KPRM: Kernel Page Restriction Mechanism to Prevent Kernel Memory Corruption

Hiroki Kuzuno; Toshihiro Yamauchi

doi:10.1007/978-3-030-85987-9_3

KPRM: Kernel Page Restriction Mechanism to Prevent Kernel Memory Corruption

Hiroki Kuzuno, Toshihiro Yamauchi

School of Engineering

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

1 Citation (Scopus)

Abstract

An operating system (OS) comprises a mechanism for sharing the kernel address space with each user process. An adversary’s user process compromises the OS kernel through memory corruption, exploiting the kernel vulnerability. It overwrites the kernel code related to security features or the kernel data containing privilege information. Process-local memory and system call isolation divide one kernel address space into multiple kernel address spaces. While user processes create their own kernel address space, these methods leave the kernel code vulnerable. Further, an adversary’s user process can involve malicious code that elevates from user mode to kernel mode. Herein, we propose the kernel page restriction mechanism (KPRM), which is a novel security design that prohibits vulnerable kernel code execution and prevents writing to the kernel data from an adversary’s user process. The KPRM dynamically unmaps the kernel page of vulnerable kernel code and attack target kernel data from the kernel address space. This removes the reference of the unmapped kernel page from the kernel page table at the system call invocation. The KPRM achieves that an adversary’s user process can not employ the reference of unmapped kernel page to exploit the kernel through vulnerable kernel code on the running kernel. We implemented KPRM on the latest Linux kernel and showed that it successfully thwarts actual proof-of-concept kernel vulnerability attacks that may cause kernel memory corruption. In addition, the KPRM performance results indicated limited kernel processing overhead in software benchmarks and a low impact on user applications.

Original language	English
Title of host publication	Advances in Information and Computer Security - 16th International Workshop on Security, IWSEC 2021, Proceedings
Editors	Toru Nakanishi, Ryo Nojima
Publisher	Springer Science and Business Media Deutschland GmbH
Pages	45-63
Number of pages	19
ISBN (Print)	9783030859862
DOIs	https://doi.org/10.1007/978-3-030-85987-9_3
Publication status	Published - 2021
Event	16th International Workshop on Security, IWSEC 2021 - Virtual, Online Duration: Sept 8 2021 → Sept 10 2021

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	12835 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	16th International Workshop on Security, IWSEC 2021
City	Virtual, Online
Period	9/8/21 → 9/10/21

ASJC Scopus subject areas

Theoretical Computer Science
Computer Science(all)

Access to Document

10.1007/978-3-030-85987-9_3

Cite this

Kuzuno, H., & Yamauchi, T. (2021). KPRM: Kernel Page Restriction Mechanism to Prevent Kernel Memory Corruption. In T. Nakanishi, & R. Nojima (Eds.), Advances in Information and Computer Security - 16th International Workshop on Security, IWSEC 2021, Proceedings (pp. 45-63). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 12835 LNCS). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-030-85987-9_3

KPRM: Kernel Page Restriction Mechanism to Prevent Kernel Memory Corruption. / Kuzuno, Hiroki; Yamauchi, Toshihiro.
Advances in Information and Computer Security - 16th International Workshop on Security, IWSEC 2021, Proceedings. ed. / Toru Nakanishi; Ryo Nojima. Springer Science and Business Media Deutschland GmbH, 2021. p. 45-63 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 12835 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Kuzuno, H & Yamauchi, T 2021, KPRM: Kernel Page Restriction Mechanism to Prevent Kernel Memory Corruption. in T Nakanishi & R Nojima (eds), Advances in Information and Computer Security - 16th International Workshop on Security, IWSEC 2021, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 12835 LNCS, Springer Science and Business Media Deutschland GmbH, pp. 45-63, 16th International Workshop on Security, IWSEC 2021, Virtual, Online, 9/8/21. https://doi.org/10.1007/978-3-030-85987-9_3

Kuzuno H, Yamauchi T. KPRM: Kernel Page Restriction Mechanism to Prevent Kernel Memory Corruption. In Nakanishi T, Nojima R, editors, Advances in Information and Computer Security - 16th International Workshop on Security, IWSEC 2021, Proceedings. Springer Science and Business Media Deutschland GmbH. 2021. p. 45-63. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-030-85987-9_3

Kuzuno, Hiroki ; Yamauchi, Toshihiro. / KPRM : Kernel Page Restriction Mechanism to Prevent Kernel Memory Corruption. Advances in Information and Computer Security - 16th International Workshop on Security, IWSEC 2021, Proceedings. editor / Toru Nakanishi ; Ryo Nojima. Springer Science and Business Media Deutschland GmbH, 2021. pp. 45-63 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{73ba6f6303ea4200b76da41159e750ff,

title = "KPRM: Kernel Page Restriction Mechanism to Prevent Kernel Memory Corruption",

