KEcruiser: A novel control flow protection for kernel extensions

Donghai Tian, Rui Ma*, Xiaoqi Jia, Changzhen Hu

*Corresponding author for this work

Research output: Contribution to journal › Article › peer-review

3 Citations (Scopus)

Abstract

Vulnerable kernel extensions are a severe threat to the security of modern operating systems. Because kernel space lacks protection mechanisms, exploiting a kernel extension can give an attacker control of the entire operating system. To improve the security and reliability of kernel extensions, many solutions rely on adding kernel isolation mechanisms that confine the execution behavior of kernel extensions. However, previous methods suffer from limitations in compatibility and performance cost. To address these issues, we present KEcruiser, a novel control flow protection mechanism for kernel extensions. The basic idea of our approach is to monitor the control flow of a kernel extension and identify abnormal execution behavior at run time. Using a recent hardware feature, our system can collect kernel control flow information efficiently. By leveraging virtualization technology, our security monitor is deployed outside the target VM so that the kernel control flow can be checked securely. To ensure monitoring correctness and concurrency, we make use of Lamport's ring buffer algorithm. Our system is compatible with existing commodity operating systems, and it can protect running kernel extensions transparently. The experiments show that KEcruiser can effectively identify control flow violations that occur in kernel extensions with a small performance cost.

Original language: English
Pages (from-to): 1-9
Number of pages: 9
Journal: Future Generation Computer Systems
Volume: 100
Publication status: Published - Nov 2019

Keywords

  • Control flow
  • Kernel extensions
  • Protection mechanism
  • Virtualization
