research-article

Barrier: a lightweight hypervisor for protecting kernel integrity via memory isolation

Authors:

Kouichi SakuraiAuthors Info & Claims

SAC '12: Proceedings of the 27th Annual ACM Symposium on Applied Computing

Pages 1470 - 1477

https://doi.org/10.1145/2245276.2232011

Published: 26 March 2012 Publication History

Abstract

In the present operating systems such as Linux, all the kernel modules, including unknown extensions, run in the same address space. They are granted the highest privilege and can access arbitrary memory without any limitation. This is at the root of kernel rootkits, which are malware seriously threatening the kernel integrity. In this paper, we present Barrier, a lightweight hypervisor designed for enhancing the kernel integrity of personal computers by isolating the kernel modules. Since this hypervisor is designed for the OS protection on PCs, it does not implement unnecessary virtualization features that are commonly found on the general-purpose hypervisors to support running multiple OS instances concurrently on the same server. As a result, it is much smaller and also much easier to use, especially for unprofessional users. Barrier leverages the hardware-supported memory virtualization to isolate the kernel modules into different address spaces. All the interactions across address spaces have to go through a strict mediation based on some predefined MAC rules. This greatly increases the attacker's hardness to compromise the kernel integrity. We have implemented a prototype of Barrier. The evaluation results show that Barrier can well protect the kernel integrity without bringing unaffordable performance overheads.

References

[1]

T. H. R. Hund and F. Freiling. Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms. USENIX Security 2009.

Digital Library

[2]

M. I. Sharif, W. Lee, and et al. Secure In-VM Monitoring Using Hardware Virtualization. CCS 2009.

Digital Library

[3]

A. Seshadri, M. Luk, and et al. SecVisor: A Tiny Hypervisor to Provide Lifetime Kernel Code Integrity for Commodity OSes. SOSP 2007.

Digital Library

[4]

L. Litty, H. A. Lagar-Cavilla, and D. Lie. Hypervisor Support for Identifying Covertly Executing Binaries. USENIX Security 2007.

Digital Library

[5]

R. Riley, X. Jiang, and D. Xu. Guest-Transparent Prevention of Kernel Rootkits with VMM-Based Memory Shadowing. RAID 2008.

Digital Library

[6]

A. Srivastava, I. Erete, and J. Giffin. Kernel Data Integrity Protection via Memory Access Control. Technical ReportGT-CS-09-04, Georgia Institute of Technology, 2009.

[7]

Z. Wang, X. Jiang, and et al. Countering Kernel Rootkits with Lightweight Hook Protection. CCS 2009.

Digital Library

[8]

E. Witchel, J. Rhee, and K. Asanovc. Mondrix: Memory Isolation for Linux Using Mondriaan Memory Protection. SOSP 2005.

Digital Library

[9]

X. Xiong, D. Tian, and P. Liu. Practical Protection of Kernel Integrity for Commodity OS from Untrusted Extensions. NDSS 2011

[10]

A. Srivastava and J. Giffi. Efficient Monitoring of Untrusted Kernel-Mode Execution. NDSS 2011.

[11]

A. Nguyen, N. Schear, and et al. MAVMM: Lightweight and Purpose Built VMM for Malware Analysis. ACSAC 2009.

Digital Library

[12]

A. Baliga, V. Ganapathy, and L. Iftode. Automatic Inference and Enforcement of Kernel Data Structure Invariants. ACSAC 2008.

Digital Library

[13]

Intel 64 and IA-32 Architectures Software Developer's Manual Volume 3b: System Programming Guide.

[14]

J. Rhee, R. Riley, D. Xu. Defeating Dynamic Data Kernel Rootkit Attacks via VMM-based Guest-Transparent Monitoring. ARES 2009.

[15]

AMD64 Architecture Programmer's Manual Volume 2: System Programming. 2010.

