Yutian Yang,Jinjiang Tu,Wenbo Shen,Songbo Zhu,Rui Chang,Yajin Zhou

DOI: https://doi.org/10.1109/tdsc.2023.3334268

2024-01-01

Abstract:Nowadays, code reuse attacks impose a substantial threat to the security of operating system kernels. Control-flow graph-based CFI techniques, while effective, bring considerable performance overhead, thus limiting their practical adoption in real-world products. As an alternative approach, recent research suggests safeguarding the integrity of sensitive pointers as a countermeasure against manipulation attempts. Unfortunately, existing pointer integrity protection schemes only protect sensitive pointers partially and ignore assembly code, leaving protection gaps. To fill up these protection gaps, we propose a novel security concept named full life-cycle integrity , which enforces the integrity of a sensitive pointer at every step on its value flow chain. To realize full life-cycle integrity, we propose three novel techniques, including assembly-aware sensitivity for analyzing assembly code, Merkle PAC tree for protecting interrupt context securely and efficiently, and pointer-grained authentication for defeating spatial substitution attacks. We have developed a practical implementation of comprehensive life-cycle integrity for the Linux kernel, called ”kernel Code Pointer Authentication” (kCPA), which leverages the ARM Pointer Authentication (PAuth) mechanism. This implementation has been extended to the Apple M1 architecture for real-world evaluation on PAuth hardware. Our assessment demonstrates that kCPA effectively mitigates a range of real-world attacks while incurring a minimal 2.5% performance overhead for the Phoronix Test Suite and nearly negligible performance impact for SPEC2017 benchmarks.

Donghai Tian,Qiang Zeng,Dinghao Wu,Peng Liu,Changzhen Hu

DOI: https://doi.org/10.1109/tcc.2020.2970183

IF: 5.697

2020-01-01

IEEE Transactions on Cloud Computing

Abstract:Kernel heap buffer overflow vulnerabilities have been exposed for decades, but there are few practical countermeasures that can be applied to OS kernels. Previous solutions either suffer from high performance overhead or compatibility problems with mainstream kernels and hardware. In this article, we present Kruiser, a concurrent kernel heap buffer overflow monitor. Unlike conventional methods, the security enforcement of which is usually inlined into the kernel execution, Kruiser migrates security enforcement from the kernel's normal execution to a concurrent monitor process, leveraging the increasingly popular multi-core architectures. To reduce the synchronization overhead between the monitor process and the running kernel, we design a novel semi-synchronized non-blocking monitoring algorithm, which enables efficient runtime detection on live memory without incurring false positives. To prevent the monitor process from being tampered and provide guaranteed performance isolation, we utilize the virtualization technology to run the monitor process out of the monitored VM, while heap memory allocation information is collected inside the monitored VM in a secure and efficient way. The hybrid VM monitoring technique combined with the secure canary that cannot be counterfeited by attackers provides guaranteed overflow detection with high efficiency. We have implemented a prototype of Kruiser based on Linux and the Xen/KVM hypervisor. The evaluation shows that Kruiser can detect realistic kernel heap buffer overflow attacks in cloud environment effectively with minimal cost.

Donghai Tian,Qiang Zeng,Dinghao Wu,Peng Liu,Changzhen Hu

2012-01-01

Abstract:Kernel heap buffer overflow vulnerabilities have been exposed for decades, but there are few practical countermeasure that can be applied to OS kernels. Previous solutions either suffer from high performance overhead or compatibility problems with mainstream kernels and hardware. In this paper, we present KRUISER, a concurrent kernel heap buffer overflow monitor. Unlike conventional methods, the security enforcement of which is usually inlined into the kernel execution, Kruiser migrates security enforcement from the kernel’s normal execution to a concurrent monitor process, leveraging the increasingly popular multi-core architectures. To reduce the synchronization overhead between the monitor process and the running kernel, we design a novel semi-synchronized non-blocking monitoring algorithm, which enables efficient runtime detection on live memory without incurring false positives. To prevent the monitor process from being tampered and provide guaranteed performance isolation, we utilize the virtualization technology to run the monitor process out of the monitored VM, while heap memory allocation information is collected inside the monitored VM in a secure and efficient way. The hybrid VM monitoring technique combined with the secure canary that cannot be counterfeited by attackers provides guaranteed overflow detection with high efficiency. We have implemented a prototype of KRUISER based on Linux and the Xen hypervisor. The evaluation shows that Kruiser can detect realistic kernel heap buffer overflow attacks effectively with minimal overhead.

