Architectural Supports to Protect OS Kernels from Code-Injection Attacks and Their Applications
-
Published:2017-10-17
Issue:1
Volume:23
Page:1-25
-
ISSN:1084-4309
-
Container-title:ACM Transactions on Design Automation of Electronic Systems
-
language:en
-
Short-container-title:ACM Trans. Des. Autom. Electron. Syst.
Author:
Moon Hyungon1,
Lee Jinyong1,
Hwang Dongil1,
Jung Seonhwa1,
Seo Jiwon1,
Paek Yunheung1
Affiliation:
1. ECE and ISRC, Seoul National University, Gwanak-gu, Seoul, Korea
Abstract
Kernel code injection is a common behavior of kernel-compromising attacks, in which attackers pursue their goals by manipulating an OS kernel. Several security mechanisms have been proposed to mitigate such threats, but they all suffer from non-negligible performance overhead. This article introduces a hardware reference monitor, called Kargos, which can detect kernel code injection attacks at nearly zero performance cost. Kargos monitors the behavior of an OS kernel from outside the CPU through the standard bus interconnect and the debug interface available on most major microprocessors. By watching the execution traces and memory access events of the monitored target system, Kargos uncovers attempts to execute malicious code with kernel privilege. On top of this, we also apply the architectural supports for Kargos to the detection of ROP attacks: KS-Stack is the hardware component that builds and maintains shadow stacks using the existing supports to detect these ROP attacks. According to our experiments, Kargos detected all the kernel code injection attacks that we tested while increasing the computational load on the target CPU by less than 1% on average. The performance overhead of KS-Stack was also less than 1%.
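As an added illustration, not code from the paper or its authors, the following C program models in software the two checks the abstract describes: a Kargos-style rule that kernel-privileged control transfers must land inside the immutable kernel text (and that kernel text is never written), and a KS-Stack-style shadow stack that pairs call events with return events. The event record, the kernel text bounds, the scenario addresses and the event streams are all constructed assumptions; the real monitor consumes hardware trace packets and bus transactions rather than a C array, and the real definition of "legitimate kernel code" is whatever the paper's hardware derives from the target system, not a fixed window.

```c
/* Added example, not the paper's own code: a software model of the checks
 * the abstract attributes to Kargos (kernel-privileged execution must stay
 * inside immutable kernel text) and KS-Stack (a shadow stack over call and
 * return events). Event format, address ranges and event streams below are
 * constructed assumptions for illustration only. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum ev_kind { EV_EXEC, EV_WRITE, EV_CALL, EV_RET };
enum verdict { V_OK = 0, V_CODE_INJECT, V_TEXT_WRITE, V_ROP, V_SHADOW_FULL };

struct event {
    enum ev_kind kind;
    bool kernel_mode;  /* privilege level reported with the trace packet */
    uint32_t addr;     /* EXEC/CALL: branch target; WRITE: target; RET: return target */
    uint32_t ret_addr; /* CALL only: the address the callee must return to */
};

/* Assumed (hypothetical) bounds of the kernel's text segment. */
#define KTEXT_START 0x80008000u
#define KTEXT_END   0x80400000u
#define SHADOW_DEPTH 64

struct monitor {
    uint32_t shadow[SHADOW_DEPTH];
    int sp;
};

static bool in_ktext(uint32_t a) { return a >= KTEXT_START && a < KTEXT_END; }

/* Examine one event; returns V_OK or the reason it was flagged. */
enum verdict monitor_step(struct monitor *m, const struct event *e)
{
    switch (e->kind) {
    case EV_WRITE:
        /* Kernel text is never legitimately rewritten after boot. */
        return in_ktext(e->addr) ? V_TEXT_WRITE : V_OK;
    case EV_EXEC:
        /* Kernel-privileged control transfer to anything but kernel text. */
        return (e->kernel_mode && !in_ktext(e->addr)) ? V_CODE_INJECT : V_OK;
    case EV_CALL:
        if (e->kernel_mode && !in_ktext(e->addr)) return V_CODE_INJECT;
        if (m->sp >= SHADOW_DEPTH) return V_SHADOW_FULL;
        m->shadow[m->sp++] = e->ret_addr;  /* remember where this call must return */
        return V_OK;
    case EV_RET:
        /* A return that does not match the shadow stack top looks like a gadget chain. */
        if (m->sp == 0) return V_ROP;
        return (m->shadow[--m->sp] == e->addr) ? V_OK : V_ROP;
    }
    return V_OK;
}

/* Feed a stream; returns the first non-OK verdict (index in *at), or V_OK. */
enum verdict run_stream(const struct event *evs, size_t n, size_t *at)
{
    struct monitor m = { .sp = 0 };
    for (size_t i = 0; i < n; i++) {
        enum verdict v = monitor_step(&m, &evs[i]);
        if (v != V_OK) { if (at) *at = i; return v; }
    }
    if (at) *at = n;
    return V_OK;
}

/* Constructed scenarios; all addresses are made up. */
enum verdict scenario_benign(void)
{
    static const struct event evs[] = {
        { EV_CALL,  true,  0x80010000u, 0x80008120u },
        { EV_WRITE, true,  0x81000000u, 0 },   /* kernel data page, allowed */
        { EV_RET,   true,  0x80008120u, 0 },   /* matches the shadow entry */
        { EV_EXEC,  false, 0x00010000u, 0 },   /* user mode, outside the policy */
    };
    return run_stream(evs, sizeof evs / sizeof evs[0], NULL);
}

enum verdict scenario_injection(void)
{
    /* Shellcode written to a data page, then executed with kernel privilege. */
    static const struct event evs[] = {
        { EV_WRITE, true, 0x81200000u, 0 },
        { EV_EXEC,  true, 0x81200000u, 0 },
    };
    return run_stream(evs, 2, NULL);
}

enum verdict scenario_rop(void)
{
    /* Corrupted saved return address: the ret lands on a gadget, not the caller. */
    static const struct event evs[] = {
        { EV_CALL, true, 0x80010000u, 0x80008120u },
        { EV_RET,  true, 0x80020004u, 0 },
    };
    return run_stream(evs, 2, NULL);
}

int main(void)
{
    printf("benign=%d injection=%d rop=%d\n",
           scenario_benign(), scenario_injection(), scenario_rop());
    return 0;
}
```

The write check and the execute check are deliberately independent: the write into the data page in the injection scenario is not itself an alarm, because kernels write data constantly; the alarm fires on the kernel-mode branch into a region that is not kernel text. The shadow stack has a fixed depth, which a hardware implementation must also bound, so an overflow is reported rather than silently dropping entries.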
Funder
Korea government
National Research Foundation of Korea
Institute for Information & communications Technology Promotion
Development on the SW/HW modules of Processor Monitor for System Intrusion Detection
MSIP (Ministry of Science, ICT and Future Planning), Korea
Cloud based Security Intelligence Technology Development for the Customized Security Service Provisioning
IIT
ITR
Publisher
Association for Computing Machinery (ACM)
Subject
Electrical and Electronic Engineering,Computer Graphics and Computer-Aided Design,Computer Science Applications
Cited by
3 articles.