Transparent Protection of Commodity OS Kernels Using Hardware Virtualization

Grace, Mike; Wang, Zhi; Srinivasan, Deepa; Li, Jinku; Jiang, Xuxian; Liang, Zhenkai; Liakh, Siarhei

doi:10.1007/978-3-642-16161-2_10

Cited by 9 publications

(4 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The kernel code can be transparently executed in a virtual machine in runtime. Similar techniques are also used by Hook-Safe [67] and hvmHarvard [31]. Other techniques such as [42] rely on special compiler support to protect kernel control data.…”

Section: Related Workmentioning

confidence: 99%

Adelie: continuous address space layout re-randomization for Linux drivers

Nikolaev

Nadeem

Stone

et al. 2022

Proceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems

View full text Add to dashboard Cite

While address space layout randomization (ASLR) has been extensively studied for user-space programs, the corresponding OS kernel's KASLR support remains very limited, making the kernel vulnerable to just-in-time (JIT) return-oriented programming (ROP) attacks. Furthermore, commodity OSs such as Linux restrict their KASLR range to 32 bits due to architectural constraints (e.g., x86-64 only supports 32-bit immediate operands for most instructions), which makes them vulnerable to even unsophisticated brute-force ROP attacks due to low entropy. Most in-kernel pointers remain static, exacerbating the problem when pointers are leaked.Adelie, our kernel defense mechanism, overcomes KASLR limitations, increases KASLR entropy, and makes successful ROP attacks on the Linux kernel much harder to achieve. First, Adelie enables the position-independent code (PIC) model so that the kernel and its modules can be placed anywhere in the 64-bit virtual address space, at any distance apart from each other. Second, Adelie implements stack re-randomization and address encryption on modules. Finally, Adelie enables efficient continuous KASLR for modules by using the PIC model to make it (almost) impossible to inject ROP gadgets through these modules regardless of gadget's origin.Since device drivers (typically compiled as modules) are often developed by third parties and are typically less tested than core OS parts, they are also often more vulnerable. By fully re-randomizing device drivers, the last two contributions together prevent most JIT ROP attacks since vulnerable modules are very likely to be a starting point of an attack. Furthermore, some OS instances in virtualized environments are specifically designated to run device drivers, where drivers are the primary target of JIT ROP attacks. Using a GCC plugin that we developed, we automatically modify different kinds of kernel modules. Since the prior art tackles only user-space programs, we solve many challenges unique to the kernel code. Our evaluation shows high efficiency of Adelie's * Most of the work was done while the author worked at Virginia Tech.

show abstract

Section: Related Workmentioning

confidence: 99%

Adelie: continuous address space layout re-randomization for Linux drivers

Nikolaev

Nadeem

Stone

et al. 2022

Proceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems

View full text Add to dashboard Cite

show abstract

“…Many hypervisor-based security systems have been designed and reported in the literature. For instance, a hypervisor can be applied for I/O related protection [9,31], for kernel integrity protection [3,13,23,26,28,41,42], and for user space protection [6,7,12,21,34,43]. By studying these systems, we identify cryptographic engine, measurement, emulation, interception and manipulation as the fundamental security primitives which are adopted in Guardian as well.…”

Section: Related Workmentioning

confidence: 99%

Guardian: Hypervisor as Security Foothold for Personal Computers

Cheng

Ding

2013

Trust and Trustworthy Computing

View full text Add to dashboard Cite

Abstract. Personal computers lack of a security foothold to allow the end-users to protect their systems or to mitigate the damage. Existing candidates either rely on a large Trusted Computing Base (TCB) or are too costly to widely deploy for commodity use. To fill this gap, we propose a hypervisor-based security foothold, named as Guardian, for commodity personal computers. We innovate a bootup and shutdown mechanism to achieve both integrity and availability of Guardian. We also propose two security utilities based on Guardian. One is a device monitor which detects malicious manipulation on camera and network adaptors. The other is hyper-firewall whereby Guardian expects incoming and outgoing network packets based on policies specified by the user. We have implemented Guardian (≈ 25K SLOC) and the two utilities (≈ 2.1K SLOC) on a PC with an Intel processor. Our experiments show that Guardian is practical and incurs insignificant overhead to the system.

show abstract

“…But SecVisor can't deal with kernel code self-modifications. So SecVisor and many follow-up solutions [2,3] assume that kernels that they protect don't contain self-modifying codes. The others [4,5] solutions which don't base on that assumption don't provide a specific or effective technology to solve the problem.…”

Section: Introductionmentioning

confidence: 99%

Self-modifying Kernel Code Verification

Wang¹,

Tu²

2017

dtcse

View full text Add to dashboard Cite

As we know, injecting malicious codes is a simple and effective way to add attack logic with the same privileges as the injection targets. Because of OS kernel vulnerabilities, the kernels face code injection threats. Considering the importance of kernels, researchers proposed some kernel code protection solutions. But almost all of them depend on an assumption that the kernels don't modify the codes of themselves. However, the self-modifying codes do exist widely in the kernels. It impedes the application of these solution to the real world. Moreover, the rest of solutions don't provide specific technologies to deal with the problem. So we propose the self-modifying kernel code verification technology to distinguish malicious kernel code modification from valid kernel code self-modifications. Our technology promotes the suitability of existing kernel code protection solutions so that we enhance the kernel security in the real environment indirectly.

show abstract

Transparent Protection of Commodity OS Kernels Using Hardware Virtualization

Cited by 9 publications

References 17 publications

Adelie: continuous address space layout re-randomization for Linux drivers

Adelie: continuous address space layout re-randomization for Linux drivers

Guardian: Hypervisor as Security Foothold for Personal Computers

Self-modifying Kernel Code Verification

Contact Info

Product

Resources

About