Cited By

Bergougnoux QCartigny JGrimaud G(2018)Porting the Pip Proto-Kernel's Model to Multi-core Environments2018 IEEE 16th Intl Conf on Dependable, Autonomic and Secure Computing, 16th Intl Conf on Pervasive Intelligence and Computing, 4th Intl Conf on Big Data Intelligence and Computing and Cyber Science and Technology Congress(DASC/PiCom/DataCom/CyberSciTech)10.1109/DASC/PiCom/DataCom/CyberSciTec.2018.00108(584-591)Online publication date: Aug-2018
https://doi.org/10.1109/DASC/PiCom/DataCom/CyberSciTec.2018.00108
Lyu YYan FChen YWang DShi YAgoulmine N(2018)High-performance scheduling model for multisensor gateway of cloud sensor system-based smart-livingInformation Fusion10.1016/j.inffus.2013.04.00421(42-56)Online publication date: 20-Dec-2018
https://dl.acm.org/doi/10.1016/j.inffus.2013.04.004
Lombardi FDi Pietro R(2016)Heterogeneous Architectures: Malware and CountermeasuresSecure System Design and Trustable Computing10.1007/978-3-319-14971-4_13(421-438)Online publication date: 2016
https://doi.org/10.1007/978-3-319-14971-4_13

Index Terms

Barrier: a lightweight hypervisor for protecting kernel integrity via memory isolation
1. Security and privacy
  1. Systems security
    1. Operating systems security

Recommendations

Secure in-VM monitoring using hardware virtualization
CCS '09: Proceedings of the 16th ACM conference on Computer and communications security

Kernel-level attacks or rootkits can compromise the security of an operating system by executing with the privilege of the kernel. Current approaches use virtualization to gain higher privilege over these attacks, and isolate security tools from the ...
The Convergence of Container and Traditional Virtualization: Strengths and Limitations
Abstract
Virtual machines (VMs) are used extensively in the cloud. The underlying hypervisors allow hardware resources to be split into multiple virtual units which enables server consolidation, fault containment, and resource management. However, VMs with ...
NumChecker: detecting kernel control-flow modifying rootkits by using hardware performance counters
DAC '13: Proceedings of the 50th Annual Design Automation Conference

This paper presents NumChecker, a new Virtual Machine Monitor (VMM) based framework to detect control-flow modifying kernel rootkits in a guest Virtual Machine (VM). NumChecker detects malicious modifications to a system call in the guest VM by checking ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

SAC '12: Proceedings of the 27th Annual ACM Symposium on Applied Computing

March 2012

2179 pages

ISBN:9781450308571

DOI:10.1145/2245276

Conference Chairs:
Sascha Ossowski
University Rey Juan Carlos, Spain
,
Paola Lecca
The Microsoft Research - University of Trento COSBI, Italy

Copyright © 2012 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGAPP: ACM Special Interest Group on Applied Computing

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 26 March 2012

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

SAC 2012

Sponsor:

SIGAPP

SAC 2012: ACM Symposium on Applied Computing

March 26 - 30, 2012

Trento, Italy

Acceptance Rates

SAC '12 Paper Acceptance Rate 270 of 1,056 submissions, 26%;

Overall Acceptance Rate 1,650 of 6,669 submissions, 25%

Upcoming Conference

SAC '25

Sponsor:
sigapp

The 40th ACM/SIGAPP Symposium on Applied Computing

March 31 - April 4, 2025

Catania , Italy

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

3
Total Citations
View Citations
355
Total Downloads

Downloads (Last 12 months)7
Downloads (Last 6 weeks)0

Reflects downloads up to 25 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

Bergougnoux QCartigny JGrimaud G(2018)Porting the Pip Proto-Kernel's Model to Multi-core Environments2018 IEEE 16th Intl Conf on Dependable, Autonomic and Secure Computing, 16th Intl Conf on Pervasive Intelligence and Computing, 4th Intl Conf on Big Data Intelligence and Computing and Cyber Science and Technology Congress(DASC/PiCom/DataCom/CyberSciTech)10.1109/DASC/PiCom/DataCom/CyberSciTec.2018.00108(584-591)Online publication date: Aug-2018
https://doi.org/10.1109/DASC/PiCom/DataCom/CyberSciTec.2018.00108
Lyu YYan FChen YWang DShi YAgoulmine N(2018)High-performance scheduling model for multisensor gateway of cloud sensor system-based smart-livingInformation Fusion10.1016/j.inffus.2013.04.00421(42-56)Online publication date: 20-Dec-2018
https://dl.acm.org/doi/10.1016/j.inffus.2013.04.004
Lombardi FDi Pietro R(2016)Heterogeneous Architectures: Malware and CountermeasuresSecure System Design and Trustable Computing10.1007/978-3-319-14971-4_13(421-438)Online publication date: 2016
https://doi.org/10.1007/978-3-319-14971-4_13

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents