
Quantifiable Run-Time Kernel Attack Surface Reduction

  • Conference paper
Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2014)

Abstract

The sheer size of commodity operating system kernels makes them a prime target for local attackers aiming to escalate privileges. At the same time, as much as 90% of kernel functions are not required for processing system calls originating from a typical network daemon. This results in an unnecessarily high exposure. In this paper, we introduce kRazor, an approach to reduce the kernel’s attack surface by limiting the amount of kernel code accessible to an application. kRazor first traces individual kernel functions used by an application. kRazor can then detect and prevent uses of unnecessary kernel functions by a process. This step is implemented as a kernel module that instruments select kernel functions. A heuristic on the kernel function selection allows kRazor to have negligible performance overhead. We evaluate results under real-world workloads for four typical server applications. Results show that the performance overhead and false positives remain low, while the attack surface reduction can be as high as 80%.
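The two-phase scheme the abstract describes (trace the kernel functions an application uses, then instrument and block everything else) can be followed end to end in user space. The block below is an added simulation, not the paper's kRazor code: it parses a trace in the layout of ftrace's function tracer, builds a per-application whitelist, computes the attack-surface reduction against a kallsyms-style symbol list, and replays an enforcement-phase trace against the resulting policy. The trace lines, the symbol list and the probe-selection heuristic (instrument only the functions the profile never used) are constructed assumptions, and the kernel function names are illustrative.

```python
"""Two-phase kernel attack-surface reduction, simulated in user space (added example).
Phase 1 learns which kernel functions each application executed; phase 2 instruments
only the functions outside that profile and denies any use of them. All data is constructed."""
import re
from collections import defaultdict

# Constructed stand-in for /proc/kallsyms (assumption: same "addr type name" layout).
KALLSYMS = """\
ffffffff81100000 T vfs_read
ffffffff81100100 T vfs_write
ffffffff81100200 T ksys_read
ffffffff81100300 T ksys_write
ffffffff81100400 T __x64_sys_read
ffffffff81100500 T __x64_sys_write
ffffffff81100600 T tcp_sendmsg
ffffffff81100700 T tcp_recvmsg
ffffffff81100800 T __sys_sendto
ffffffff81100900 T __sys_recvfrom
ffffffff81100a00 T __x64_sys_ptrace
ffffffff81100b00 t ptrace_attach
ffffffff81100c00 d some_data_symbol
"""

# Constructed traces in ftrace function-tracer layout: TASK-PID [CPU] flags TIMESTAMP: func <-caller
TRAINING_TRACE = """\
# tracer: function
#           TASK-PID     CPU#  ||||   TIMESTAMP  FUNCTION
           nginx-1234    [000] ....  1000.000100: __x64_sys_read <-do_syscall_64
           nginx-1234    [000] ....  1000.000101: ksys_read <-__x64_sys_read
           nginx-1234    [000] ....  1000.000102: vfs_read <-ksys_read
           nginx-1234    [001] ....  1000.000200: __sys_sendto <-do_syscall_64
           nginx-1234    [001] ....  1000.000201: tcp_sendmsg <-__sys_sendto
           nginx-1235    [002] ....  1000.000300: __sys_recvfrom <-do_syscall_64
           nginx-1235    [002] ....  1000.000301: tcp_recvmsg <-__sys_recvfrom
            bash-77      [003] ....  1000.000400: __x64_sys_write <-do_syscall_64
            bash-77      [003] ....  1000.000401: ksys_write <-__x64_sys_write
            bash-77      [003] ....  1000.000402: vfs_write <-ksys_write
"""
# Enforcement phase: nginx wanders into ptrace; bash reads a file although training never saw it read.
ENFORCEMENT_TRACE = """\
           nginx-1234    [000] ....  2000.000100: vfs_read <-ksys_read
           nginx-1234    [000] ....  2000.000200: __x64_sys_ptrace <-do_syscall_64
           nginx-1234    [000] ....  2000.000201: ptrace_attach <-__x64_sys_ptrace
            bash-77      [001] ....  2000.000300: vfs_read <-ksys_read
"""
TRACE_LINE = re.compile(r"^\s*(?P<comm>.+?)-(?P<pid>\d+)\s+\[\d+\]\s+\S+\s+\d+\.\d+:\s+"
                        r"(?P<func>\S+)\s+<-(?P<caller>\S+)\s*$")

def parse_kallsyms(text):
    """Kernel code symbols only (types t/T); data symbols are not executable attack surface."""
    return {p[2] for p in (ln.split() for ln in text.splitlines()) if len(p) >= 3 and p[1] in ("t", "T")}

def build_profiles(trace_text):
    """Phase 1: per-application (comm) set of executed kernel functions. Only the callee column
    is recorded; with the function tracer every executed function also gets its own line."""
    profiles = defaultdict(set)
    for m in filter(None, map(TRACE_LINE.match, trace_text.splitlines())):  # headers do not match
        profiles[m.group("comm")].add(m.group("func"))
    return dict(profiles)

def select_probes(profile, kernel_funcs):
    """Selection heuristic (assumption, not the paper's): instrument only functions the profile
    never used, so the application's normal code paths carry no probe cost at all."""
    return kernel_funcs - profile

def surface_reduction(profile, kernel_funcs):
    """Fraction of kernel code symbols the application can no longer reach."""
    return 1.0 - len(profile & kernel_funcs) / len(kernel_funcs)

def make_policy(profiles, kernel_funcs):
    """Phase 2 policy: comm -> set of probed (forbidden) functions."""
    return {comm: select_probes(prof, kernel_funcs) for comm, prof in profiles.items()}

def is_allowed(policy, comm, func):
    """Unprofiled applications have nothing instrumented; profiled ones may not hit a probe."""
    return comm not in policy or func not in policy[comm]

def replay(policy, trace_text):
    """Run a trace through the policy; return the (comm, func) pairs a kernel module would deny."""
    return [(m.group("comm"), m.group("func")) for m in map(TRACE_LINE.match, trace_text.splitlines())
            if m and not is_allowed(policy, m.group("comm"), m.group("func"))]

if __name__ == "__main__":
    kernel, profiles = parse_kallsyms(KALLSYMS), build_profiles(TRAINING_TRACE)
    for comm, prof in profiles.items():
        print(f"{comm}: uses {len(prof)}/{len(kernel)} kernel functions, "
              f"attack surface reduced by {surface_reduction(prof, kernel):.0%}")
    print("denied:", replay(make_policy(profiles, kernel), ENFORCEMENT_TRACE))
```

On a real Linux host the training input would come from tracefs (the function tracer selected in `current_tracer`, with `set_ftrace_pid` restricted to the daemon under study) and the symbol list from `/proc/kallsyms`; the enforcing half would be a kernel module placing probes on the selected functions rather than a replay over text. The last denial in the replay is the false positive the abstract warns about: bash reads a file during enforcement although the training workload never exercised that path, which is why the coverage of the training run matters as much as the headline reduction figure.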


References

  1. Accetta, M., Baron, R., Golub, D., Rashid, R., Tevanian, A., Young, M.: Mach: A New Kernel Foundation for UNIX Development. In: Proceedings of the USENIX Summer Conference (1986)

  2. Acharya, A., Raje, M.: MAPbox: Using parameterized behavior classes to confine untrusted applications. In: Proceedings of the 9th USENIX Security Symposium (2000)

  3. Boyd-Wickizer, S., Zeldovich, N.: Tolerating malicious device drivers in Linux. In: Proceedings of the 2010 USENIX Annual Technical Conference, Berkeley, CA, USA (2010)

  4. Canali, D., Lanzi, A., Balzarotti, D., Kruegel, C., Christodorescu, M., Kirda, E.: A quantitative study of accuracy in system call-based malware detection. In: Proceedings of the 2012 International Symposium on Software Testing and Analysis, New York, NY, USA (2012)

  5. Carbone, M., Cui, W., Lu, L., Lee, W., Peinado, M., Jiang, X.: Mapping kernel objects to enable systematic integrity checking. In: Proceedings of the 16th ACM Conference on Computer and Communications Security, New York, NY, USA (2009)

  6. Castro, M., Costa, M., Martin, J.P., Peinado, M., Akritidis, P., Donnelly, A., Barham, P., Black, R.: Fast byte-granularity software fault isolation. In: [40]

  7. Chanet, D., De Sutter, B., De Bus, B., Van Put, L., De Bosschere, K.: System-wide compaction and specialization of the Linux kernel. In: Proceedings of the 2005 ACM SIGPLAN/SIGBED Conference on Languages, Compilers and Tools for Embedded Systems (LCTES 2005), New York, NY, USA (2005)

  8. Criswell, J., Lenharth, A., Dhurjati, D., Adve, V.: Secure Virtual Architecture: A safe execution environment for commodity operating systems. In: Proceedings of the 21st ACM Symposium on Operating Systems Principles (SOSP 2007), New York, NY, USA (2007)

  9. Dan, A., Mohindra, A., Ramaswami, R., Sitaram, D.: Chakravyuha: A sandbox operating system for the controlled execution of alien code. Tech. rep., IBM T.J. Watson Research Center (1997)

  10. Donenfeld, J.A.: Linux local privilege escalation via SUID /proc/pid/mem write (2012), http://blog.zx2c4.com/749

  11. Esser, S.: iOS Kernel Exploitation (2011), http://media.blackhat.com/bh-us-11/Esser/BH_US_11_Esser_Exploiting_The_iOS_Kernel_Slides.pdf

  12. Evans, C.: Pwnium 3 and Pwn2Own results (2013), http://blog.chromium.org/2013/03/pwnium-3-and-pwn2own-results.html

  13. Feng, H.H., Kolesnikov, O.M., Fogla, P., Lee, W., Gong, W.: Anomaly detection using call stack information. In: Proceedings of the 2003 IEEE Symposium on Security and Privacy, Washington, DC, USA (2003)

  14. Forrest, S., Hofmeyr, S., Somayaji, A.: The evolution of system-call monitoring. In: Proceedings of the 2008 Annual Computer Security Applications Conference, Washington, DC, USA (2008)

  15. Forrest, S., Hofmeyr, S.A., Somayaji, A., Longstaff, T.A.: A sense of self for UNIX processes. In: Proceedings of the 1996 IEEE Symposium on Security and Privacy, Washington, DC, USA (1996)

  16. Gao, D., Reiter, M.K., Song, D.: Gray-box extraction of execution graphs for anomaly detection. In: Proceedings of the 11th ACM Conference on Computer and Communications Security, New York, NY, USA (2004)

  17. Garfinkel, T.: Traps and pitfalls: Practical problems in system call interposition based security tools. In: Proceedings of the Network and Distributed System Security Symposium (NDSS 2003) (2003)

  18. Goldberg, I., Wagner, D., Thomas, R., Brewer, E.A.: A secure environment for untrusted helper applications: Confining the wily hacker. In: Proceedings of the 6th USENIX Security Symposium (1996)

  19. Google: Seccomp sandbox for Linux (2009)

  20. Härtig, H., Hohmuth, M., Feske, N., Helmuth, C., Lackorzynski, A., Mehnert, F., Peter, M.: The Nizza secure-system architecture. In: 2005 International Conference on Collaborative Computing: Networking, Applications and Worksharing (2005)

  21. Heiser, G., Leslie, B.: The OKL4 microvisor: Convergence point of microkernels and hypervisors. In: Proceedings of the First ACM Asia-Pacific Workshop on Systems, New York, NY, USA (2010)

  22. Herder, J.N., Bos, H., Gras, B., Homburg, P., Tanenbaum, A.S.: Construction of a highly dependable operating system. In: Proceedings of the Sixth European Dependable Computing Conference, Washington, DC, USA (2006a)

  23. Herder, J.N., Bos, H., Gras, B., Homburg, P., Tanenbaum, A.S.: MINIX 3: A highly reliable, self-repairing operating system. SIGOPS Oper. Syst. Rev. 40(3) (2006b)

  24. Herder, J.N., Bos, H., Gras, B., Homburg, P., Tanenbaum, A.S.: Countering IPC threats in multiserver operating systems (a fundamental requirement for dependability). In: Proceedings of the 2008 14th IEEE Pacific Rim International Symposium on Dependable Computing, Washington, DC, USA (2008)

  25. Hofmeyr, S.A., Forrest, S., Somayaji, A.: Intrusion detection using sequences of system calls. J. Comput. Secur. 6(3) (1998)

  26. Hohmuth, M., Peter, M., Härtig, H., Shapiro, J.S.: Reducing TCB size by using untrusted components: Small kernels versus virtual-machine monitors. In: Proceedings of the 11th ACM SIGOPS European Workshop, New York, NY, USA (2004)

  27. Jaeger, T., Edwards, A., Zhang, X.: Consistency analysis of authorization hook placement in the Linux Security Modules framework. ACM Trans. Inf. Syst. Secur. 7(2) (2004)

  28. Kemerlis, V.P., Portokalidis, G., Keromytis, A.D.: kGuard: Lightweight kernel protection against return-to-user attacks. In: Proceedings of the 21st USENIX Security Symposium, Berkeley, CA, USA (2012)

  29. Klein, G., Elphinstone, K., Heiser, G., Andronick, J., Cock, D., Derrin, P., Elkaduwe, D., Engelhardt, K., Kolanski, R., Norrish, M., Sewell, T., Tuch, H., Winwood, S.: seL4: Formal verification of an OS kernel. In: [40]

  30. Kruegel, C., Kirda, E., Mutz, D., Robertson, W., Vigna, G.: Automating mimicry attacks using static binary analysis. In: Proceedings of the 14th USENIX Security Symposium, Berkeley, CA, USA (2005)

  31. Kruegel, C., Mutz, D., Valeur, F., Vigna, G.: On the detection of anomalous system call arguments. In: Snekkenes, E., Gollmann, D. (eds.) ESORICS 2003. LNCS, vol. 2808, pp. 326–343. Springer, Heidelberg (2003)

  32. Kurmus, A., Gupta, M., Pletka, R., Cachin, C., Haas, R.: A comparison of secure multi-tenancy architectures for filesystem storage clouds. In: Kon, F., Kermarrec, A.-M. (eds.) Middleware 2011. LNCS, vol. 7049, pp. 471–490. Springer, Heidelberg (2011a)

  33. Kurmus, A., Sorniotti, A., Kapitza, R.: Attack Surface Reduction for Commodity OS Kernels. In: Proceedings of the Fourth European Workshop on System Security (2011b)

  34. Kurmus, A., Tartler, R., Dorneanu, D., Heinloth, B., Rothberg, V., Ruprecht, A., Schröder-Preikschat, W., Lohmann, D., Kapitza, R.: Attack Surface Metrics and Automated Compile-Time OS Kernel Tailoring. In: Proceedings of the 20th Network and Distributed System Security Symposium (2013)

  35. Lee, C., Lin, J., Hong, Z., Lee, W.: An application-oriented Linux kernel customization for embedded systems. Journal of Information Science and Engineering 20(6) (2004)

  36. Lenharth, A., Adve, V.S., King, S.T.: Recovery domains: An organizing principle for recoverable operating systems. In: Proceedings of the 14th International Conference on Architectural Support for Programming Languages and Operating Systems, New York, NY, USA (2009)

  37. Liedtke, J.: On μ-kernel construction. In: Proceedings of the 15th ACM Symposium on Operating Systems Principles (SOSP 1995) (1995)

  38. Ma, W., Duan, P., Liu, S., Gu, G., Liu, J.C.: Shadow attacks: Automatically evading system-call-behavior based malware detection. J. Comput. Virol. 8(1-2) (2012)

  39. Mao, Y., Chen, H., Zhou, D., Wang, X., Zeldovich, N., Kaashoek, M.F.: Software fault isolation with API integrity and multi-principal modules. In: Proceedings of the 23rd ACM Symposium on Operating Systems Principles (SOSP 2011), New York, NY, USA (2011)

  40. Matthews, J.N., Anderson, T.E. (eds.): Proceedings of the 22nd ACM Symposium on Operating Systems Principles (SOSP 2009), New York, NY, USA (2009)

  41. McCabe, T.: A complexity measure. IEEE Transactions on Software Engineering SE-2(4) (1976)

  42. McCanne, S., Jacobson, V.: The BSD packet filter: A new architecture for user-level packet capture. In: Proceedings of the USENIX Winter 1993 Conference, Berkeley, CA, USA (1993)

  43. McCune, J.M., Parno, B.J., Perrig, A., Reiter, M.K., Isozaki, H.: Flicker: An execution infrastructure for TCB minimization. SIGOPS Oper. Syst. Rev. 42(4) (2008)

  44. Murray, D.G., Milos, G., Hand, S.: Improving Xen security through disaggregation. In: Proceedings of the Fourth ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments, New York, NY, USA (2008)

  45. Mutz, D., Valeur, F., Vigna, G., Kruegel, C.: Anomalous system call detection. ACM Trans. Inf. Syst. Secur. 9(1) (2006)

  46. Provos, N.: Improving host security with system call policies. In: Proceedings of the 12th USENIX Security Symposium (2003)

  47. Sculley, D.: Web-scale k-means clustering. In: Proceedings of the 19th International Conference on World Wide Web, New York, NY, USA (2010)

  48. Seshadri, A., Luk, M., Qu, N., Perrig, A.: SecVisor: A tiny hypervisor to provide lifetime kernel code integrity for commodity OSes. In: Proceedings of the 21st ACM SIGOPS Symposium on Operating Systems Principles, New York, NY, USA (2007)

  49. Shin, Y., Williams, L.: Is complexity really the enemy of software security? In: Proceedings of the 4th ACM Workshop on Quality of Protection, New York, NY, USA (2008)

  50. Smalley, S., Vance, C., Salamon, W.: Implementing SELinux as a Linux security module. Tech. rep., NAI Labs Report (2001)

  51. Spengler, B., PaX Team: grsecurity kernel patches (2003), http://www.grsecurity.net

  52. Swift, M.M., Martin, S., Levy, H.M., Eggers, S.J.: Nooks: An architecture for reliable device drivers. In: Proceedings of the 9th ACM SIGOPS European Workshop "Beyond the PC: New Challenges for the Operating System", New York, NY, USA (2002)

  53. Tan, K.M.C., McHugh, J., Killourhy, K.S.: Hiding intrusions: From the abnormal to the normal and beyond. In: Revised Papers from the 5th International Workshop on Information Hiding, London, UK (2003)

  54. Wagner, D., Dean, D.: Intrusion detection via static analysis. In: Proceedings of the 2001 IEEE Symposium on Security and Privacy, Washington, DC, USA (2001)

  55. Wagner, D., Soto, P.: Mimicry attacks on host-based intrusion detection systems. In: Proceedings of the 9th ACM Conference on Computer and Communications Security, New York, NY, USA (2002)

  56. Watson, R.N.M.: Exploiting concurrency vulnerabilities in system call wrappers. In: Proceedings of the First USENIX Workshop on Offensive Technologies, Berkeley, CA, USA (2007)

  57. Watson, R.N.M.: A decade of OS access-control extensibility. Commun. ACM 56(2) (2013)

  58. Wright, C., Cowan, C., Morris, J., Smalley, S., Kroah-Hartman, G.: Linux Security Module framework. In: Ottawa Linux Symposium, vol. 8032 (2002)


Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Kurmus, A., Dechand, S., Kapitza, R. (2014). Quantifiable Run-Time Kernel Attack Surface Reduction. In: Dietrich, S. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2014. Lecture Notes in Computer Science, vol 8550. Springer, Cham. https://doi.org/10.1007/978-3-319-08509-8_12


  • DOI: https://doi.org/10.1007/978-3-319-08509-8_12

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-08508-1

  • Online ISBN: 978-3-319-08509-8

  • eBook Packages: Computer Science (R0)
