Enforcing kernel constraints by hardware-assisted virtualization

This article deals with kernel security protection. We propose a characterization of malicious kernel-targeted actions, based on the way they act to corrupt the kernel. We then discuss security measures able to counter such attacks. Finally, we present our approach, based on hardware-assisted virtualization, which is partially implemented in our demonstrator Hytux. Hytux is inspired by bluepill (Rutkowska, Subverting Vista Kernel for Fun and Profit, Black Hat, Las Vegas, 2006), a malware that installs itself as a lightweight hypervisor on a CPU that supports hardware virtualization and puts a running Microsoft Windows operating system into a virtual machine. In contrast with bluepill, however, Hytux is a lightweight hypervisor that implements protection mechanisms in a mode more privileged than the Linux kernel.
