Papers

Peer-reviewed Last author Corresponding author Open access
Aug, 2021

Mitigation of Kernel Memory Corruption Using Multiple Kernel Memory Mechanism.

IEEE Access
  • Hiroki Kuzuno
  • ,
  • Toshihiro Yamauchi

Volume
9
Number
First page
111651
Last page
111665
Language
English
Publishing type
Research paper (scientific journal)
DOI
10.1109/ACCESS.2021.3101452
Publisher
Institute of Electrical and Electronics Engineers ({IEEE})

Operating systems adopt kernel protection methods (e.g., mandatory access control, kernel address space layout randomization, control flow integrity, and kernel page table isolation) as essential countermeasures to reduce the likelihood of kernel vulnerability attacks. However, kernel memory corruption can still occur via the execution of malicious kernel code at the kernel layer. This is because the vulnerable kernel code and the attack target kernel code or kernel data are located in the same kernel address space. To gain complete control of a host, adversaries focus on kernel code invocations, such as function pointers that rely on the starting points of the kernel protection methods. To mitigate such subversion attacks, this paper presents multiple kernel memory (MKM), which employs an alternative design for kernel address space separation. The MKM mechanism focuses on the isolation granularity of the kernel address space during each execution of the kernel code. MKM provides two kernel address spaces, namely, i) the trampoline kernel address space, which acts as the gateway feature between user and kernel modes and ii) the security kernel address space, which utilizes the localization of the kernel protection methods (i.e., kernel observation). Additionally, MKM achieves the encapsulation of the vulnerable kernel code to prevent access to the kernel code invocations of the separated kernel address space. The evaluation results demonstrated that MKM can protect the kernel code and kernel data from a proof-of-concept kernel vulnerability that could lead to kernel memory corruption. In addition, the performance results of MKM indicate that the system call overhead latency ranges from 0.020 μs to 0.5445 μs , while the web application benchmark ranges from 196.27 μs to 6, 685.73 μs for each download access of 100,000 Hypertext Transfer Protocol sessions. MKM attained a 97.65% system benchmark score and a 99.76% kernel compilation time.

Link information
DOI
https://doi.org/10.1109/ACCESS.2021.3101452
DBLP
https://dblp.uni-trier.de/rec/journals/access/KuzunoY21
Web of Science
https://gateway.webofknowledge.com/gateway/Gateway.cgi?GWVersion=2&SrcAuth=JSTA_CEL&SrcApp=J_Gate_JST&DestLinkType=FullRecord&KeyUT=WOS:000684671700001&DestApp=WOS_CPL
URL
https://dblp.uni-trier.de/db/journals/access/access9.html#KuzunoY21
Scopus
https://www.scopus.com/inward/record.uri?partnerID=HzOxMe3b&scp=85111588137&origin=inward Open access
Scopus Citedby
https://www.scopus.com/inward/citedby.uri?partnerID=HzOxMe3b&scp=85111588137&origin=inward
ID information
  • DOI : 10.1109/ACCESS.2021.3101452
  • ISSN : 2169-3536
  • eISSN : 2169-3536
  • DBLP ID : journals/access/KuzunoY21
  • ORCID - Put Code : 102809452
  • SCOPUS ID : 85111588137
  • Web of Science ID : WOS:000684671700001

Export
BibTeX RIS