Xingshu Chen,Dandan Zhao,Hui Li,Lei Zhang

DOI: https://doi.org/10.13245/j.hust.160307

2016-01-01

Abstract:To trace the behavior of LKM (loadable kernel modules)rootkits,a hardware assisted vir-tualization based framework for kernel modules running in isolation was proposed to isolate drivers in an address space separate from the kernel by two sets of hardware assisted page tables and to protect integrity of the kernel stack basing on the chain composed of base pointers of stack frames.Eventually a prototype system on the full-virtualization platform of KVM was implemented which was called Hy-per-ISO (Hyper-ISOlation).The experimental result shows that the Hyper-ISO is able to monitor the control transfer processes between the untrusted module and the kernel timely,monitor the untrusted module accessing kernel code or data,and protect the kernel stack from the untrusted module.

Xi Xiong,Donghai Tian,Peng Liu

2011-01-01

Abstract:Kernel extensions are widely used by attackers to compromise the operating system kernel. With the presence of various untrusted extensions, it remains a challenging problem to comprehensively preserve the integrity of OS kernels in a practical and generic way. In this paper, we present HUKO, a hypervisor-based integrity protection system designed to protect commodity OS kernels from untrusted extensions. In HUKO system, untrusted kernel extensions can safely run to provide desired functionalities. The behaviors of untrusted extensions, however, are confined by mandatory access control policies, which significantly limit the attacker’s ability to compromise the integrity of the kernel. To guarantee multi-aspect protection and enforcement, HUKO leverages hardware assisted paging to transparently isolate untrusted extensions from the OS kernel. Moreover, HUKO overcomes the challenge of mediation overhead by introducing a novel design named subject-aware protection state transition to eliminate unnecessary privilege transitions caused by mediating allowed accesses. Our approach is practical because it requires little change for either OS kernel or extensions, and it can inherently support multiple commodity operating systems and legacy extensions. We have implemented a prototype of HUKO based on the open source Xen hypervisor. The evaluation results show that HUKO can comprehensively protect the integrity for both Linux and Windows kernel from various kinds of malicious extensions with an acceptable performance cost.

Menglong Jiang,Zhengwei Qi,Haibing Guan,Anil Kumar Karna

DOI: https://doi.org/10.1109/FCST.2009.26

2009-01-01

Abstract:With the development of network malicious code, the existing security holes in present systems facilitate data loss. Though protection methods and software are updated day by day, some recent rootkits, that can still invisibly access kernel, make new challenges for the system security. The focal point on system security is how to protect a chosen process on the infected operating system. Process protection and monitoring are becoming more and more important for emerging networks and systems. In this paper, we present a new technique, Croth, which is based on hardware virtualization technology. It introduces a novel mechanism, Cape, that is located in virtual machine monitor (VMM). The main work of Cape is to emulate most of the operations originally done by operating system. This primitive offers an additional dimension of protection beyond the hierarchical protection domains, implemented by traditional operating systems and processor architectures. The design and implementation of hiding sensitive data is also presented in this paper. Our design has been fully implemented and used to protect a wide range of legacy process without any modification on Windows operating system. Our experimental result shows that the operating system could not get accurate data while the chosen process is controlled by Croth. It has provided a little performance overhead, however, performance is still acceptable.

