The original paper is in English. Non-English content has been machine-translated and may contain typographical errors or mistranslations. ex. Some numerals are expressed as "XNUMX".
Copyright notice
Countermeasures against attacks targeting an operating system are highly effective in preventing security compromises caused by kernel vulnerabilities. Through such attacks, an adversary overwrites credential information and overcomes security features by executing arbitrary programs. CPU features such as Supervisor Mode Access Prevention, Supervisor Mode Execution Prevention and the No eXecute bit facilitate access permission control and data execution control in virtual memory. In addition, Linux reduces actual attacks arising from kernel vulnerabilities through several protection methods, including Kernel Address Space Layout Randomization, Control Flow Integrity, and Kernel Page Table Isolation. Because kernel vulnerabilities rely on the interaction between user mode and kernel mode, a combination of these methods can mitigate attacks, but kernel virtual memory corruption can still occur (e.g., the eBPF vulnerability allows malicious memory overwriting solely in kernel mode). We introduce the Kernel Memory Observer (KMO), which has a secret observation mechanism that monitors kernel virtual memory. KMO is an alternative design for virtual memory that can detect illegal data manipulation/writing in kernel virtual memory. KMO determines kernel virtual memory corruption, inspects system call arguments, and forcibly unmaps the direct mapping area. An evaluation of KMO shows that it can detect kernel virtual memory corruption that involves defeating security features through actual kernel vulnerabilities. The results also indicate that the system call overhead latency ranges from 0.002 µs to 8.246 µs and the web application benchmark ranges from 39.70 µs to 390.52 µs for each HTTP access, while KMO reduces these overheads by using tag-based Translation Lookaside Buffers.
Hiroki KUZUNO
SECOM Co., Ltd.,Okayama University
Toshihiro YAMAUCHI
Okayama University
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Hiroki KUZUNO, Toshihiro YAMAUCHI, "Identification of Kernel Memory Corruption Using Kernel Memory Secret Observation Mechanism" in IEICE TRANSACTIONS on Information,
vol. E103-D, no. 7, pp. 1462-1475, July 2020, doi: 10.1587/transinf.2019ICP0011.
Abstract: Countermeasures against attacks targeting an operating system are highly effective in preventing security compromises caused by kernel vulnerability. An adversary uses such attacks to overwrite credential information, thereby overcoming security features through arbitrary program execution. CPU features such as Supervisor Mode Access Prevention, Supervisor Mode Execution Prevention and the No eXecute bit facilitate access permission control and data execution control in virtual memory. Additionally, Linux reduces actual attacks arising from the effects of kernel vulnerability via several protection methods including Kernel Address Space Layout Randomization, Control Flow Integrity, and Kernel Page Table Isolation. Although the combination of these methods can mitigate attacks, as kernel vulnerability relies on the interaction between the user and the kernel modes, kernel virtual memory corruption can still occur (e.g., the eBPF vulnerability allows malicious memory overwriting only in the kernel mode). We present the Kernel Memory Observer (KMO), which has a secret observation mechanism to monitor kernel virtual memory. KMO is an alternative design for virtual memory that can detect illegal data manipulation/writing in the kernel virtual memory. KMO determines kernel virtual memory corruption, inspects system call arguments, and forcibly unmaps the direct mapping area. An evaluation of KMO reveals that it can detect kernel virtual memory corruption that involves defeating a security feature through actual kernel vulnerabilities. In addition, the results indicate that the system call overhead latency ranges from 0.002 µs to 8.246 µs, and the web application benchmark ranges from 39.70 µs to 390.52 µs for each HTTP access, whereas KMO reduces these overheads by using tag-based Translation Lookaside Buffers.
