You shall not (by)pass!

Voulimeneas, Alexios; Vinck, Jonas; Mechelinck, Ruben; Volckaert, Stijn

doi:10.1145/3492321.3519560

Cited by 18 publications

(1 citation statement)

References 48 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…ERIM is proposed as a separation method for the protected user process data into different user processes using PSU [20]. Cerberus is proposed as a sandbox framework for user application using the PSU [21]. Kernel Data Protection using the MPK: To protect the kernel code and kernel data using the MPK in the kernel, xMP proposes a security mechanism that provides multiple domains.…”

Section: Related Workmentioning

confidence: 99%

Protection Mechanism of Kernel Data Using Memory Protection Key

KUZUNO,

YAMAUCHI

2023

IEICE Trans. Inf. & Syst.

View full text Add to dashboard Cite

Memory corruption can modify the kernel data of an operating system kernel through exploiting kernel vulnerabilities that allow privilege escalation and defeats security mechanisms. To prevent memory corruption, the several security mechanisms are proposed. Kernel address space layout randomization randomizes the virtual address layout of the kernel. The kernel control flow integrity verifies the order of invoking kernel codes. The additional kernel observer focuses on the unintended privilege modifications. However, illegal writing of kernel data is not prevented by these existing security mechanisms. Therefore, an adversary can achieve the privilege escalation and the defeat of security mechanisms. This study proposes a kernel data protection mechanism (KDPM), which is a novel security design that restricts the writing of specific kernel data. The KDPM adopts a memory protection key (MPK) to control the write restriction of kernel data. The KDPM with the MPK ensures that the writing of privileged information for user processes and the writing of kernel data related to the mandatory access control. These are dynamically restricted during the invocation of specific system calls and the execution of specific kernel codes. Further, the KDPM is implemented on the latest Linux with an MPK emulator. The evaluation results indicate the possibility of preventing the illegal writing of kernel data. The KDPM showed an acceptable performance cost, measured by the overhead, which was from 2.96% to 9.01% of system call invocations, whereas the performance load on the MPK operations was 22.1 ns to 1347.9 ns. Additionally, the KDPM requires 137 to 176 instructions for its implementations.

show abstract

Section: Related Workmentioning

confidence: 99%