TY - JOUR
T1 - Prevention of Kernel Memory Corruption Using Kernel Page Restriction Mechanism
AU - Kuzuno, Hiroki
AU - Yamauchi, Toshihiro
N1 - Funding Information:
Acknowledgments This work was partially supported by the Japan Society for the Promotion of Science (JSPS) KAKENHI Grant Numbers JP19H04109 and JP22H03592. Hiroki's contributions contained in the paper were made when he belonged to SECOM Co., Ltd.
Publisher Copyright:
© 2022 Information Processing Society of Japan.
PY - 2022/9
Y1 - 2022/9
N2 - An adversary's user process can compromise the security of the operating system (OS) kernel, and subsequent invocation of vulnerable kernel code can cause kernel memory corruption. The vulnerable kernel code could overwrite the kernel data containing the privilege information of user processes or the kernel data related to security features (e.g., mandatory access control). As a means of kernel protection, OS researchers have proposed the multiple kernel address space approach, which partitions the kernel address space to protect the kernel memory from memory corruption (e.g., process-local memory and system call isolation). However, in these approaches the vulnerable kernel code and the kernel data targeted by the attack still reside in the same kernel address space. Consequently, to compromise the kernel, an adversary need only invoke the vulnerable kernel code, which is the starting point of the kernel attack. With the aim of preventing such subversion attacks, this paper proposes the kernel page restriction mechanism (KPRM), an alternative design and method for preventing kernel memory corruption. The objective of KPRM is to prohibit the execution of vulnerable kernel code and to prevent writes to kernel data from an adversary's user process. KPRM unmaps the pages holding vulnerable kernel code or targeted kernel data from the adversary's user process, so that a kernel vulnerability cannot be exploited from it. Thus, the adversary's user process is prevented from executing vulnerable kernel code and from overwriting kernel data in the running kernel. Evaluation results indicate that KPRM prevents actual proof-of-concept attacks that exploit vulnerable kernel code to corrupt kernel memory.
Moreover, the maximum latency for system calls under the KPRM implementations is 0.703 µs, and the overhead for 100,000 Hypertext Transfer Protocol (HTTP) downloads via a web client program ranged from 1.188% to 4.093%. In addition, the KPRM implementations incurred acceptable overheads of 2.459% and 2.193% on kernel compile time.
AB - An adversary's user process can compromise the security of the operating system (OS) kernel, and subsequent invocation of vulnerable kernel code can cause kernel memory corruption. The vulnerable kernel code could overwrite the kernel data containing the privilege information of user processes or the kernel data related to security features (e.g., mandatory access control). As a means of kernel protection, OS researchers have proposed the multiple kernel address space approach, which partitions the kernel address space to protect the kernel memory from memory corruption (e.g., process-local memory and system call isolation). However, in these approaches the vulnerable kernel code and the kernel data targeted by the attack still reside in the same kernel address space. Consequently, to compromise the kernel, an adversary need only invoke the vulnerable kernel code, which is the starting point of the kernel attack. With the aim of preventing such subversion attacks, this paper proposes the kernel page restriction mechanism (KPRM), an alternative design and method for preventing kernel memory corruption. The objective of KPRM is to prohibit the execution of vulnerable kernel code and to prevent writes to kernel data from an adversary's user process. KPRM unmaps the pages holding vulnerable kernel code or targeted kernel data from the adversary's user process, so that a kernel vulnerability cannot be exploited from it. Thus, the adversary's user process is prevented from executing vulnerable kernel code and from overwriting kernel data in the running kernel. Evaluation results indicate that KPRM prevents actual proof-of-concept attacks that exploit vulnerable kernel code to corrupt kernel memory.
Moreover, the maximum latency for system calls under the KPRM implementations is 0.703 µs, and the overhead for 100,000 Hypertext Transfer Protocol (HTTP) downloads via a web client program ranged from 1.188% to 4.093%. In addition, the KPRM implementations incurred acceptable overheads of 2.459% and 2.193% on kernel compile time.
KW - kernel vulnerability
KW - memory corruption
KW - operating system
KW - system security
UR - http://www.scopus.com/inward/record.url?scp=85139154273&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85139154273&partnerID=8YFLogxK
U2 - 10.2197/IPSJJIP.30.563
DO - 10.2197/IPSJJIP.30.563
M3 - Article
AN - SCOPUS:85139154273
SN - 0387-5806
VL - 30
SP - 563
EP - 576
JO - Journal of Information Processing
JF - Journal of Information Processing
ER -