TY - GEN
T1 - MKM
T2 - 15th International Workshop on Security, IWSEC 2020
AU - Kuzuno, Hiroki
AU - Yamauchi, Toshihiro
N1 - Funding Information:
This work was partially supported by JSPS KAKENHI Grant Number JP19H04109.
Publisher Copyright:
© Springer Nature Switzerland AG 2020.
PY - 2020
Y1 - 2020
N2 - Countermeasures against kernel vulnerability attacks on an operating system (OS) are highly important kernel features. Some kernels adopt several kernel protection methods, such as mandatory access control, kernel address space layout randomization, control flow integrity, and kernel page table isolation; however, kernel vulnerabilities can still be exploited to execute attack code and corrupt kernel memory. To achieve this, adversaries subvert the kernel protection methods and invoke kernel code to bypass administrator privilege restrictions and gain complete control of the target host. To prevent such subversion, we present Multiple Kernel Memory (MKM), a novel security mechanism based on an alternative design for kernel memory separation, developed to reduce the kernel attack surface and mitigate the effects of illegal data manipulation in kernel memory. MKM isolates kernel memory across several page tables: it dedicates the trampoline page table as the gateway for page table switching and the security page table to the kernel protection methods, and encloses the vulnerable kernel code in the kernel page table. The MKM mechanism achieves complete separation of the kernel code execution range of the virtual address space on each page table, ensuring that vulnerable kernel code does not interact with the other page tables. Thus, the page table switching of the trampoline page table and the kernel protection methods of the security page table are protected from vulnerable kernel code in other page tables. An evaluation of MKM indicates that it protects the kernel code and data on the trampoline and security page tables from actual kernel vulnerabilities that lead to kernel memory corruption.
In addition, the performance results show that the overhead is 0.020 µs to 0.5445 µs in terms of system call latency, and the average application overhead is 196.27 µs to 6,685.73 µs for each download access in 100,000 Hypertext Transfer Protocol sessions.
UR - http://www.scopus.com/inward/record.url?scp=85091107688&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85091107688&partnerID=8YFLogxK
U2 - 10.1007/978-3-030-58208-1_6
DO - 10.1007/978-3-030-58208-1_6
M3 - Conference contribution
AN - SCOPUS:85091107688
SN - 9783030582074
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 97
EP - 116
BT - Advances in Information and Computer Security - 15th International Workshop on Security, IWSEC 2020, Proceedings
A2 - Aoki, Kazumaro
A2 - Kanaoka, Akira
PB - Springer Science and Business Media Deutschland GmbH
Y2 - 2 September 2020 through 4 September 2020
ER -
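The page-table separation the abstract describes, as an added user-space illustration that is not the paper's code: three simulated page tables (trampoline, security, kernel) map disjoint sets of pages, the only route for changing the active table is the trampoline gateway, and a corrupting write issued while the kernel page table is active can only reach pages that table maps. The page layout, the allow-list of switch targets kept in the trampoline's private data page, the constructed corruption primitive, and every function name are assumptions of this model; the real MKM operates on hardware page tables inside the OS kernel.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define NPAGES    8     /* pages in the simulated virtual address space */
#define PAGE_SIZE 64

enum pt_id { PT_TRAMPOLINE = 0, PT_SECURITY = 1, PT_KERNEL = 2, PT_COUNT = 3 };

#define PTE_P 1u  /* present    */
#define PTE_W 2u  /* writable   */
#define PTE_X 4u  /* executable */

/* Assumed page roles (virtual page numbers) for this illustration only. */
enum { VP_TRAMP_CODE = 0, VP_TRAMP_DATA = 1, VP_SEC_CODE = 2, VP_SEC_DATA = 3,
       VP_KERN_CODE = 4, VP_KERN_DATA = 5, VP_KERN_HEAP = 6 };

struct page_table { uint8_t pte[NPAGES]; };

static uint8_t phys[NPAGES][PAGE_SIZE];   /* simulated physical frames */
static struct page_table tables[PT_COUNT];
static enum pt_id active;                 /* the model's "CR3" */

static void map(enum pt_id t, int vp, uint8_t perm) { tables[t].pte[vp] = PTE_P | perm; }

enum pt_id active_table(void) { return active; }

/* Accesses go through the active page table: a page that is absent or not
 * writable there faults (returns false), as the MMU would refuse it. */
bool mem_read(int vp, size_t off, void *dst, size_t n) {
    if (vp < 0 || vp >= NPAGES || off + n > PAGE_SIZE) return false;
    if (!(tables[active].pte[vp] & PTE_P)) return false;
    memcpy(dst, phys[vp] + off, n);
    return true;
}

bool mem_write(int vp, size_t off, const void *src, size_t n) {
    if (vp < 0 || vp >= NPAGES || off + n > PAGE_SIZE) return false;
    uint8_t pte = tables[active].pte[vp];
    if (!(pte & PTE_P) || !(pte & PTE_W)) return false;
    memcpy(phys[vp] + off, src, n);
    return true;
}

void mkm_init(void) {
    memset(tables, 0, sizeof tables);
    memset(phys, 0, sizeof phys);
    /* Trampoline page table: gateway code plus its private switch data. */
    map(PT_TRAMPOLINE, VP_TRAMP_CODE, PTE_X);
    map(PT_TRAMPOLINE, VP_TRAMP_DATA, PTE_W);
    /* Security page table: the protection method's own code and data. */
    map(PT_SECURITY, VP_TRAMP_CODE, PTE_X);
    map(PT_SECURITY, VP_SEC_CODE, PTE_X);
    map(PT_SECURITY, VP_SEC_DATA, PTE_W);
    /* Kernel page table: the vulnerable kernel; the security data page and
     * the trampoline data page are simply not present here. */
    map(PT_KERNEL, VP_TRAMP_CODE, PTE_X);
    map(PT_KERNEL, VP_KERN_CODE, PTE_X);
    map(PT_KERNEL, VP_KERN_DATA, PTE_W);
    map(PT_KERNEL, VP_KERN_HEAP, PTE_W);
    /* Only the trampoline can write its allow-list of switch targets. */
    active = PT_TRAMPOLINE;
    uint8_t allowed = (1u << PT_SECURITY) | (1u << PT_KERNEL);
    mem_write(VP_TRAMP_DATA, 0, &allowed, 1);
    /* Seed the security table's data with a recognisable value. */
    active = PT_SECURITY;
    mem_write(VP_SEC_DATA, 0, "policy:deny", 12);
    active = PT_KERNEL;
}

/* Gateway: every table maps the trampoline entry page execute-only, so the
 * gate can be entered from anywhere; only PT_TRAMPOLINE maps VP_TRAMP_DATA,
 * so the allow-list consulted here is out of reach of kernel code. */
bool trampoline_switch(enum pt_id target) {
    if (!(tables[active].pte[VP_TRAMP_CODE] & PTE_X)) return false;
    enum pt_id prev = active;
    active = PT_TRAMPOLINE;
    uint8_t allowed = 0;
    mem_read(VP_TRAMP_DATA, 0, &allowed, 1);
    if ((unsigned)target >= PT_COUNT || !(allowed & (1u << target))) {
        active = prev;
        return false;
    }
    active = target;
    return true;
}

/* Constructed memory-corruption primitive: arbitrary writes performed while
 * the vulnerable kernel's page table is active. Returns how many of the
 * three targets were actually modified. */
int simulate_kernel_corruption(void) {
    active = PT_KERNEL;
    int reached = 0;
    uint8_t all = 0xff;
    if (mem_write(VP_KERN_HEAP, 0, "pwned", 6)) reached++;  /* own heap: succeeds */
    if (mem_write(VP_SEC_DATA, 0, "pwned", 6)) reached++;   /* security data: not mapped */
    if (mem_write(VP_TRAMP_DATA, 0, &all, 1)) reached++;    /* allow-list: not mapped */
    return reached;
}

/* Omniscient check on the backing frame, bypassing every page table. */
bool security_data_intact(void) {
    return memcmp(phys[VP_SEC_DATA], "policy:deny", 12) == 0;
}
```

The model captures the property the abstract claims rather than any implementation detail: the corrupting write reaches only the kernel table's own heap (one of three targets), the security table's data and the trampoline's switch data survive untouched, and a switch into the security table still works because the gateway page is mapped in every table while its data page is mapped in only one.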