Dongyang Zhan,Lin Ye,Binxing Fang,Hongli Zhang,Xiaojiang Du

DOI: https://doi.org/10.1007/s00500-017-2745-x

2017-01-01

Abstract:Kernel control-flow integrity (CFI) of virtual machines is very important to cloud security. VMI-based dynamic tracing and analyzing methods are promising options for checking kernel CFI in cloud. However, the CFI monitors based on tracing always work at instruction or branch level and result in serious virtual machine performance degradation. To meet the performance requirements in the cloud, we present a page-level dynamic VMI-based kernel CFI checking solution. We trace VM kernel execution at page level, which means that the in-page instruction execution cannot trigger our monitor. As a result, the tracing overhead can be greatly reduced. Based on page-level execution information, we propose two policies to describe the kernel control-flow so as to build the secure kernel control-flow database in the learning stage. In the monitoring stage, we compare runtime execution information with the secure database to check kernel CFI. To further reduce the monitoring overhead, we propose two performance optimization strategies. We implement the prototype on Xen and leverage hardware events to trace VM memory page execution. Then, we evaluate the effectiveness and performance of the prototype. The experimental results prove that our system has enough detection capability and the overhead is acceptable.

Donghai Tian,Dingjun Qi,Li Zhan,Yuhang Yin,Changzhen Hu,Jingfeng Xue

DOI: https://doi.org/10.1007/978-3-319-64701-2_11

2017-01-01

Abstract:Control-flow hijacking attacks are a very dangerous threat to software security in that they can hijack the programs execution to execute malicious code. There have been many solutions proposed for countering these attacks, but majority of them suffer from the following limitations: (1) Some methods could be bypassed by advanced code reuse attacks; (2) Some methods will incur considerable performance cost; (3) Some methods need to modify the target program. To address these problems, we present APIdefender, a kernel-based solution to defeat control-flow attacks. Our method is compatible with the existing software and hardware. The basic idea of our approach is to confine the sensitive API invocations by comparing the invocation context with the baseline information that is obtained by offline analysis. To perform the run-time enforcement for the API invocations, we leverage some commodity hardware features. The experiments show that APIdefender can detect malicious API invocations effectively with a little performance overhead.

Lin Ye,Xiangzhan Yu,Lei Yu,Bin Guo,Dongyang Zhan,Xiaojiang Du,Mohsen Guizani

DOI: https://doi.org/10.1109/ACCESS.2018.2859767

IF: 3.9

2018-01-01

IEEE Access

Abstract:With the advancement of cloud computing, the control flow integrity (CFI) of virtual machines' kernel becomes more and more important for the security of cloud services. Many CFI checking and protecting approaches have been proposed. Among them, dynamic analysis approaches have the best detection capability, but they are rarely used because of the high overhead introduced to the virtual machines to be monitored. In this paper, we propose a function-level kernel CFI checking approach to meet the performance requirements in the cloud. By combining the static memory analysis and the dynamic tracing, our system can achieve high detection capability with low overhead. Since the analysis and tracing targets of our system are kernel functions, our system incurs lower overhead to the monitored virtual machines than the instruction-level monitors. We propose two models to describe the kernel control flows. After building the secure control flow database by learning the normal behaviors, we can detect abnormal control flows in real time. With the help of virtualization and virtual machine introspection techniques, we implement a prototype system in the hardware virtualization environment. From the evaluation, our system has high detection capability with reasonable overhead.

Weizhong Qiang,Jiawei Yang,Hai Jin,Xuanhua Shi

DOI: https://doi.org/10.1109/access.2018.2866498

IF: 3.9

2018-01-01

IEEE Access

Abstract:Kernels of operating systems are written in low-level unsafe languages, which make them inevitably vulnerable to memory corruption attacks. Most existing kernel defense mechanisms focus on preventing control-data attacks. Recently, attackers have turned the direction to non-control-data attacks by hijacking data flow, so as to bypass current defense mechanisms. Previous work has proved that noncontrol-data attacks are the critical threat to kernels. One of the important purposes of these attacks is to achieve privilege escalation by overwriting sensitive kernel data. The goal of our research is to develop a lightweight protection mechanism to mitigate non-control-data attacks that compromise sensitive kernel data. We propose an approach that enforces data integrity of sensitive kernel data by preventing the illegal write to these data to mitigate privilege escalation attacks. The main challenge of the proposed approach is to validate the modification of sensitive kernel data at runtime. The validation routine must verify the legitimacy of the duplicated sensitive data and ensure the credibility of the verification. To address this challenge, we modify the system call entry point to monitor the change of the sensitive kernel data without any change to Linux access control mechanism. Then, we use stack canaries to protect the duplication of sensitive kernel data that are used for integrity checking. In addition, we protect the integrity of sensitive kernel data by forbidding illegal updates to them. We have implemented the prototype for Linux kernel on Ubuntu Linux platform. The evaluation results of our prototype demonstrate that it can mitigate privilege escalation attacks and its performance overhead is moderate.

