Sep, 2021
KPRM: Kernel Page Restriction Mechanism to Prevent Kernel Memory Corruption
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
- Volume : 12835 LNCS
- Number
- First page : 45
- Last page : 63
- Language : English
- Publishing type : Research paper (international conference proceedings)
- DOI : 10.1007/978-3-030-85987-9_3
- Publisher : Springer International Publishing
An operating system (OS) comprises a mechanism for sharing the kernel address space with each user process. An adversary’s user process compromises the OS kernel through memory corruption by exploiting a kernel vulnerability. It overwrites the kernel code related to security features or the kernel data containing privilege information. Process-local memory and system call isolation divide one kernel address space into multiple kernel address spaces. While user processes create their own kernel address space, these methods leave the kernel code vulnerable. Further, an adversary’s user process can involve malicious code that elevates from user mode to kernel mode. Herein, we propose the kernel page restriction mechanism (KPRM), which is a novel security design that prohibits vulnerable kernel code execution and prevents writing to the kernel data from an adversary’s user process. The KPRM dynamically unmaps the kernel pages of vulnerable kernel code and attack-target kernel data from the kernel address space. This removes the reference to the unmapped kernel page from the kernel page table at system call invocation. As a result, an adversary’s user process cannot use the reference to an unmapped kernel page to exploit the kernel through vulnerable kernel code on the running kernel. We implemented KPRM on the latest Linux kernel and showed that it successfully thwarts actual proof-of-concept kernel vulnerability attacks that may cause kernel memory corruption. In addition, the KPRM performance results indicated limited kernel processing overhead in software benchmarks and a low impact on user applications.
- Link information
- DOI : https://doi.org/10.1007/978-3-030-85987-9_3
- DBLP : https://dblp.uni-trier.de/rec/conf/iwsec/KuzunoY21
- Web of Science : https://gateway.webofknowledge.com/gateway/Gateway.cgi?GWVersion=2&SrcAuth=JSTA_CEL&SrcApp=J_Gate_JST&DestLinkType=FullRecord&KeyUT=WOS:000708084400003&DestApp=WOS_CPL
- URL : https://dblp.uni-trier.de/conf/iwsec/2021
- URL : https://dblp.uni-trier.de/db/conf/iwsec/iwsec2021.html#KuzunoY21
- Scopus : https://www.scopus.com/inward/record.uri?partnerID=HzOxMe3b&scp=85115221834&origin=inward
- Scopus Citedby : https://www.scopus.com/inward/citedby.uri?partnerID=HzOxMe3b&scp=85115221834&origin=inward
- ID information
- DOI : 10.1007/978-3-030-85987-9_3
- ISSN : 0302-9743
- eISSN : 1611-3349
- ISBN : 9783030859862
- ISBN : 9783030859879
- DBLP ID : conf/iwsec/KuzunoY21
- ORCID - Put Code : 99020995
- SCOPUS ID : 85115221834
- Web of Science ID : WOS:000708084400003