abstract = "An operating system (OS) comprises a mechanism for sharing the kernel address space with each user process. An adversary{\textquoteright}s user process compromises the OS kernel through memory corruption, exploiting the kernel vulnerability. It overwrites the kernel code related to security features or the kernel data containing privilege information. Process-local memory and system call isolation divide one kernel address space into multiple kernel address spaces. While user processes create their own kernel address space, these methods leave the kernel code vulnerable. Further, an adversary{\textquoteright}s user process can involve malicious code that elevates from user mode to kernel mode. Herein, we propose the kernel page restriction mechanism (KPRM), which is a novel security design that prohibits vulnerable kernel code execution and prevents writing to the kernel data from an adversary{\textquoteright}s user process. The KPRM dynamically unmaps the kernel page of vulnerable kernel code and attack target kernel data from the kernel address space. This removes the reference of the unmapped kernel page from the kernel page table at the system call invocation. The KPRM achieves that an adversary{\textquoteright}s user process can not employ the reference of unmapped kernel page to exploit the kernel through vulnerable kernel code on the running kernel. We implemented KPRM on the latest Linux kernel and showed that it successfully thwarts actual proof-of-concept kernel vulnerability attacks that may cause kernel memory corruption. In addition, the KPRM performance results indicated limited kernel processing overhead in software benchmarks and a low impact on user applications.",

author = "Hiroki Kuzuno and Toshihiro Yamauchi",

note = "Funding Information: Acknowledgment. This work was partially supported by Japan Society for the Promotion of Science (JSPS) KAKENHI Grant Number JP19H04109. Publisher Copyright: {\textcopyright} 2021, Springer Nature Switzerland AG.; 16th International Workshop on Security, IWSEC 2021 ; Conference date: 08-09-2021 Through 10-09-2021",

year = "2021",

doi = "10.1007/978-3-030-85987-9_3",

language = "English",

isbn = "9783030859862",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "45--63",

editor = "Toru Nakanishi and Ryo Nojima",

booktitle = "Advances in Information and Computer Security - 16th International Workshop on Security, IWSEC 2021, Proceedings",

address = "Germany",

}

TY - GEN

T1 - KPRM

T2 - 16th International Workshop on Security, IWSEC 2021

AU - Kuzuno, Hiroki

AU - Yamauchi, Toshihiro

N1 - Funding Information: Acknowledgment. This work was partially supported by Japan Society for the Promotion of Science (JSPS) KAKENHI Grant Number JP19H04109. Publisher Copyright: © 2021, Springer Nature Switzerland AG.

PY - 2021

Y1 - 2021

N2 - An operating system (OS) comprises a mechanism for sharing the kernel address space with each user process. An adversary’s user process compromises the OS kernel through memory corruption, exploiting the kernel vulnerability. It overwrites the kernel code related to security features or the kernel data containing privilege information. Process-local memory and system call isolation divide one kernel address space into multiple kernel address spaces. While user processes create their own kernel address space, these methods leave the kernel code vulnerable. Further, an adversary’s user process can involve malicious code that elevates from user mode to kernel mode. Herein, we propose the kernel page restriction mechanism (KPRM), which is a novel security design that prohibits vulnerable kernel code execution and prevents writing to the kernel data from an adversary’s user process. The KPRM dynamically unmaps the kernel page of vulnerable kernel code and attack target kernel data from the kernel address space. This removes the reference of the unmapped kernel page from the kernel page table at the system call invocation. The KPRM achieves that an adversary’s user process can not employ the reference of unmapped kernel page to exploit the kernel through vulnerable kernel code on the running kernel. We implemented KPRM on the latest Linux kernel and showed that it successfully thwarts actual proof-of-concept kernel vulnerability attacks that may cause kernel memory corruption. In addition, the KPRM performance results indicated limited kernel processing overhead in software benchmarks and a low impact on user applications.

AB - An operating system (OS) comprises a mechanism for sharing the kernel address space with each user process. An adversary’s user process compromises the OS kernel through memory corruption, exploiting the kernel vulnerability. It overwrites the kernel code related to security features or the kernel data containing privilege information. Process-local memory and system call isolation divide one kernel address space into multiple kernel address spaces. While user processes create their own kernel address space, these methods leave the kernel code vulnerable. Further, an adversary’s user process can involve malicious code that elevates from user mode to kernel mode. Herein, we propose the kernel page restriction mechanism (KPRM), which is a novel security design that prohibits vulnerable kernel code execution and prevents writing to the kernel data from an adversary’s user process. The KPRM dynamically unmaps the kernel page of vulnerable kernel code and attack target kernel data from the kernel address space. This removes the reference of the unmapped kernel page from the kernel page table at the system call invocation. The KPRM achieves that an adversary’s user process can not employ the reference of unmapped kernel page to exploit the kernel through vulnerable kernel code on the running kernel. We implemented KPRM on the latest Linux kernel and showed that it successfully thwarts actual proof-of-concept kernel vulnerability attacks that may cause kernel memory corruption. In addition, the KPRM performance results indicated limited kernel processing overhead in software benchmarks and a low impact on user applications.

UR - http://www.scopus.com/inward/record.url?scp=85115221834&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85115221834&partnerID=8YFLogxK

U2 - 10.1007/978-3-030-85987-9_3

DO - 10.1007/978-3-030-85987-9_3

M3 - Conference contribution

AN - SCOPUS:85115221834

SN - 9783030859862

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 45

EP - 63

BT - Advances in Information and Computer Security - 16th International Workshop on Security, IWSEC 2021, Proceedings

A2 - Nakanishi, Toru

A2 - Nojima, Ryo

PB - Springer Science and Business Media Deutschland GmbH

Y2 - 8 September 2021 through 10 September 2021

ER -

KPRM: Kernel Page Restriction Mechanism to Prevent Kernel Memory Corruption

Abstract

Publication series

Conference

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this