
MKM: Multiple Kernel Memory for Protecting Page Table Switching Mechanism Against Memory Corruption

  • Conference paper
Advances in Information and Computer Security (IWSEC 2020)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 12231)


Abstract

Countermeasures against kernel vulnerability attacks on an operating system (OS) are highly important kernel features. Some kernels adopt several kernel protection methods such as mandatory access control, kernel address space layout randomization, control flow integrity, and kernel page table isolation; however, kernel vulnerabilities can still be exploited to execute attack code and corrupt kernel memory. To accomplish this, adversaries subvert kernel protection methods and invoke kernel code to avoid administrator privilege restrictions and gain complete control of the target host. To prevent such subversion, we present Multiple Kernel Memory (MKM), a novel security mechanism that uses an alternative design for kernel memory separation, developed to reduce the kernel attack surface and mitigate the effects of illegal data manipulation in kernel memory. MKM isolates kernel memory and dedicates the trampoline page table as a gateway for page table switching and the security page table for kernel protection methods. MKM encloses the vulnerable kernel code in the kernel page table. The MKM mechanism achieves complete separation of the kernel code execution range of the virtual address space on each page table, ensuring that vulnerable kernel code does not interact with different page tables. Thus, the page table switching of the trampoline and the kernel protection methods of the security page tables are protected from vulnerable kernel code in other page tables. An evaluation of MKM indicates that it protects the kernel code and data on the trampoline and security page tables from actual kernel vulnerabilities that lead to kernel memory corruption. In addition, the performance results show that the overhead is 0.020 \(\mu\)s to 0.5445 \(\mu\)s in terms of system call latency, and the average application overhead is 196.27 \(\mu\)s to 6,685.73 \(\mu\)s for each download access of 100,000 Hypertext Transfer Protocol sessions.



Acknowledgment

This work was partially supported by JSPS KAKENHI Grant Number JP19H04109.

Author information

Corresponding author

Correspondence to Hiroki Kuzuno.


Copyright information

© 2020 Springer Nature Switzerland AG

About this paper


Cite this paper

Kuzuno, H., Yamauchi, T. (2020). MKM: Multiple Kernel Memory for Protecting Page Table Switching Mechanism Against Memory Corruption. In: Aoki, K., Kanaoka, A. (eds) Advances in Information and Computer Security. IWSEC 2020. Lecture Notes in Computer Science, vol 12231. Springer, Cham. https://doi.org/10.1007/978-3-030-58208-1_6


  • DOI: https://doi.org/10.1007/978-3-030-58208-1_6

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-58207-4

  • Online ISBN: 978-3-030-58208-1

  • eBook Packages: Computer Science, Computer Science (R0)
