KMO: Kernel Memory Observer to Identify Memory Corruption by Secret Inspection Mechanism
2019; Springer Science+Business Media; Language: English
10.1007/978-3-030-34339-2_5
ISSN 1611-3349
Authors: Hiroki Kuzuno, Toshihiro Yamauchi
Topic(s): Diamond and Carbon-based Materials Research
Abstract: Kernel vulnerability attacks may allow attackers to execute arbitrary program code and achieve privilege escalation through credential overwriting, thereby bypassing security features. Major Linux protection methods include Kernel Address Space Layout Randomization, Control Flow Integrity, and Kernel Page Table Isolation. All of these mitigate the effects of kernel vulnerabilities and actual attacks. In addition, the No eXecute bit, Supervisor Mode Access Prevention, and Supervisor Mode Execution Prevention are CPU features for managing access permission and data execution in virtual memory. Although combinations of these methods can reduce the exploitability of kernel vulnerabilities that rely on interaction between user and kernel modes, kernel virtual memory corruption is still possible (e.g., the eBPF vulnerability executes the attack code only in kernel mode). To monitor kernel virtual memory, we present the Kernel Memory Observer (KMO), which has a secret inspection mechanism and offers an alternative design for virtual memory. It allows the detection of illegal data manipulation/writing in the kernel virtual memory. KMO identifies kernel virtual memory corruption, monitors system call arguments, and enables unmapping from the direct mapping area. An evaluation of our method indicates that it can detect actual kernel vulnerabilities leading to kernel virtual memory corruption. In addition, the results show that the overhead is 0.038 µs to 2.505 µs in terms of system call latency, and 371.0 µs to 1,990.0 µs on the application benchmark for 100,000 HTTP accesses.