TY - JOUR
T1 - KEcruiser
T2 - A novel control flow protection for kernel extensions
AU - Tian, Donghai
AU - Ma, Rui
AU - Jia, Xiaoqi
AU - Hu, Changzhen
N1 - Publisher Copyright: © 2019 Elsevier B.V.
PY - 2019/11
Y1 - 2019/11
N2 - Vulnerable kernel extensions are severe threats to the security of modern operating systems. Due to the lack of protection mechanisms in kernel space, exploitation of a kernel extension could take over control of the entire operating system. To enhance the security and reliability of kernel extensions, many solutions rely mainly on adding kernel isolation mechanisms to confine the execution behavior of kernel extensions. However, previous methods suffer from limitations in terms of compatibility and performance cost. To address these issues, we present KEcruiser, a novel control flow protection mechanism for kernel extensions. The basic idea of our approach is to monitor the control flow of a kernel extension and then identify abnormal execution behavior at run-time. Based on a recent hardware feature, our system can collect kernel control flow information efficiently. By leveraging virtualization technology, our security monitor is deployed outside of the target VM so that the kernel control flow can be checked securely. To ensure monitoring correctness and concurrency, we make use of Lamport's ring buffer algorithm. Our system is compatible with existing commodity operating systems, and it can protect running kernel extensions transparently. The experiments show that KEcruiser can effectively identify control flow violations occurring in kernel extensions with small performance cost.
KW - Control flow
KW - Kernel extensions
KW - Protection mechanism
KW - Virtualization
UR - http://www.scopus.com/inward/record.url?scp=85065529617&partnerID=8YFLogxK
U2 - 10.1016/j.future.2019.05.008
DO - 10.1016/j.future.2019.05.008
M3 - Article
AN - SCOPUS:85065529617
SN - 0167-739X
VL - 100
SP - 1
EP - 9
JO - Future Generation Computer Systems
JF - Future Generation Computer Systems
ER -