fine-grained control-flow integrity for operating system kernels. IEEE Transactions on Information Forensics and Security 13, 6 (2018), 1535--1550.
[17]
YongGang Li, Yeh-Ching Chung, Jinbiao Xing, Yu Bao, and Guoyuan Lin. 2022. MProbe: Make the code probing meaningless. In Proceedings of the 38th Annual Computer Security Applications Conference. 214--226.
[18]
YongGang Li, GuoYuan Lin, Yeh-Ching Chung, YaoWen Ma, Yi Lu, and Yu Bao. 2023. MagBox: Keep the risk functions running safely in a magic box. Future Generation Computer Systems 140 (2023), 282--298.
[19]
Yong-Gang Li, Yeh-Ching Chung, Kai Hwang, and Yue-Jin Li. 2020. Virtual wall: Filtering rootkit attacks to protect linux kernel functions. IEEE Trans. Comput. 70, 10 (2020), 1640--1653.
[20]
Yutao Liu, Tianyu Zhou, Kexin Chen, Haibo Chen, and Yubin Xia. 2015. Thwarting memory disclosure with efficient hypervisor-enforced intra-domain isolation. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. 1607--1619.
[21]
Kangjie Lu, Wenke Lee, Stefan Nürnberger, and Michael Backes. 2016. How to Make ASLR Win the Clone Wars: Runtime Re-Randomization. In NDSS.
[22]
Yandong Mao, Haogang Chen, Dong Zhou, Xi Wang, Nickolai Zeldovich, and M Frans Kaashoek. 2011. Software fault isolation with API integrity and multi-principal modules. In Proceedings of the Twenty-Third ACM Symposium on Operating Systems Principles. 115--128.
[23]
Alyssa Milburn, Erik Van Der Kouwe, and Cristiano Giuffrida. 2022. Mitigating information leakage vulnerabilities with type-based data isolation. In 2022 IEEE Symposium on Security and Privacy (SP). IEEE, 1049--1065.
[24]
Wei-Loon Mow, Shih-Kun Huang, and Hsu-Chun Hsiao. 2022. LAEG: Leak-based AEG using Dynamic Binary Analysis to Defeat ASLR. In 2022 IEEE Conference on Dependable and Secure Computing (DSC). IEEE, 1--8.
[25]
Jacobsen C et al Narayanan V, Balasubramanian A. 2019. LXDs: Towards isolation of kernel subsystems. In Proceedings of the 2019 USENIX Annual Technical Conference (USENIX ATC 19). 269--284.
[26]
Tan G et al Narayanan V, Huang Y. 2020. Lightweight kernel isolation with virtualization and VM functions. In Proceedings of the 16th ACM SIGPLAN/SIGOPS international conference on virtual execution environments. 157--171.
[27]
Matthias Neugschwandtner, Alessandro Sorniotti, and Anil Kurmus. 2019. Memory categorization: Separating attacker-controlled data. In Detection of Intrusions and Malware, and Vulnerability Assessment: 16th International Conference, DIMVA 2019, Gothenburg, Sweden, June 19--20, 2019, Proceedings 16. Springer, 263--287.
[28]
Ruslan Nikolaev, Hassan Nadeem, Cathlyn Stone, and Binoy Ravindran. 2022. Adelie: continuous address space layout re-randomization for Linux drivers. In Proceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems. 483--498.
[29]
Angelos Oikonomopoulos, Elias Athanasopoulos, Herbert Bos, and Cristiano Giuffrida. 2016. Poking holes in information hiding. In 25th USENIX Security Symposium (USENIX Security 16). 121--138.
[30]
et al Pomonis, Marios. 2017. kR ?X: Comprehensive kernel protection against just-in-time code reuse. In Proceedings of the Twelfth European Conference on Computer Systems. 420--436.
[31]
Xinhui Shao, Lan Luo, Zhen Ling, Huaiyu Yan, Yumeng Wei, and Xinwen Fu. 2022. fASLR: Function-based ASLR for resource-constrained IoT systems. In European Symposium on Research in Computer Security. Springer, 531--548.
[32]
et al Shrivastava, Rajesh Kumar. 2022. Securing Internet of Things devices against code tampering attacks using Return Oriented Programming. Computer Communications 193 (2022), 38--46.
[33]
Kevin Z Snow, Fabian Monrose, Lucas Davi, Alexandra Dmitrienko, Christopher Liebchen, and Ahmad-Reza Sadeghi. 2013. Just-in-time code reuse: On the effectiveness of fine-grained address space layout randomization. In 2013 IEEE symposium on security and privacy. IEEE, 574--588.
[34]
Abhinav Srivastava and Jonathon T Giffin. 2011. Efficient Monitoring of Untrusted Kernel-Mode Execution. In NDSS. Citeseer.