Nai Xia,Bing Mao,Qingkai Zeng,Li Xie

DOI: https://doi.org/10.1007/978-3-540-77505-8_8

2007-01-01

Abstract:Control-hijacking attacks are known as critical threats to software security. Control flow monitoring is a kind of important method to mitigate this problem. In this paper, we present a new method for program control flow monitoring. Based on the static analysis of a program, we apply very simple instrumentation of a progam's source code to encode its runtime function level control flow traces and check the correctness of the traces in the OS kernel. Experiments show that this method has a tiny performance impact and is still highly effective in detecting control-hijacking attacks. We also propose to automatically handle non-standard control flow by learning programs' dynamic profiling data. Our method is hopeful to be enforceable in different environments because it does not depend closely on specific platform features and the underlying techniques can be easily found in many platforms.

Donghai Tian,Xiaoqi Jia,Junhua Chen,Changzhen Hui

2017-01-01

Journal of information science and engineering

Abstract:Keyloggers have been studied for many years, but they still pose a severe threat to information security. Keyloggers can record highly sensitive information, and then transfer it to remote attackers. Previous solutions suffer from limitations in that: 1) Most methods focus on user-level keylogger detection; 2) Some methods need to modify OS kernels; 3) Most methods can be bypassed when the OS kernel is compromised. In this paper, we present LAKEED, an online defense against the kernel-level keylogger by utilizing the hardware assisted virtualization technology. Our system is compatible with the commodity operating system, and it can protect the running OS transparently. The basic idea of our approach is to isolate the target kernel extension that may contain the keylogger from keyboard drivers’ execution environment and then monitor their potential interactions. By comparing the runtime information with the execution baseline that is obtained by the offline analysis, the keylogger can be identified. The evaluation shows that LAKEED can defeat kernel-level keyloggers effectively with low performance overhead.

Jianhua Sun,Hao Chen,Cheng Chang,Xingbang Li

2013-01-01

Computing and Informatics

Abstract:Kernel rootkits pose significant challenges on defensive techniques as they run at the highest privilege level along with the protection systems. Modern architectural approaches such as the NX protection have been used in mitigating attacks, however determined attackers can still bypass these defenses with specifically crafted payloads. In this paper, we propose a virtualized Harvard memory architecture to address the kernel code integrity problem, which virtually separates the code fetch and data access on the kernel code to prevent kernel from code modifications. We have implemented the proposed mechanism in commodity operating system, and the experimental results show that our approach is effective and incurs very low overhead.

Donghai Tian,Deguang Kong,Changzhen Hu,Peng Liu

DOI: https://doi.org/10.1109/securware.2010.9

2010-01-01

Abstract:Operating system security (OS) is the basis for trust computing. As the kernel rootkits become popular and lots of kernel vulnerabilities are exposed, the OS kernel suffers a large number of attacks. It is difficult to protect the kernel by its own module because the kernel rootkits has the same ability to cripple the security module within the same kernel space. Recently, with the virtualization renaissance, virtualization technology provides many new ways to improve the system security. Utilizing this new technology, we present a kernel protection system called VMhuko. By monitoring the kernel data access actively, VMhuko can defend the kennel data attacks on the fly. The intensive experiment shows that VMhuko can protect the kernel with moderate performance.

LI Xun,HUANG Hao

DOI: https://doi.org/10.3969/j.issn.1002-137x.2011.12.015

2011-01-01

Computer Science

Abstract:Kernel-level attacks compromise operating system security by tampering with critical data and control flow in the kernel.Current approaches defend against these attacks by applying code integrity or control flow integrity control methods.However,they focus on only a certain aspect and cannot give a complete integrity monitoring solution.This paper analyzed the kernel integrity principle and got practical requirements to ensure kernel integrity.Critical data objects effect operating system function directly.Only certain code is able to modify critical data objects at certain conditions to ensure data integrity.All factors about code execution sequence are protected and monitored to ensure control flow integrity.Implementation in Xen VMM(Virtual Machine Monitor) using hardware virtualization,or referred to as HVM(Hardware Virtual Machine) is introduced to protect and monitor Linux kernel.Experiments show that the solution can detect and prevent attacks and bugs compromising the kernel.

Abhinav Srivastava,Jonathon Giffin

DOI: https://doi.org/10.1145/2420950.2421012

2012-01-01

Abstract:Commodity operating system kernels isolate applications via separate memory address spaces provided by virtual memory management hardware. However, kernel memory is unified and mixes core kernel code with driver components of different provenance. Kernel-level malicious software exploits this lack of isolation between the kernel and its modules by illicitly modifying security-critical kernel data structures. In this paper, we design an access control policy and enforcement system that prevents kernel components with low trust from altering security-critical data used by the kernel to manage its own execution. Our policies are at the granularity of kernel variables and structure elements, and they can protect data structures dynamically allocated at runtime. Our hypervisor-based design uses memory page protection bits as part of its policy enforcement. The granularity difference between page-level protection and variable-level policies challenges the system's ability to remain performant. We develop kernel data-layout partitioning and reorganization techniques to maintain kernel performance in the presence of our protections. We show that our system can prevent malicious modifications to security-critical kernel data with small overhead. By offering protection for critical kernel data structures, we can detect unknown kernel-level malware and guarantee that security utilities relying on the integrity of kernel-level state remain accurate.

Ahmed M. Azab,Kirk Swidowski,Rohan Bhutkar,Jia Ma,Wenbo Shen,Ruowen Wang,Peng Ning

DOI: https://doi.org/10.14722/ndss.2016.23009

2016-01-01

Abstract:Previous research on kernel monitoring and protection widely relies on higher privileged system components, such as hardware virtualization extensions, to isolate security tools from potential kernel attacks.These approaches increase both the maintenance effort and the code base size of privileged system components, which consequently increases the risk of having security vulnerabilities.SKEE, which stands for Secure Kernellevel Execution Environment, solves this fundamental problem.SKEE is a novel system that provides an isolated lightweight execution environment at the same privilege level of the kernel.SKEE is designed for commodity ARM platforms.Its main goal is to allow secure monitoring and protection of the kernel without active involvement of higher privileged software.SKEE provides a set of novel techniques to guarantee isolation.It creates a protected address space that is not accessible to the kernel, which is challenging to achieve when both the kernel and the isolated environment share the same privilege level.SKEE solves this challenge by preventing the kernel from managing its own memory translation tables.Hence, the kernel is forced to switch to SKEE to modify the system's memory layout.In turn, SKEE verifies that the requested modification does not compromise the isolation of the protected address space.Switching from the OS kernel to SKEE exclusively passes through a well-controlled switch gate.This switch gate is carefully designed so that its execution sequence is atomic and deterministic.These properties combined guarantee that a potentially compromised kernel cannot exploit the switching sequence to compromise the isolation.If the kernel attempts to violate these properties, it will only cause the system to fail without exposing the protected address space.SKEE exclusively controls access permissions of the entire OS memory.Hence, it prevents attacks that attempt to inject unverified code into the kernel.Moreover, it can be easily extended to intercept other system events in order to support various intrusion detection and integrity verification tools.This paper presents a SKEE prototype that runs on both 32-bit ARMv7 and 64-bit ARMv8 architectures.Performance evaluation results demonstrate that SKEE is a practical solution for real world systems.1 These authors contributed equally to this work I. INTRODUCTIONMany of the current commodity operating systems, like Linux, Windows, and FreeBSD, rely on monolithic kernels, which store security and access control policies in memory regions that are accessible to their whole code base.Hence, the security of the whole system relies on a large Trusted Computing Base (TCB) that includes the base kernel code in addition to potentially buggy device drivers.An exploit of a monolithic kernel would allow complete access to the entire system memory and resources.In addition, it can effectively bypass kernel level security protection mechanisms.Recent incidents [1], [2], [5], [28], [32], [53] show that exploiting the OS kernel is a real threat.Hence, there is a need for security tools that provide monitoring and protection of the kernel.These tools have to be properly isolated so that they are protected from potential kernel exploitation.

