The Linux kernel is a monolithic kernel, and the boundaries among the objects in the kernel are not particularly clear. Once a malicious module is loaded into the kernel, it can access almost the entire kernel. This breaks the principle of least privilege. To overcome this, in this paper we propose LeMo, a novel architecture that holds modules to least privilege in the kernel. In LeMo, modules are restricted to accessing only the necessary kernel objects. To this end, before a module is loaded into the kernel, the patched kernel builds a new page table for the module. With page-based access control, the patched kernel is capable of preventing malicious modules from arbitrarily accessing the kernel. We have implemented a prototype of LeMo, which provides tools that load or unload the module. Our evaluation shows that LeMo is able to defeat malicious modules with an acceptable performance overhead.