A policy‐centric approach to protecting OS kernel from vulnerable LKMs. (8th March 2018)
- Record Type:
- Journal Article
- Title:
- A policy‐centric approach to protecting OS kernel from vulnerable LKMs. (8th March 2018)
- Main Title:
- A policy‐centric approach to protecting OS kernel from vulnerable LKMs
- Authors:
- Tian, Donghai
Xiong, Xi
Hu, Changzhen
Liu, Peng - Abstract:
- Summary: Loadable kernel modules (LKMs) that contain vulnerabilities are a big threat to modern operating systems (OSs). The primary reason is that there is no protection mechanism inside the kernel space when the LKM is executed. As a result, kernel module exploitation can seriously affect the OS kernel security. Although many protection systems have been developed to address this problem in the past few years, there still remain some challenges: (1) How to automatically generate a security policy before the kernel module is enforced? (2) How to properly mediate the interactions between the kernel module and the OS kernel without modifications on the existing OS, hardware, and kernel module structure? To address these challenges, we present LKM guard (LKMG), a policy‐centric system that can protect commodity OS kernel from vulnerable LKMs. Compared with previous systems, LKMG is able to generate a security policy from a kernel module and then enforce the policy during the run time. Generally, the working process of LKMG can be divided into 2 stages. First, we utilize static analysis to extract the kernel code and data access patterns from a kernel module's source code and then combine these patterns with the related memory address information to generate a security policy. Second, by leveraging the hardware‐assisted virtualization technology, LKMG isolates the kernel module from the rest of the kernel and then enforces the kernel module's execution to obey the derivedSummary: Loadable kernel modules (LKMs) that contain vulnerabilities are a big threat to modern operating systems (OSs). The primary reason is that there is no protection mechanism inside the kernel space when the LKM is executed. As a result, kernel module exploitation can seriously affect the OS kernel security. Although many protection systems have been developed to address this problem in the past few years, there still remain some challenges: (1) How to automatically generate a security policy before the kernel module is enforced? (2) How to properly mediate the interactions between the kernel module and the OS kernel without modifications on the existing OS, hardware, and kernel module structure? To address these challenges, we present LKM guard (LKMG), a policy‐centric system that can protect commodity OS kernel from vulnerable LKMs. Compared with previous systems, LKMG is able to generate a security policy from a kernel module and then enforce the policy during the run time. Generally, the working process of LKMG can be divided into 2 stages. First, we utilize static analysis to extract the kernel code and data access patterns from a kernel module's source code and then combine these patterns with the related memory address information to generate a security policy. Second, by leveraging the hardware‐assisted virtualization technology, LKMG isolates the kernel module from the rest of the kernel and then enforces the kernel module's execution to obey the derived policy. The experiments show that our system can defend against various attacks launched by the compromised kernel module effectively with moderate performance cost. … (more)
- Is Part Of:
- Software, practice & experience. Volume 48:Number 6(2018)
- Journal:
- Software, practice & experience
- Issue:
- Volume 48:Number 6(2018)
- Issue Display:
- Volume 48, Issue 6 (2018)
- Year:
- 2018
- Volume:
- 48
- Issue:
- 6
- Issue Sort Value:
- 2018-0048-0006-0000
- Page Start:
- 1269
- Page End:
- 1284
- Publication Date:
- 2018-03-08
- Subjects:
- OS kernel protection -- static analysis -- virtualization
Computer software -- Periodicals
Computer programming -- Periodicals
Computer programs -- Periodicals
005.3 - Journal URLs:
- http://onlinelibrary.wiley.com/ ↗
- DOI:
- 10.1002/spe.2576 ↗
- Languages:
- English
- ISSNs:
- 0038-0644
- Deposit Type:
- Legaldeposit
- View Content:
- Available online (eLD content is only available in our Reading Rooms) ↗
- Physical Locations:
- British Library DSC - 8321.453000
British Library DSC - BLDSS-3PM
British Library STI - ELD Digital store - Ingest File:
- 6673.xml