URL: https://global.ieice.org/en_transactions/information/10.1587/transinf.2019ICP0011/_p
@ARTICLE{e103-d_7_1462,
author={Hiroki KUZUNO and Toshihiro YAMAUCHI},
journal={IEICE TRANSACTIONS on Information},
title={Identification of Kernel Memory Corruption Using Kernel Memory Secret Observation Mechanism},
year={2020},
volume={E103-D},
number={7},
pages={1462-1475},
abstract={Countermeasures against attacks targeting an operating system are highly effective in preventing security compromises caused by kernel vulnerability. An adversary uses such attacks to overwrite credential information, thereby overcoming security features through arbitrary program execution. CPU features such as Supervisor Mode Access Prevention, Supervisor Mode Execution Prevention and the No eXecute bit facilitate access permission control and data execution in virtual memory. Additionally, Linux reduces actual attacks through kernel vulnerability affects via several protection methods including Kernel Address Space Layout Randomization, Control Flow Integrity, and Kernel Page Table Isolation. Although the combination of these methods can mitigate attacks as kernel vulnerability relies on the interaction between the user and the kernel modes, kernel virtual memory corruption can still occur (e.g., the eBPF vulnerability allows malicious memory overwriting only in the kernel mode). We present the Kernel Memory Observer (KMO), which has a secret observation mechanism to monitor kernel virtual memory. KMO is an alternative design for virtual memory can detect illegal data manipulation/writing in the kernel virtual memory. KMO determines kernel virtual memory corruption, inspects system call arguments, and forcibly unmaps the direct mapping area. An evaluation of KMO reveals that it can detect kernel virtual memory corruption that contains the defeating security feature through actual kernel vulnerabilities. In addition, the results indicate that the system call overhead latency ranges from 0.002 µs to 8.246 µs, and the web application benchmark ranges from 39.70 µs to 390.52 µs for each HTTP access, whereas KMO reduces these overheads by using tag-based Translation Lookaside Buffers.},
keywords={},
doi={10.1587/transinf.2019ICP0011},
ISSN={1745-1361},
month={July}
}
TY - JOUR
TI - Identification of Kernel Memory Corruption Using Kernel Memory Secret Observation Mechanism
T2 - IEICE TRANSACTIONS on Information
SP - 1462
EP - 1475
AU - Hiroki KUZUNO
AU - Toshihiro YAMAUCHI
PY - 2020
DO - 10.1587/transinf.2019ICP0011
JO - IEICE TRANSACTIONS on Information
SN - 1745-1361
VL - E103-D
IS - 7
JA - IEICE TRANSACTIONS on Information
Y1 - July 2020
AB - Countermeasures against attacks targeting an operating system are highly effective in preventing security compromises caused by kernel vulnerability. An adversary uses such attacks to overwrite credential information, thereby overcoming security features through arbitrary program execution. CPU features such as Supervisor Mode Access Prevention, Supervisor Mode Execution Prevention and the No eXecute bit facilitate access permission control and data execution in virtual memory. Additionally, Linux reduces actual attacks through kernel vulnerability affects via several protection methods including Kernel Address Space Layout Randomization, Control Flow Integrity, and Kernel Page Table Isolation. Although the combination of these methods can mitigate attacks as kernel vulnerability relies on the interaction between the user and the kernel modes, kernel virtual memory corruption can still occur (e.g., the eBPF vulnerability allows malicious memory overwriting only in the kernel mode). We present the Kernel Memory Observer (KMO), which has a secret observation mechanism to monitor kernel virtual memory. KMO is an alternative design for virtual memory can detect illegal data manipulation/writing in the kernel virtual memory. KMO determines kernel virtual memory corruption, inspects system call arguments, and forcibly unmaps the direct mapping area. An evaluation of KMO reveals that it can detect kernel virtual memory corruption that contains the defeating security feature through actual kernel vulnerabilities. In addition, the results indicate that the system call overhead latency ranges from 0.002 µs to 8.246 µs, and the web application benchmark ranges from 39.70 µs to 390.52 µs for each HTTP access, whereas KMO reduces these overheads by using tag-based Translation Lookaside Buffers.
ER -