MKM: Multiple Kernel Memory for Protecting Page Table Switching Mechanism Against Memory Corruption

Countermeasures against kernel vulnerability attacks on an operating system (OS) are highly important kernel features. Some kernels adopt several kernel protection methods, such as mandatory access control, kernel address space layout randomization, control flow integrity, and kernel page table isolation; however, kernel vulnerabilities can still be exploited to execute attack code and corrupt kernel memory. To accomplish this, adversaries subvert the kernel protection methods and invoke kernel code to bypass administrator privilege restrictions and gain complete control of the target host. To prevent such subversion, we present Multiple Kernel Memory (MKM), a novel security mechanism based on an alternative design for kernel memory separation, developed to reduce the kernel attack surface and mitigate the effects of illegal data manipulation in kernel memory. MKM isolates kernel memory and dedicates the trampoline page table as the gateway for page table switching and the security page table to the kernel protection methods. MKM encloses the vulnerable kernel code in the kernel page table. The MKM mechanism achieves complete separation of the kernel code execution range of the virtual address space on each page table, ensuring that vulnerable kernel code cannot interact with other page tables. Thus, the page table switching of the trampoline page table and the kernel protection methods of the security page table are protected from vulnerable kernel code in other page tables. An evaluation of MKM indicates that it protects the kernel code and data on the trampoline and security page tables from actual kernel vulnerabilities that lead to kernel memory corruption.
In addition, the performance results show that the overhead is 0.020 \(\mu\)s to 0.5445 \(\mu\)s in system call latency, and the average application overhead is 196.27 \(\mu\)s to 6,685.73 \(\mu\)s per download access across 100,000 Hypertext Transfer Protocol (HTTP) sessions.
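The separation property described above, as an added illustrative model that is not the paper's implementation: three page tables (trampoline, security, kernel) each map only their own code and data ranges (constructed addresses), a write from code on one table can reach only what that table maps, and every switch must pass through the trampoline gateway. The monolithic baseline maps everything in one table, so the same corrupting write succeeds there.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of MKM's three page tables (added illustration only). */
enum pt_id { PT_TRAMPOLINE, PT_SECURITY, PT_KERNEL, PT_COUNT };

struct range { uint64_t start, end; };   /* [start, end), constructed addresses */

struct page_table {
    const char *name;
    struct range code;      /* executable range of this table */
    struct range writable;  /* data that code on this table may modify */
};

static const struct page_table mkm[PT_COUNT] = {
    { "trampoline", {0xffff800000000000ULL, 0xffff800000001000ULL},
                    {0xffff800000001000ULL, 0xffff800000002000ULL} },
    { "security",   {0xffff800000100000ULL, 0xffff800000110000ULL},
                    {0xffff800000110000ULL, 0xffff800000120000ULL} },
    { "kernel",     {0xffff800001000000ULL, 0xffff800002000000ULL},
                    {0xffff800002000000ULL, 0xffff800003000000ULL} },
};

static bool in_range(struct range r, uint64_t addr) { return addr >= r.start && addr < r.end; }

/* A write issued by code running on page table `pt` succeeds only if `addr`
 * is mapped writable in that same table; other tables' memory is simply absent. */
bool mkm_write(enum pt_id pt, uint64_t addr) { return in_range(mkm[pt].writable, addr); }

/* Baseline: a single page table that maps every region, as in a monolithic kernel. */
bool monolithic_write(uint64_t addr) {
    for (int i = 0; i < PT_COUNT; i++)
        if (in_range(mkm[i].writable, addr)) return true;
    return false;
}

/* Page table switches are only legal through the trampoline gateway. */
bool mkm_switch_allowed(enum pt_id from, enum pt_id to) {
    return from != to && (from == PT_TRAMPOLINE || to == PT_TRAMPOLINE);
}

int main(void) {
    uint64_t gate_state = 0xffff800000001008ULL;   /* trampoline's switching data */
    printf("kernel PT write to trampoline data, MKM:        %d\n", mkm_write(PT_KERNEL, gate_state));
    printf("kernel PT write to trampoline data, monolithic: %d\n", monolithic_write(gate_state));
    printf("direct kernel->security switch allowed:         %d\n", mkm_switch_allowed(PT_KERNEL, PT_SECURITY));
    return 0;
}
```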
