Comprehensive and Efficient Protection of Kernel Control Data

Li, Jinku; Wang, Zhi; Bletsch, Tyler; Srinivasan, Deepa; Grace, Mike; Jiang, Xuxian

doi:10.1109/tifs.2011.2159712

Cited by 32 publications

(10 citation statements)

References 26 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The precise points-to sets can only be determined globally, which makes modularity and dynamic library reuse challenging. This the main reason why this solution works great with monolithic kernels [70] or hypervisors [71], where every module is statically linked together, but has not been deployed for dynamically linked applications. A weaker, but more practical policy is restricting indirect control transfers to the union of all their points-to sets (cf.…”

Section: B Control-flow Integritymentioning

confidence: 99%

SoK: Eternal War in Memory

Szekeres

Payer

Wei

et al. 2013

2013 IEEE Symposium on Security and Privacy

545

343

View full text Add to dashboard Cite

Memory corruption bugs in software written in low-level languages like C or C++ are one of the oldest problems in computer security. The lack of safety in these languages allows attackers to alter the program's behavior or take full control over it by hijacking its control flow. This problem has existed for more than 30 years and a vast number of potential solutions have been proposed, yet memory corruption attacks continue to pose a serious threat. Real world exploits show that all currently deployed protections can be defeated.This paper sheds light on the primary reasons for this by describing attacks that succeed on today's systems. We systematize the current knowledge about various protection techniques by setting up a general model for memory corruption attacks. Using this model we show what policies can stop which attacks. The model identifies weaknesses of currently deployed techniques, as well as other proposed protections enforcing stricter policies.We analyze the reasons why protection mechanisms implementing stricter polices are not deployed. To achieve wide adoption, protection mechanisms must support a multitude of features and must satisfy a host of requirements. Especially important is performance, as experience shows that only solutions whose overhead is in reasonable bounds get deployed.A comparison of different enforceable policies helps designers of new protection mechanisms in finding the balance between effectiveness (security) and efficiency. We identify some open research problems, and provide suggestions on improving the adoption of newer techniques.

show abstract

Section: B Control-flow Integritymentioning

confidence: 99%

SoK: Eternal War in Memory

Szekeres

Payer

Wei

et al. 2013

2013 IEEE Symposium on Security and Privacy

545

343

View full text Add to dashboard Cite

show abstract

“…Like them, we build software counters by inserting increment-trigger instruction before each monitored instruction. SBCFI Petroni and Hicks (2007) and Indexed hook Li et al (2011) present two interesting approaches to protect kernel control flow. Since the attackers usually persistently modify kernel control data to prolong the control of the kernel, SBCFI Petroni and Hicks (2007) checks the kernel control data in interval for the less performance overhead.…”

Section: Protecting Intended Control Flowmentioning

confidence: 99%

“…There is a collection of CFI efforts Abadi et al (2005); Petroni and Hicks (2007); ; Li et al (2011); . However, most of them target to keep known control flow in good integrity, but fail to catch hidden control flow.…”

Section: Introductionmentioning

confidence: 99%

BeCFI: detecting hidden control flow with performance monitoring counters

Shi

Yuan

et al. 2016

IJHPCN

View full text Add to dashboard Cite

Most of existing control flow integrity efforts target keeping intended control flow in good integrity. However, they fail to expose hidden control flow that may be introduced by the execution of rootkits, ROP gadgets, etc. To overcome the challenge, we propose an innovative approach BeCFI to detect hidden control flow based on crossview principle. Since modern processors are capable of observing the execution of all branch instructions, BeCFI obtains the hardware view with the support of performance monitoring counters(PMC). To obtain software view, we build a software-based counters by compiler-patching and binary-overwriting, and monitors the execution of branch instruction with software-based counters. If a control transfer only appears in hardware view, BeCFI considers that it is hidden control transfer. We have developed a prototype system on Intel x86 Linux kernel. Our evaluations show BeCFI is capable of detecting the hidden control flow introduced by kernel rootkits and ROP attacks. Furthermore our performance tests demonstrates that BeCFI incurs an acceptable overhead.

show abstract

“…Furthermore, HookSafe only protects the hooks but not the non-control data. IndexedHooks [51] provides an alternative implementation of CFI for the FreeBSD 8.0 kernel by replacing function addresses with indexes into read-only tables, but IndexedHooks still requires source code.…”

Section: Specialized Integrity Property Measurementmentioning

confidence: 99%

“…IndexedHooks [51] provides an alternative implementation of CFI for the FreeBSD 8.0 kernel by replacing function addresses with indexes into read-only tables, and it is capable of supporting new device drivers. However, similar to SBCFI, IndexedHooks requires source code so it does not satisfy the inclusiveness requirement.…”

Section: False Alarmsmentioning

confidence: 99%

Integrity-Based Kernel Malware Detection

Zhu¹

View full text Add to dashboard Cite

Kernel-level malware is one of the most dangerous threats to the security of users on the Internet, so there is an urgent need for its detection. The most popular detection approach is misuse-based detection. However, it cannot catch up with today's advanced malware that increasingly apply polymorphism and obfuscation. In this thesis, we present our integrity-based detection for kernel-level malware, which does not rely on the specific features of malware.We have developed an integrity analysis system that can derive and monitor integrity properties for commodity operating systems kernels. In our system, we focus on two classes of integrity properties: data invariants and integrity of Kernel Queue (KQ) requests.

show abstract

Comprehensive and Efficient Protection of Kernel Control Data

Cited by 32 publications

References 26 publications

SoK: Eternal War in Memory

SoK: Eternal War in Memory

BeCFI: detecting hidden control flow with performance monitoring counters

Integrity-Based Kernel Malware Detection

Contact Info

Product

Resources

About