Mitigation of Kernel Memory Corruption Using Multiple Kernel Memory Mechanism

Operating systems adopt kernel protection methods (e.g., mandatory access control, kernel address space layout randomization, control flow integrity, and kernel page table isolation) as essential countermeasures to reduce the likelihood of kernel vulnerability attacks. However, kernel memory corruption can still occur via the execution of malicious kernel code at the kernel layer. This is because the vulnerable kernel code and the attack target kernel code or kernel data are located in the same kernel address space. To gain complete control of a host, adversaries focus on kernel code invocations, such as function pointers that rely on the starting points of the kernel protection methods. To mitigate such subversion attacks, this paper presents multiple kernel memory (MKM), which employs an alternative design for kernel address space separation. The MKM mechanism focuses on the isolation granularity of the kernel address space during each execution of the kernel code. MKM provides two kernel address spaces, namely, i) the trampoline kernel address space, which acts as the gateway feature between user and kernel modes, and ii) the security kernel address space, which utilizes the localization of the kernel protection methods (i.e., kernel observation). Additionally, MKM achieves the encapsulation of the vulnerable kernel code to prevent access to the kernel code invocations of the separated kernel address space.

The evaluation results demonstrated that MKM can protect the kernel code and kernel data from a proof-of-concept kernel vulnerability that could lead to kernel memory corruption. In addition, the performance results of MKM indicate that the system call overhead latency ranges from 0.020 μs to 0.5445 μs, while the web application benchmark ranges from 196.27 μs to 6,685.73 μs for each download access of 100,000 Hypertext Transfer Protocol sessions. MKM attained a 97.65% system benchmark score and a 99.76% kernel compilation time.

Bibliographic Details
Main Authors: Hiroki Kuzuno (Intelligent Systems Laboratory, SECOM Company Ltd., Tokyo, Mitaka, Japan; ORCID https://orcid.org/0000-0003-2686-2541), Toshihiro Yamauchi (Graduate School of Natural Science and Technology, Okayama University, Okayama, Japan; ORCID https://orcid.org/0000-0001-6226-5715)
Format: Article
Language: English
Published: IEEE 2021-01-01
Series: IEEE Access, vol. 9, pp. 111651-111665
ISSN: 2169-3536
DOI: 10.1109/ACCESS.2021.3101452
Subjects: Memory corruption; kernel vulnerability; system security; operating system
Online Access: https://ieeexplore.ieee.org/document/9502080/