[35]
Göktas E. et al Van Der Veen, V. 2016. A tough call: Mitigating advanced code-reuse attacks at the binary level. In Proceedings of the IEEE Symposium on Security and Privacy (SP). 934--953.
[36]
Fernando Vano-Garcia and Hector Marco-Gisbert. 2020. KASLR-MT: Kernel address space layout randomization for multi-tenant cloud systems. J. Parallel and Distrib. Comput. 137 (2020), 77--90.
[37]
Wenhao Wang, Guangyu Hu, Xiaolin Xu, and Jiliang Zhang. 2021. CRAlert: Hardware-assisted code reuse attack detection. IEEE Transactions on Circuits and Systems II: Express Briefs 69, 3 (2021), 1607--1611.
[38]
Zhe Wang, Chenggang Wu, Jianjun Li, Yuanming Lai, Xiangyu Zhang, Wei-Chung Hsu, and Yueqiang Cheng. 2017. Reranz: A light-weight virtual machine to mitigate memory disclosure attacks. In Proceedings of the 13th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments. 143--156.
[39]
Cui W et al Wang Z, Jiang X. 2009. Countering kernel rootkits with lightweight hook protection. In Proceedings of the 16th ACM conference on Computer and communications security. 545--554.
[40]
Mengfei Xie, Yan Lin, Chenke Luo, Guojun Peng, and Jianming Fu. 2022. PointerScope: Understanding Pointer Patching for Code Randomization. IEEE Transactions on Dependable and Secure Computing (2022).
[41]
Yutian Yang, Songbo Zhu, Wenbo Shen, Yajin Zhou, Jiadong Sun, and Kui Ren. 2019. ARM pointer authentication based forward-edge and backward-edge control flow integrity for kernels. arXiv preprint arXiv:1912.10666 (2019).
[42]
Sungbae Yoo, Jinbum Park, Seolheui Kim, Yeji Kim, and Taesoo Kim. 2022. In-Kernel Control-Flow Integrity on Commodity OSes using ARM Pointer Authentication. In 31st USENIX Security Symposium (USENIX Security 22). 89--106.
[43]
Changwei Zou, Xudong Wang, Yaoqing Gao, and Jingling Xue. 2022. Buddy stacks: Protecting return addresses with efficient thread-local storage and runtime re-randomization. ACM Transactions on Software Engineering and Methodology (TOSEM) 31, 2 (2022), 1--37.
Index Terms
- Isolate and Detect the Untrusted Driver with a Virtual Box
Recommendations
Stealthy malware detection and monitoring through VMM-based “out-of-the-box” semantic view reconstruction
An alarming trend in recent malware incidents is that they are armed with stealthy techniques to detect, evade, and subvert malware detection facilities of the victim. On the defensive side, a fundamental limitation of traditional host-based antimalware ...
Stealthy malware detection through vmm-based "out-of-the-box" semantic view reconstruction
CCS '07: Proceedings of the 14th ACM conference on Computer and communications securityAn alarming trend in malware attacks is that they are armed with stealthy techniques to detect, evade, and subvert malware detection facilities of the victim. On the defensive side, a fundamental limitation of traditional host-based anti-malware systems ...
Counterfeit Object-oriented Programming: On the Difficulty of Preventing Code Reuse Attacks in C++ Applications
SP '15: Proceedings of the 2015 IEEE Symposium on Security and PrivacyCode reuse attacks such as return-oriented programming (ROP) have become prevalent techniques to exploit memory corruption vulnerabilities in software programs. A variety of corresponding defenses has been proposed, of which some have already been ...
Comments
Information & Contributors
Information
Published In
December 2024
5188 pages
ISBN:9798400706363
DOI:10.1145/3658644
- General Chairs:
- Bo Luo,
- Xiaojing Liao,
- Jun Xu,
- Program Chairs:
- Engin Kirda,
- David Lie
Copyright © 2024 ACM.
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
Sponsors
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 09 December 2024
Check for updates
Author Tags
Qualifiers
- Research-article
Funding Sources
- the Fundamental Research Funds for the Central Universities
Conference
CCS '24
Sponsor:
CCS '24: ACM SIGSAC Conference on Computer and Communications Security
October 14 - 18, 2024
UT, Salt Lake City, USA
Acceptance Rates
Overall Acceptance Rate 1,261 of 6,999 submissions, 18%
Upcoming Conference
CCS '25
- Sponsor:
- sigsac
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 204Total Downloads
- Downloads (Last 12 months)204
- Downloads (Last 6 weeks)71
Reflects downloads up to 01 Mar 2025
Other Metrics
Citations
View Options
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in