Hung-Min Sun,Hsun Wang,King-Hang Wang,Chien-Ming Chen

DOI: https://doi.org/10.1109/tc.2011.46

IF: 3.183

2011-01-01

IEEE Transactions on Computers

Abstract:As new vulnerabilities on Windows systems are reported endlessly, it is more practical to stop polymorphic malicious code from exploiting these vulnerabilities by building an behavior-based monitor, rather than adopting a signature-based detection system or fixing these vulnerabilities. Many behavior-based monitors have been proposed for Windows systems to serve this purpose. Some of them hook high-level system APIs to detect the suspicious behaviors of code. However, they cannot detect malicious code that directly invokes Native APIs. In this paper, we present a novel security scheme that hooks Native APIs in the kernel mode. This method effectively prevents malicious code calling Native APIs directly. It introduces an average eight percent computation overhead into the system. Analyses and a series of experiments are given in the paper to support our claims.

Donghai Tian,Xi Xiong,Changzhen Hu,Peng Liu

DOI: https://doi.org/10.1002/spe.2576

2018-01-01

Abstract:Loadable kernel modules (LKMs) that contain vulnerabilities are a big threat to modern operating systems (OSs). The primary reason is that there is no protection mechanism inside the kernel space when the LKM is executed. As a result, kernel module exploitation can seriously affect the OS kernel security. Although many protection systems have been developed to address this problem in the past few years, there still remain some challenges: (1) How to automatically generate a security policy before the kernel module is enforced? (2) How to properly mediate the interactions between the kernel module and the OS kernel without modifications on the existing OS, hardware, and kernel module structure? To address these challenges, we present LKM guard (LKMG), a policy-centric system that can protect commodity OS kernel from vulnerable LKMs. Compared with previous systems, LKMG is able to generate a security policy from a kernel module and then enforce the policy during the run time. Generally, the working process of LKMG can be divided into 2 stages. First, we utilize static analysis to extract the kernel code and data access patterns from a kernel module's source code and then combine these patterns with the related memory address information to generate a security policy. Second, by leveraging the hardware-assisted virtualization technology, LKMG isolates the kernel module from the rest of the kernel and then enforces the kernel module's execution to obey the derived policy. The experiments show that our system can defend against various attacks launched by the compromised kernel module effectively with moderate performance cost.

Benshan Mei,Saisai Xia,Wenhao Wang,Dongdai Lin

2024-07-18

Abstract:Confidential computing safeguards sensitive computations from untrusted clouds, with Confidential Virtual Machines (CVMs) providing a secure environment for guest OS. However, CVMs often come with large and vulnerable operating system kernels, making them susceptible to attacks exploiting kernel weaknesses. The imprecise control over the read/write access in the page table has allowed attackers to exploit vulnerabilities. The lack of security hierarchy leads to insufficient separation between untrusted applications and guest OS, making the kernel susceptible to direct threats from untrusted programs. This study proposes Cabin, an isolated execution framework within guest VM utilizing the latest AMD SEV-SNP technology. Cabin shields untrusted processes to the user space of a lower virtual machine privilege level (VMPL) by introducing a proxy-kernel between the confined processes and the guest OS. Furthermore, we propose execution protection mechanisms based on fine-gained control of VMPL privilege for vulnerable programs and the proxy-kernel to minimize the attack surface. We introduce asynchronous forwarding mechanism and anonymous memory management to reduce the performance impact. The evaluation results show that the Cabin framework incurs a modest overhead (5% on average) on Nbench and WolfSSL benchmarks.

Cryptography and Security