Policy-centric protection of OS kernel from vulnerable loadable kernel modules

Donghai Tian*, Xi Xiong, Changzhen Hu, Peng Liu

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding; Conference contribution; peer-review

2 Citations (Scopus)

Abstract

Due to the lack of a protection mechanism in kernel space, loadable kernel modules (LKMs) may be exploited through implicit or explicit vulnerabilities, seriously affecting the OS kernel's security. Although many systems have been developed to address this problem, some challenges remain: a) How can a security policy be generated automatically before the kernel module is enforced? b) How can the interactions between the kernel module and the OS kernel be properly mediated to ensure policy consistency without modifications (or with the least changes) to the existing OS, hardware, and kernel module structure? In this paper, we present LKMG, a policy-centric system that can protect a commodity OS kernel from vulnerable loadable kernel modules. More powerful than previous systems, LKMG is able to generate a security policy from the kernel module and then enforce the policy during the kernel module's execution. Generally, the working process of LKMG can be divided into two stages. First, we utilize static analysis to extract the kernel code and data access patterns from a kernel module's source code, and then combine these patterns with the related memory address information to generate a security policy. Second, by leveraging hardware-based virtualization technology, LKMG isolates the kernel module from the rest of the kernel and then forces the kernel module's execution to obey the derived policy. The experiments show that our system can defend against various loadable kernel module exploitations effectively with moderate performance overhead.

Original language: English
Title of host publication: Information Security Practice and Experience - 7th International Conference, ISPEC 2011, Proceedings
Pages: 317-332
Number of pages: 16
Publication status: Published - 2011
Event: 7th International Conference on Information Security Practice and Experience, ISPEC 2011 - Guangzhou, China
Duration: 30 May 2011 to 1 Jun 2011

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 6672 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Conference

Conference: 7th International Conference on Information Security Practice and Experience, ISPEC 2011
Country/Territory: China
City: Guangzhou
Period: 30/05/11 to 1/06/11

Cite this

Tian, D., Xiong, X., Hu, C., & Liu, P. (2011). Policy-centric protection of OS kernel from vulnerable loadable kernel modules. In Information Security Practice and Experience - 7th International Conference, ISPEC 2011, Proceedings (pp. 317-332). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 6672 LNCS). https://doi.org/10.1007/978-3-642-21031-0_24