Journal of Information Processing
Online ISSN : 1882-6652
ISSN-L : 1882-6652
Prevention of Kernel Memory Corruption Using Kernel Page Restriction Mechanism
Hiroki Kuzuno, Toshihiro Yamauchi

2022 Volume 30 Pages 563-576

Abstract

An adversary's user process can compromise the security of the operating system (OS) kernel: invoking vulnerable kernel code from that process can cause kernel memory corruption, and the vulnerable code may overwrite kernel data that holds the privilege information of user processes or that backs security features (e.g., mandatory access control). As a means of kernel protection, OS researchers have proposed the multiple kernel address space approach, which partitions the kernel address space to protect kernel memory from corruption (e.g., process-local memory and system call isolation). In these previous approaches, however, the vulnerable kernel code and the kernel data targeted by the attack still reside in the same kernel memory. Consequently, an adversary need only reach the latest vulnerable kernel code, which serves as the starting point of the kernel attack process. To prevent such subversion attacks, this paper proposes the kernel page restriction mechanism (KPRM), an alternative design and method for obviating kernel memory corruption. The objective of KPRM is to prohibit the execution of vulnerable kernel code and to prevent writes to kernel data on behalf of an adversary's user process. KPRM unmaps the pages holding vulnerable kernel code or sensitive kernel data from that process's view of the kernel, so a kernel vulnerability cannot be exploited through it: the adversary's user process is obstructed from executing the vulnerable kernel code and from overwriting kernel data on the running kernel. Evaluation results show that KPRM successfully prevents actual proof-of-concept attacks on vulnerable kernel code that would otherwise result in kernel memory corruption. Moreover, the KPRM implementations show a maximum system call latency of 0.703µs, an overhead of 1.188% to 4.093% for 100,000 Hypertext Transfer Protocol (HTTP) downloads via a web client program, and acceptable overheads of 2.459% and 2.193% for kernel compile time.
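The following C program is an added toy model of the per-process page restriction the abstract describes; it is not the paper's implementation and makes no claim about how KPRM modifies Linux page tables. It assumes a small kernel address space of eight pages with hypothetical page roles (syscall entry, a vulnerable code page, a credential data page, an unrelated code page) and simulates the MMU check that a restricted view would produce: for the adversary's process the vulnerable code page and the credential page are not present at all, so both execution and writes fault, while the same view still permits the system call path through the unaffected code page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of a per-process view of the kernel address space.
 * Constructed for illustration; page indices and roles are hypothetical. */
#define NPAGES 8

enum { PTE_PRESENT = 1, PTE_WRITE = 2, PTE_EXEC = 4 };

enum {
    PAGE_SYSCALL_ENTRY = 0,  /* entry code every system call runs through */
    PAGE_VULN_CODE     = 1,  /* handler with a known vulnerability */
    PAGE_CRED_DATA     = 2,  /* process privilege information */
    PAGE_OTHER_CODE    = 3   /* unrelated, benign handler */
};

typedef struct { uint8_t flags[NPAGES]; } kernel_view;

typedef enum { ACCESS_OK = 0, ACCESS_FAULT = 1 } access_result;

/* Baseline view shared by ordinary processes: code executable, data writable. */
void kernel_view_init(kernel_view *v) {
    memset(v, 0, sizeof *v);
    v->flags[PAGE_SYSCALL_ENTRY] = PTE_PRESENT | PTE_EXEC;
    v->flags[PAGE_VULN_CODE]     = PTE_PRESENT | PTE_EXEC;
    v->flags[PAGE_OTHER_CODE]    = PTE_PRESENT | PTE_EXEC;
    v->flags[PAGE_CRED_DATA]     = PTE_PRESENT | PTE_WRITE;
}

/* KPRM-style restriction: the listed pages are unmapped (not merely made
 * read-only or non-executable) in this process's view of the kernel. */
void kprm_restrict(kernel_view *v, const int *pages, int n) {
    for (int i = 0; i < n; i++)
        if (pages[i] >= 0 && pages[i] < NPAGES)
            v->flags[pages[i]] = 0;
}

/* Simulated MMU check for a kernel access made on behalf of this process:
 * fault if the page is absent from the view or lacks the needed permission. */
access_result kernel_access(const kernel_view *v, int page, int need) {
    if (page < 0 || page >= NPAGES) return ACCESS_FAULT;
    uint8_t f = v->flags[page];
    if (!(f & PTE_PRESENT)) return ACCESS_FAULT;
    if ((f & need) != need) return ACCESS_FAULT;
    return ACCESS_OK;
}

/* Simulated system call: run the entry code, then the chosen handler page. */
access_result run_syscall(const kernel_view *v, int handler_page) {
    if (kernel_access(v, PAGE_SYSCALL_ENTRY, PTE_EXEC) != ACCESS_OK) return ACCESS_FAULT;
    return kernel_access(v, handler_page, PTE_EXEC);
}

/* Simulated attempt by kernel code to write the credential page. */
access_result write_creds(const kernel_view *v) {
    return kernel_access(v, PAGE_CRED_DATA, PTE_WRITE);
}

int main(void) {
    kernel_view normal, restricted;
    kernel_view_init(&normal);
    kernel_view_init(&restricted);

    const int unmap[] = { PAGE_VULN_CODE, PAGE_CRED_DATA };
    kprm_restrict(&restricted, unmap, 2);

    printf("normal: vuln handler %s, benign handler %s, cred write %s\n",
           run_syscall(&normal, PAGE_VULN_CODE) == ACCESS_OK ? "ok" : "fault",
           run_syscall(&normal, PAGE_OTHER_CODE) == ACCESS_OK ? "ok" : "fault",
           write_creds(&normal) == ACCESS_OK ? "ok" : "fault");
    printf("restricted: vuln handler %s, benign handler %s, cred write %s\n",
           run_syscall(&restricted, PAGE_VULN_CODE) == ACCESS_OK ? "ok" : "fault",
           run_syscall(&restricted, PAGE_OTHER_CODE) == ACCESS_OK ? "ok" : "fault",
           write_creds(&restricted) == ACCESS_OK ? "ok" : "fault");
    return 0;
}
```

The point the model makes is the one the abstract draws against earlier partitioning schemes: because the restricted view removes the mapping rather than sharing the page with reduced permissions, neither the vulnerable code nor the data it would corrupt exists in the adversary process's kernel address space, while unaffected system calls keep working.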

© 2022 by the Information Processing Society of Japan