KMO: Kernel Memory Observer to Identify Memory Corruption by Secret Inspection Mechanism

Hiroki Kuzuno; Toshihiro Yamauchi

doi:10.1007/978-3-030-34339-2_5

KMO: Kernel Memory Observer to Identify Memory Corruption by Secret Inspection Mechanism

Hiroki Kuzuno, Toshihiro Yamauchi

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

3 Citations (Scopus)

Abstract

Kernel vulnerability attacks may allow attackers to execute arbitrary program code and achieve privilege escalation through credential overwriting, thereby avoiding security features. Major Linux protection methods include Kernel Address Space Layout Randomization, Control Flow Integrity, and Kernel Page Table Isolation. All of these mitigate kernel vulnerability affects and actual attacks. In addition, the No eXecute bit, Supervisor Mode Access Prevention, and Supervisor Mode Execution Prevention are CPU features for managing access permission and data execution in virtual memory. Although combinations of these methods can reduce the attack availability of kernel vulnerability based on the interaction between the user and kernel modes, kernel virtual memory corruption is still possible (e.g., the eBPF vulnerability executes the attack code only in the kernel mode). To monitor kernel virtual memory, we present the Kernel Memory Observer (KMO), which has a secret inspection mechanism and offers an alternative design for virtual memory. It allows the detection of illegal data manipulation/writing in the kernel virtual memory. KMO identifies the kernel virtual memory corruption, monitors system call arguments, and enables unmapping from the direct mapping area. An evaluation of our method indicates that it can detect the actual kernel vulnerabilities leading to kernel virtual memory corruption. In addition, the results show that the overhead is 0.038 $$\upmu $$ s to 2.505 $$\upmu $$ s in terms of system call latency, and the application benchmark is 371.0 $$\upmu $$ s to 1,990.0 $$\upmu $$ s for 100,000 HTTP accesses.

Original language	English
Title of host publication	Information Security Practice and Experience - 15th International Conference, ISPEC 2019, Proceedings
Editors	Swee-Huay Heng, Javier Lopez
Publisher	Springer
Pages	75-94
Number of pages	20
ISBN (Print)	9783030343385
DOIs	https://doi.org/10.1007/978-3-030-34339-2_5
Publication status	Published - 2019
Event	15th International Conference on Information Security Practice and Experience, ISPEC 2019 - Kuala Lumpur, Malaysia Duration: Nov 26 2019 → Nov 28 2019

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	11879 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	15th International Conference on Information Security Practice and Experience, ISPEC 2019
Country/Territory	Malaysia
City	Kuala Lumpur
Period	11/26/19 → 11/28/19

ASJC Scopus subject areas

Theoretical Computer Science
Computer Science(all)

Access to Document

10.1007/978-3-030-34339-2_5

Cite this

Kuzuno, H., & Yamauchi, T. (2019). KMO: Kernel Memory Observer to Identify Memory Corruption by Secret Inspection Mechanism. In S-H. Heng, & J. Lopez (Eds.), Information Security Practice and Experience - 15th International Conference, ISPEC 2019, Proceedings (pp. 75-94). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 11879 LNCS). Springer. https://doi.org/10.1007/978-3-030-34339-2_5

KMO: Kernel Memory Observer to Identify Memory Corruption by Secret Inspection Mechanism. / Kuzuno, Hiroki; Yamauchi, Toshihiro.
Information Security Practice and Experience - 15th International Conference, ISPEC 2019, Proceedings. ed. / Swee-Huay Heng; Javier Lopez. Springer, 2019. p. 75-94 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 11879 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Kuzuno, H & Yamauchi, T 2019, KMO: Kernel Memory Observer to Identify Memory Corruption by Secret Inspection Mechanism. in S-H Heng & J Lopez (eds), Information Security Practice and Experience - 15th International Conference, ISPEC 2019, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 11879 LNCS, Springer, pp. 75-94, 15th International Conference on Information Security Practice and Experience, ISPEC 2019, Kuala Lumpur, Malaysia, 11/26/19. https://doi.org/10.1007/978-3-030-34339-2_5

Kuzuno H, Yamauchi T. KMO: Kernel Memory Observer to Identify Memory Corruption by Secret Inspection Mechanism. In Heng S-H, Lopez J, editors, Information Security Practice and Experience - 15th International Conference, ISPEC 2019, Proceedings. Springer. 2019. p. 75-94. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-030-34339-2_5

Kuzuno, Hiroki ; Yamauchi, Toshihiro. / KMO : Kernel Memory Observer to Identify Memory Corruption by Secret Inspection Mechanism. Information Security Practice and Experience - 15th International Conference, ISPEC 2019, Proceedings. editor / Swee-Huay Heng ; Javier Lopez. Springer, 2019. pp. 75-94 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{47709109d2b04de1b72b9afb86fb08a5,

title = "KMO: Kernel Memory Observer to Identify Memory Corruption by Secret Inspection Mechanism",

