Architectural Supports to Protect OS Kernels from Code-Injection Attacks and Their Applications

Published: 31 August 2017

Abstract

Kernel code injection is a common step in kernel-compromising attacks, in which attackers pursue their goals by manipulating the OS kernel. Several security mechanisms have been proposed to mitigate such threats, but they all suffer from non-negligible performance overhead. This article introduces a hardware reference monitor, called Kargos, which can detect kernel code injection attacks at nearly zero performance cost. Kargos monitors the behavior of an OS kernel from outside the CPU through the standard bus interconnect and the debug interface available with most major microprocessors. By watching the execution traces and memory access events of the monitored target system, Kargos uncovers attempts to execute malicious code with kernel privilege. On top of this, we also applied the architectural supports for Kargos to the detection of ROP attacks. KS-Stack is the hardware component that builds and maintains shadow stacks using the existing supports to detect these ROP attacks. According to our experiments, Kargos detected all the kernel code injection attacks that we tested while increasing the computational load on the target CPU by less than 1% on average. The performance overhead of KS-Stack was also less than 1%.
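The following is an added software model of the monitoring idea the abstract describes; it is not code from the paper or its authors. It consumes a stream of constructed trace events (calls, returns, branches, with a kernel/user privilege flag) and bus write events, and applies three checks that mirror the abstract's two mechanisms: writes into the kernel text window and kernel-privileged execution outside that window are flagged as code injection (the Kargos part), and a shadow stack built from the call/return trace flags return-address mismatches (the KS-Stack part). The event format, the kernel text range, the fixed 4-byte instruction width and the sample traces are all assumptions made for the example; a real hardware monitor would derive these from the trace port and the bus, not from Python objects.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed constants (assumptions for this example): an immutable kernel
# text window and a fixed 4-byte instruction width, as on 32-bit ARM cores.
KERNEL_TEXT: Tuple[int, int] = (0xC000_0000, 0xC040_0000)
INSN_SIZE = 4


@dataclass
class Event:
    kind: str          # "call", "ret", "branch" (trace) or "write" (bus)
    pc: int            # address of the instruction that produced the event
    target: int        # branch/return target, or the address being written
    priv: bool = True  # True if the CPU was in kernel mode (assumed to be in the trace)
    size: int = 0      # bytes written, for "write" events


@dataclass
class Monitor:
    text: Tuple[int, int] = KERNEL_TEXT
    shadow: List[int] = field(default_factory=list)   # expected return addresses
    alerts: List[str] = field(default_factory=list)

    def in_text(self, addr: int) -> bool:
        return self.text[0] <= addr < self.text[1]

    def feed(self, ev: Event) -> None:
        if ev.kind == "write":
            # Rule 1 (Kargos): no runtime write may overlap the kernel text window.
            lo, hi = ev.target, ev.target + max(ev.size, 1)
            if lo < self.text[1] and hi > self.text[0]:
                self.alerts.append(f"text write: {ev.pc:#x} -> {ev.target:#x}")
            return
        if not ev.priv:
            return  # user-mode control flow is outside this monitor's scope
        # Rule 2 (Kargos): kernel-privileged execution must stay inside known code.
        if not self.in_text(ev.target):
            self.alerts.append(f"kernel exec outside text: {ev.pc:#x} -> {ev.target:#x}")
        # Rule 3 (KS-Stack): maintain a shadow stack from the call/return trace.
        if ev.kind == "call":
            self.shadow.append(ev.pc + INSN_SIZE)
        elif ev.kind == "ret":
            expected = self.shadow.pop() if self.shadow else None
            if expected != ev.target:
                want = f"{expected:#x}" if expected is not None else "empty shadow stack"
                self.alerts.append(f"ret mismatch at {ev.pc:#x}: got {ev.target:#x}, expected {want}")


def run(events: List[Event]) -> List[str]:
    """Feed a whole trace to a fresh monitor and return the alerts it raised."""
    mon = Monitor()
    for ev in events:
        mon.feed(ev)
    return mon.alerts


def build_sample_traces() -> Tuple[List[Event], List[Event]]:
    """Constructed traces: one benign, one exercising all three rules."""
    benign = [
        Event("call", 0xC000_1000, 0xC000_2000),            # normal kernel call
        Event("branch", 0xC000_2010, 0xC000_2020),          # intra-function jump
        Event("ret", 0xC000_2030, 0xC000_1004),             # returns to call site + 4
        Event("branch", 0x0001_0000, 0x0001_0040, priv=False),  # user code, ignored
        Event("write", 0xC000_1100, 0xC100_0000, size=4),   # write to kernel data, fine
    ]
    attack = [
        Event("write", 0xC000_3000, 0xC000_0500, size=16),  # patching kernel text
        Event("call", 0xC000_1000, 0xC000_2000),
        Event("branch", 0xC000_2010, 0xD000_0000),          # kernel jumps to non-text memory
        Event("ret", 0xC000_2030, 0xC000_4000),             # return address was swapped
    ]
    return benign, attack


if __name__ == "__main__":
    benign, attack = build_sample_traces()
    print("benign:", run(benign))
    for line in run(attack):
        print("attack:", line)
```

The shadow stack here is a plain list, which is the same policy a hardware shadow stack enforces: every return must go to the address pushed by the matching call. Rule 2 checks targets rather than the event's own `pc` so that the first instruction executed outside the text window is reported, which is the earliest point at which the trace reveals injected code.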


      Published In

      ACM Transactions on Design Automation of Electronic Systems, Volume 23, Issue 1
      January 2018
      279 pages
      ISSN: 1084-4309
      EISSN: 1557-7309
      DOI: 10.1145/3129756
      Editor: Naehyuck Chang

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Publication History

      Published: 31 August 2017
      Accepted: 01 June 2017
      Revised: 01 June 2017
      Received: 01 October 2016
      Published in TODAES Volume 23, Issue 1

      Author Tags

      1. Operating system security
      2. architectural support for security
      3. code-injection attacks
      4. return-oriented programming
      5. shadow stack

      Qualifiers

      • Research-article
      • Research
      • Refereed

      Funding Sources

      • Korea government (MSIP)
      • National Research Foundation of Korea (NRF)
      • Institute for Information & Communications Technology Promotion (IITP)
      • Development on the SW/HW modules of Processor Monitor for System Intrusion Detection
      • MSIP (Ministry of Science, ICT and Future Planning), Korea
      • Cloud based Security Intelligence Technology Development for the Customized Security Service Provisioning
      • IITP (Institute for Information & Communications Technology Promotion)
      • ITRC (Information Technology Research Center)
