Abstract
The kernel data of an operating system kernel can be modified through memory corruption by exploiting kernel vulnerabilities. Memory corruption allows privilege escalation and defeats security mechanisms. The kernel control flow integrity verifies and guarantees the order of invoking kernel codes. The kernel address space layout randomization randomizes the virtual address layout of the kernel code and data. The additional kernel observer focuses on the unintended privilege modifications to restore the original privileges. However, these existing security mechanisms do not prevent writing to the kernel data. Therefore, kernel data can be overwritten by exploiting kernel vulnerabilities. Additionally, privilege escalation and the defeat of security mechanisms are possible.
We propose a kernel data protection mechanism (KDPM), which is a novel security design that restricts the writing of specific kernel data. This mechanism protects privileged information and the security mechanism to overcome the limitations of existing approaches. The KDPM adopts a memory protection key (MPK) to control the write restriction of kernel data. The KDPM with the MPK ensures that the writing of privileged information for user processes is dynamically restricted during the invocation of specific system calls. To prevent the security mechanisms from being defeated, the KDPM dynamically restricts the writing of kernel data related to the mandatory access control during the execution of specific kernel codes. Further, the KDPM is implemented on the latest Linux with an MPK emulator. We also evaluated the possibility of preventing the writing of privileged information. The KDPM showed an acceptable performance cost, measured by the overhead, which was from 2.96% to 9.01% of system call invocations, whereas the performance load on the MPK operations was 22.1 ns to 1347.9 ns.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
References
Exploit Database: Nexus 5 Android 5.0 - Privilege Escalation. https://www.exploit-db.com/exploits/35711/. Accessed 21 May 2019
grsecurity: super fun 2.6.30+/RHEL5 2.6.18 local kernel exploit. https://grsecurity.net/~spender/exploits/exploit2.txt. Accessed 21 May 2019
Abadi, M., Budiu, M., Erlingsson, U., Ligatti, J.: Control-flow integrity principles, implementations, and applications. In: Proceedings of the 12th ACM Conference on Computer and Communications Security, pp. 340–353. ACM (2005). https://doi.org/10.1145/1609956.1609960
Criswell, J., Dautenhahn, N., Adve, V.: KCoFI: complete control-flow integrity for commodity operating system kernels. In: Proceedings of the IEEE Security and Privacy, pp. 292–307. IEEE (2014). https://doi.org/10.1109/SP.2014.26
Shacham, H., Page, M., Pfaff, B., Goh, E., Modadugu, N., Boneh, D.: On the effectiveness of address-space randomization. In: Proceedings of the 11th ACM Conference on Computer and Communications Security, pp. 298–307. ACM (2004). https://doi.org/10.1145/1030083.1030124
Yamauchi, T., Akao, Y., Yoshitani, R., Nakamura, Y., Hashimoto, M.: Additional kernel observer: privilege escalation attack prevention mechanism focusing on system call privilege changes. Int. J. Inf. Secur. 20(4), 461–473 (2020). https://doi.org/10.1007/s10207-020-00514-7
Bonzini, P.: [PATCH] target/i86: implement PKS. https://lore.kernel.org/qemu-devel/20210127093540.472624-1-pbonzini@redhat.com/. Accessed 18 Aug 2021
Intel Corporation: Intel(R) 64 and IA-32 Architectures Software Developer’s Manual. https://www.intel.com/content/www/us/en/developer/articles/technical/intel-sdm.html. Accessed 18 Aug 2021
Chen, H., Mao, Y., Wang, X., Zhow, D., Zeldovich, N., Kaashoek, F.M.: Linux kernel vulnerabilities-state-of-the-art defenses and open problems. In: Proceedings of the Second Asia-Pacific Workshop on Systems, pp. 1–5. ACM (2011). https://doi.org/10.1145/2103799.2103805
CVE-2016-4997. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4997. Accessed 10 May 2019
CVE-2016-9793. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9793. Accessed 10 June 2019
CVE-2017-1000112. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000112. Accessed 10 June 2019
CVE-2017-16995. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16995. Accessed 10 June 2019
CVE-2017-6074 (2017). https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6074. Accessed 16 Sep 2021
Park, S., Lee, S., Xu, W., Moon, H., Kim, T.: libmpk: software abstraction for intel memory protection keys (Intel MPK). In: Proceedings of the 2019 USENIX Annual Technical Conference, pp. 241–254. USENIX (2019). https://dl.acm.org/doi/10.5555/3358807.3358829
Vahldiek-Oberwagner, A., Elnikety, E., Duarte, O.N., Sammier, M., Druschel, P., Garg, D.: ERIM: secure, efficient in-process isolation with protection keys (MPK). In: Proceedings of the 28th USENIX Conference on Security Symposium, pp. 1221–1238. USENIX (2019). https://dl.acm.org/doi/10.5555/3361338.3361423
Proskurin, S., Momeu, M., Ghavamnia, S., Kemerlis, P.V., Polychronakis, M.: xMP: selective memory protection for kernel and user space. In: Proceedings of the 2020 IEEE Symposium on Security and Privacy, pp. 563–577. IEEE (2020). https://doi.org/10.1109/SP40000.2020.00041
Sung, M., Olivier, P., Lankes, S., Ravindran, B.: Intra-unikernel isolation with intel memory protection keys. In: Proceedings of the 16th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments, pp. 143–156. ACM (2020). https://doi.org/10.1145/3381052.3381326
Edge, J.: Control-flow integrity for the kernel. https://lwn.net/Articles/810077/. Accessed 8 Jan 2022
Linux Vulnerability Statistics. https://www.cvedetails.com/vendor/33/Linux.html. Accessed 5 July 2019
Acknowledgment
This work was partially supported by the Japan Society for the Promotion of Science (JSPS) KAKENHI Grant Number JP19H04109 and JP22H03592.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Kuzuno, H., Yamauchi, T. (2022). KDPM: Kernel Data Protection Mechanism Using a Memory Protection Key. In: Cheng, CM., Akiyama, M. (eds) Advances in Information and Computer Security. IWSEC 2022. Lecture Notes in Computer Science, vol 13504. Springer, Cham. https://doi.org/10.1007/978-3-031-15255-9_4
Download citation
DOI: https://doi.org/10.1007/978-3-031-15255-9_4
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-15254-2
Online ISBN: 978-3-031-15255-9
eBook Packages: Computer ScienceComputer Science (R0)