Additional kernel observer: privilege escalation attack prevention mechanism focusing on system call privilege changes

Yamauchi, Toshihiro; Akao, Yohei; Yoshitani, Ryota; Nakamura, Yūichi; Hashimoto, Masaki

doi:10.1007/s10207-020-00514-7

Cited by 7 publications

(1 citation statement)

References 13 publications

(19 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Kernel control flow integrity (KCoFI) inspects the order of code execution [7] to restrict the kernel code from being illegally invoked [8]. Kernel address space layout randomization (KASLR) randomizes the virtual addresses of the kernel code and kernel data in the kernel memory space to foil attacks [9], whereas the additional kernel observer (AKO) detects unintentional rewriting in response to the changes in the privileged information of user processes against a privilege escalation attack [10].…”

Section: Introductionmentioning

confidence: 99%

Protection Mechanism of Kernel Data Using Memory Protection Key

KUZUNO,

YAMAUCHI

2023

IEICE Trans. Inf. & Syst.

Self Cite

View full text Add to dashboard Cite

Memory corruption can modify the kernel data of an operating system kernel through exploiting kernel vulnerabilities that allow privilege escalation and defeats security mechanisms. To prevent memory corruption, the several security mechanisms are proposed. Kernel address space layout randomization randomizes the virtual address layout of the kernel. The kernel control flow integrity verifies the order of invoking kernel codes. The additional kernel observer focuses on the unintended privilege modifications. However, illegal writing of kernel data is not prevented by these existing security mechanisms. Therefore, an adversary can achieve the privilege escalation and the defeat of security mechanisms. This study proposes a kernel data protection mechanism (KDPM), which is a novel security design that restricts the writing of specific kernel data. The KDPM adopts a memory protection key (MPK) to control the write restriction of kernel data. The KDPM with the MPK ensures that the writing of privileged information for user processes and the writing of kernel data related to the mandatory access control. These are dynamically restricted during the invocation of specific system calls and the execution of specific kernel codes. Further, the KDPM is implemented on the latest Linux with an MPK emulator. The evaluation results indicate the possibility of preventing the illegal writing of kernel data. The KDPM showed an acceptable performance cost, measured by the overhead, which was from 2.96% to 9.01% of system call invocations, whereas the performance load on the MPK operations was 22.1 ns to 1347.9 ns. Additionally, the KDPM requires 137 to 176 instructions for its implementations.

show abstract