KMO: Kernel Memory Observer to Identify Memory Corruption by Secret Inspection Mechanism

Hiroki Kuzuno, Toshihiro Yamauchi

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

Kernel vulnerability attacks may allow attackers to execute arbitrary program code and achieve privilege escalation through credential overwriting, thereby avoiding security features. Major Linux protection methods include Kernel Address Space Layout Randomization, Control Flow Integrity, and Kernel Page Table Isolation. All of these mitigate kernel vulnerability affects and actual attacks. In addition, the No eXecute bit, Supervisor Mode Access Prevention, and Supervisor Mode Execution Prevention are CPU features for managing access permission and data execution in virtual memory. Although combinations of these methods can reduce the attack availability of kernel vulnerability based on the interaction between the user and kernel modes, kernel virtual memory corruption is still possible (e.g., the eBPF vulnerability executes the attack code only in the kernel mode). To monitor kernel virtual memory, we present the Kernel Memory Observer (KMO), which has a secret inspection mechanism and offers an alternative design for virtual memory. It allows the detection of illegal data manipulation/writing in the kernel virtual memory. KMO identifies the kernel virtual memory corruption, monitors system call arguments, and enables unmapping from the direct mapping area. An evaluation of our method indicates that it can detect the actual kernel vulnerabilities leading to kernel virtual memory corruption. In addition, the results show that the overhead is 0.038 $$\upmu $$ s to 2.505 $$\upmu $$ s in terms of system call latency, and the application benchmark is 371.0 $$\upmu $$ s to 1,990.0 $$\upmu $$ s for 100,000 HTTP accesses.

Original languageEnglish
Title of host publicationInformation Security Practice and Experience - 15th International Conference, ISPEC 2019, Proceedings
EditorsSwee-Huay Heng, Javier Lopez
PublisherSpringer
Pages75-94
Number of pages20
ISBN (Print)9783030343385
DOIs
Publication statusPublished - Jan 1 2019
Event15th International Conference on Information Security Practice and Experience, ISPEC 2019 - Kuala Lumpur, Malaysia
Duration: Nov 26 2019Nov 28 2019

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume11879 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349

Conference

Conference15th International Conference on Information Security Practice and Experience, ISPEC 2019
CountryMalaysia
CityKuala Lumpur
Period11/26/1911/28/19

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science(all)

Fingerprint Dive into the research topics of 'KMO: Kernel Memory Observer to Identify Memory Corruption by Secret Inspection Mechanism'. Together they form a unique fingerprint.

  • Cite this

    Kuzuno, H., & Yamauchi, T. (2019). KMO: Kernel Memory Observer to Identify Memory Corruption by Secret Inspection Mechanism. In S-H. Heng, & J. Lopez (Eds.), Information Security Practice and Experience - 15th International Conference, ISPEC 2019, Proceedings (pp. 75-94). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 11879 LNCS). Springer. https://doi.org/10.1007/978-3-030-34339-2_5