abstract = "Kernel vulnerability attacks may allow attackers to execute arbitrary program code and achieve privilege escalation through credential overwriting, thereby avoiding security features. Major Linux protection methods include Kernel Address Space Layout Randomization, Control Flow Integrity, and Kernel Page Table Isolation. All of these mitigate kernel vulnerability affects and actual attacks. In addition, the No eXecute bit, Supervisor Mode Access Prevention, and Supervisor Mode Execution Prevention are CPU features for managing access permission and data execution in virtual memory. Although combinations of these methods can reduce the attack availability of kernel vulnerability based on the interaction between the user and kernel modes, kernel virtual memory corruption is still possible (e.g., the eBPF vulnerability executes the attack code only in the kernel mode). To monitor kernel virtual memory, we present the Kernel Memory Observer (KMO), which has a secret inspection mechanism and offers an alternative design for virtual memory. It allows the detection of illegal data manipulation/writing in the kernel virtual memory. KMO identifies the kernel virtual memory corruption, monitors system call arguments, and enables unmapping from the direct mapping area. An evaluation of our method indicates that it can detect the actual kernel vulnerabilities leading to kernel virtual memory corruption. In addition, the results show that the overhead is 0.038 $$\upmu $$ s to 2.505 $$\upmu $$ s in terms of system call latency, and the application benchmark is 371.0 $$\upmu $$ s to 1,990.0 $$\upmu $$ s for 100,000 HTTP accesses.",

author = "Hiroki Kuzuno and Toshihiro Yamauchi",

note = "Funding Information: This work was partially supported by JSPS KAKENHI Grant Funding Information: This work was partially supported by JSPS KAKENHI Grant Number JP19H04109. Publisher Copyright: {\textcopyright} Springer Nature Switzerland AG, 2019.; 15th International Conference on Information Security Practice and Experience, ISPEC 2019 ; Conference date: 26-11-2019 Through 28-11-2019",

year = "2019",

doi = "10.1007/978-3-030-34339-2_5",

language = "English",

isbn = "9783030343385",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer",

pages = "75--94",

editor = "Swee-Huay Heng and Javier Lopez",

booktitle = "Information Security Practice and Experience - 15th International Conference, ISPEC 2019, Proceedings",

}

TY - GEN

T1 - KMO

T2 - 15th International Conference on Information Security Practice and Experience, ISPEC 2019

AU - Kuzuno, Hiroki

AU - Yamauchi, Toshihiro

N1 - Funding Information: This work was partially supported by JSPS KAKENHI Grant Funding Information: This work was partially supported by JSPS KAKENHI Grant Number JP19H04109. Publisher Copyright: © Springer Nature Switzerland AG, 2019.

PY - 2019

Y1 - 2019

N2 - Kernel vulnerability attacks may allow attackers to execute arbitrary program code and achieve privilege escalation through credential overwriting, thereby avoiding security features. Major Linux protection methods include Kernel Address Space Layout Randomization, Control Flow Integrity, and Kernel Page Table Isolation. All of these mitigate kernel vulnerability affects and actual attacks. In addition, the No eXecute bit, Supervisor Mode Access Prevention, and Supervisor Mode Execution Prevention are CPU features for managing access permission and data execution in virtual memory. Although combinations of these methods can reduce the attack availability of kernel vulnerability based on the interaction between the user and kernel modes, kernel virtual memory corruption is still possible (e.g., the eBPF vulnerability executes the attack code only in the kernel mode). To monitor kernel virtual memory, we present the Kernel Memory Observer (KMO), which has a secret inspection mechanism and offers an alternative design for virtual memory. It allows the detection of illegal data manipulation/writing in the kernel virtual memory. KMO identifies the kernel virtual memory corruption, monitors system call arguments, and enables unmapping from the direct mapping area. An evaluation of our method indicates that it can detect the actual kernel vulnerabilities leading to kernel virtual memory corruption. In addition, the results show that the overhead is 0.038 $$\upmu $$ s to 2.505 $$\upmu $$ s in terms of system call latency, and the application benchmark is 371.0 $$\upmu $$ s to 1,990.0 $$\upmu $$ s for 100,000 HTTP accesses.

AB - Kernel vulnerability attacks may allow attackers to execute arbitrary program code and achieve privilege escalation through credential overwriting, thereby avoiding security features. Major Linux protection methods include Kernel Address Space Layout Randomization, Control Flow Integrity, and Kernel Page Table Isolation. All of these mitigate kernel vulnerability affects and actual attacks. In addition, the No eXecute bit, Supervisor Mode Access Prevention, and Supervisor Mode Execution Prevention are CPU features for managing access permission and data execution in virtual memory. Although combinations of these methods can reduce the attack availability of kernel vulnerability based on the interaction between the user and kernel modes, kernel virtual memory corruption is still possible (e.g., the eBPF vulnerability executes the attack code only in the kernel mode). To monitor kernel virtual memory, we present the Kernel Memory Observer (KMO), which has a secret inspection mechanism and offers an alternative design for virtual memory. It allows the detection of illegal data manipulation/writing in the kernel virtual memory. KMO identifies the kernel virtual memory corruption, monitors system call arguments, and enables unmapping from the direct mapping area. An evaluation of our method indicates that it can detect the actual kernel vulnerabilities leading to kernel virtual memory corruption. In addition, the results show that the overhead is 0.038 $$\upmu $$ s to 2.505 $$\upmu $$ s in terms of system call latency, and the application benchmark is 371.0 $$\upmu $$ s to 1,990.0 $$\upmu $$ s for 100,000 HTTP accesses.

UR - http://www.scopus.com/inward/record.url?scp=85076711600&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85076711600&partnerID=8YFLogxK

U2 - 10.1007/978-3-030-34339-2_5

DO - 10.1007/978-3-030-34339-2_5

M3 - Conference contribution

AN - SCOPUS:85076711600

SN - 9783030343385

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 75

EP - 94

BT - Information Security Practice and Experience - 15th International Conference, ISPEC 2019, Proceedings

A2 - Heng, Swee-Huay

A2 - Lopez, Javier

PB - Springer

Y2 - 26 November 2019 through 28 November 2019

ER -