KPRM: Kernel Page Restriction Mechanism to Prevent Kernel Memory Corruption

Hiroki Kuzuno, Toshihiro Yamauchi

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

An operating system (OS) comprises a mechanism for sharing the kernel address space with each user process. An adversary’s user process compromises the OS kernel through memory corruption, exploiting the kernel vulnerability. It overwrites the kernel code related to security features or the kernel data containing privilege information. Process-local memory and system call isolation divide one kernel address space into multiple kernel address spaces. While user processes create their own kernel address space, these methods leave the kernel code vulnerable. Further, an adversary’s user process can involve malicious code that elevates from user mode to kernel mode. Herein, we propose the kernel page restriction mechanism (KPRM), which is a novel security design that prohibits vulnerable kernel code execution and prevents writing to the kernel data from an adversary’s user process. The KPRM dynamically unmaps the kernel page of vulnerable kernel code and attack target kernel data from the kernel address space. This removes the reference of the unmapped kernel page from the kernel page table at the system call invocation. The KPRM achieves that an adversary’s user process can not employ the reference of unmapped kernel page to exploit the kernel through vulnerable kernel code on the running kernel. We implemented KPRM on the latest Linux kernel and showed that it successfully thwarts actual proof-of-concept kernel vulnerability attacks that may cause kernel memory corruption. In addition, the KPRM performance results indicated limited kernel processing overhead in software benchmarks and a low impact on user applications.

Original languageEnglish
Title of host publicationAdvances in Information and Computer Security - 16th International Workshop on Security, IWSEC 2021, Proceedings
EditorsToru Nakanishi, Ryo Nojima
PublisherSpringer Science and Business Media Deutschland GmbH
Pages45-63
Number of pages19
ISBN (Print)9783030859862
DOIs
Publication statusPublished - 2021
Event16th International Workshop on Security, IWSEC 2021 - Virtual, Online
Duration: Sep 8 2021Sep 10 2021

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume12835 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349

Conference

Conference16th International Workshop on Security, IWSEC 2021
CityVirtual, Online
Period9/8/219/10/21

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science(all)

Fingerprint

Dive into the research topics of 'KPRM: Kernel Page Restriction Mechanism to Prevent Kernel Memory Corruption'. Together they form a unique fingerprint.

Cite this