
KMO: Kernel Memory Observer to Identify Memory Corruption by Secret Inspection Mechanism

  • Hiroki Kuzuno
  • Toshihiro Yamauchi
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11879)

Abstract

Kernel vulnerability attacks may allow attackers to execute arbitrary program code and achieve privilege escalation through credential overwriting, thereby bypassing security features. Major Linux protection methods include Kernel Address Space Layout Randomization, Control Flow Integrity, and Kernel Page Table Isolation. All of these mitigate the effects of kernel vulnerabilities and actual attacks. In addition, the No eXecute bit, Supervisor Mode Access Prevention, and Supervisor Mode Execution Prevention are CPU features for managing access permission and data execution in virtual memory. Although combinations of these methods can reduce the exploitability of kernel vulnerabilities that rely on interaction between user and kernel modes, kernel virtual memory corruption is still possible (e.g., the eBPF vulnerability executes the attack code only in kernel mode).

To monitor kernel virtual memory, we present the Kernel Memory Observer (KMO), which has a secret inspection mechanism and offers an alternative design for virtual memory. It allows the detection of illegal data manipulation or writing in the kernel virtual memory. KMO identifies kernel virtual memory corruption, monitors system call arguments, and enables unmapping from the direct mapping area. An evaluation of our method indicates that it can detect actual kernel vulnerabilities leading to kernel virtual memory corruption. In addition, the results show that the overhead is 0.038 μs to 2.505 μs in terms of system call latency, and the application benchmark overhead is 371.0 μs to 1,990.0 μs for 100,000 HTTP accesses.
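The abstract describes three KMO capabilities: a secret reference copy of kernel data, inspection at system call entry, and keeping the reference copy unmapped from ordinary access. The following user-space model, added here as an illustration and not the paper's implementation, reproduces that shape for a credential structure: the reference copy lives on its own page that is PROT_NONE except during inspection, and a write that bypasses the legitimate update path is flagged. All names (`cred_model`, `kmo_init`, `kmo_set_cred`, `kmo_inspect`) are hypothetical.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

/* Subset of task credentials that credential-overwriting attacks target. */
struct cred_model { uint32_t uid, gid, euid, egid; };
static struct cred_model live_cred;     /* the copy the (model) kernel reads */
static struct cred_model *secret_copy;  /* reference copy on a hidden page */
static size_t page_sz;

/* Snapshot legitimate credentials into a secret page, then hide it (PROT_NONE). */
int kmo_init(const struct cred_model *initial) {
    page_sz = (size_t)sysconf(_SC_PAGESIZE);
    secret_copy = mmap(NULL, page_sz, PROT_READ | PROT_WRITE,
                       MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (secret_copy == MAP_FAILED) return -1;
    live_cred = *initial;
    *secret_copy = *initial;
    return mprotect(secret_copy, page_sz, PROT_NONE);
}

/* Legitimate credential change (the setuid path): update both views. */
int kmo_set_cred(const struct cred_model *c) {
    if (mprotect(secret_copy, page_sz, PROT_READ | PROT_WRITE) != 0) return -1;
    live_cred = *c;
    *secret_copy = *c;
    return mprotect(secret_copy, page_sz, PROT_NONE);
}

/* Syscall-entry inspection: 1 = live copy differs from secret copy, 0 = clean, -1 = error. */
int kmo_inspect(void) {
    if (mprotect(secret_copy, page_sz, PROT_READ) != 0) return -1;
    int corrupted = memcmp(&live_cred, secret_copy, sizeof live_cred) != 0;
    if (mprotect(secret_copy, page_sz, PROT_NONE) != 0) return -1;
    return corrupted;
}

/* Constructed attack effect: a write to the live struct that skips kmo_set_cred. */
void simulate_cred_overwrite(void) { live_cred.uid = 0; live_cred.euid = 0; }

int main(void) {
    struct cred_model u = { 1000, 1000, 1000, 1000 };
    if (kmo_init(&u) != 0) return 1;
    printf("clean: %d\n", kmo_inspect());
    simulate_cred_overwrite();
    printf("after overwrite: %d\n", kmo_inspect());
    return 0;
}
```

The model checks only one structure; the real observer must also decide which kernel objects to mirror and keep the mirror page out of the kernel's own direct mapping, which is the point of the unmapping the abstract mentions.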

Notes

Acknowledgement

This work was partially supported by JSPS KAKENHI Grant Number JP19H04109.


Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. Graduate School of Natural Science and Technology, Okayama University, Okayama, Japan
  2. Intelligent Systems Laboratory, SECOM CO., LTD., Tokyo, Japan
