期刊文献+

OPKH: A Lightweight Online Approach to Protecting Kernel Hooks in Kernel Modules

OPKH:轻量级在线保护内核模块中内核钩子的方法(英文)
下载PDF
导出
摘要 Kernel hooks are very important con- trol data in OS kernel. Once these data are com- promised by attackers, they can change the control flow of OS kemel's execution. Previ- ous solutions suffer from limitations in that: 1) some methods require modifying the source code of OS kernel and kernel modules, which is less practical for wide deployment; 2) other methods cannot well protect the kernel hooks and function return addresses inside kernel mo- dules whose memory locations cannot be pre- determined. To address these problems, we propose OPKH, an on-the-fly hook protection system based on the virtualization technology. Compared with previous solutions, OPKH off- ers the protected OS a fully transparent envi- ronment and an easy deployment. In general, the working procedure of OPKH can be di- vided into two steps. First, we utilise the me- mory virtualization for offiine profiling so that the dynamic hooks can be identified. Second, we exploit the online patching technique to in- strument the hooks for run-time protection. The experiments show that our system can pro- tect the dynamic hooks effectively with mini- mal performance overhead. Kernel hooks are very important control data in OS kernel.Once these data are compromised by attackers,they can change the control flow of OS kernel’s execution.Previous solutions suffer from limitations in that:1)some methods require modifying the source code of OS kernel and kernel modules,which is less practical for wide deployment;2)other methods cannot well protect the kernel hooks and function return addresses inside kernel modules whose memory locations cannot be predetermined.To address these problems,we propose OPKH,an on-the-fly hook protection system based on the virtualization technology.Compared with previous solutions,OPKH offers the protected OS a fully transparent environment and an easy deployment.In general,the working procedure of OPKH can be divided into two steps.First,we utilise the memory virtualization for offline profiling so that the dynamic hooks can be identified.Second,we exploit the online patching technique to instrument the hooks for run-time protection.The experiments show that our system can protect the dynamic hooks effectively with minimal performance overhead.
出处 《China Communications》 SCIE CSCD 2013年第11期15-23,共9页 中国通信(英文版)
基金 supported in part by the National High Technology Research and Development Program of China(863 Program)under Grant No.2009AA01Z433 the Project of National Ministry under Grant No.A21201-10006 the Open Foundation of State Key Laboratory of Information Security(Institute of Information Engineering,Chinese Academy of Sciences)under Grant No.2013-4-1
关键词 kernel hook virtualization tech-nology online patching 内核模块 保护系统 挂钩 操作系统内核 线方法 轻量级 虚拟化技术 控制数据
  • 相关文献

参考文献17

  • 1Attacking the Core: Kernel Exploiting Notes [EB/Oll. [2013-9-5]. http://phrack.org/issues. html?issue=64&id=6.
  • 2PAYNE B D, CARBONE M, lEE W, et al. Secure and Flexible Monitoring of Virtual Machines [C]// Proceedings of the 23rd Annual Computer Security Applications Conference (ACSAC 2007): December 10-14, 2007. Miami Beach, Fl, USA, 2007: 385-397.
  • 3WANG Zhi, JIANG Xuxian, CUI Weidong, et al. Countering Kernel Rootkits with lightweight Hook Protection[C]// Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS): November 9-13, 2009. Chicago, IL, USA, 2009: 545-554.
  • 4BOVET D, CESATI M. Understanding the Linux Kernel[M]. 3rd ed. Sebastopol, CA, USA: O'Reilly & Associates Inc., 2005.
  • 5INTEL COPERATION. Intel 64 and IA-32 Architectures Software[EB/OL]. [2013-9-5]. http:// www.intel.com/Assets/PDF/manuaIi253669.pdf.
  • 6PAYNE B D, CARBONE M, SHARIF M, et aL. Lares: An Architecture for Secure Active Monitoring Using Virtualization[C]// Proceedings of the 2008 IEEE Symposium on Security and Privacy (SP 2008): May 18-22, 2008. Oakland, CA, USA, 2008: 233-247.
  • 7SHARIF M, LEE Wenke, CUI Weidong, et aL. Secure in-VM Monitoring Using Hardware Virtualization[C]// Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS): November 9-13,2009. Chicago, IL, USA, 2009: 477-487.
  • 8PETRONI JR N L, HICKS M. Automated Detection of Persistent Kernel Control-Flow Attacks[C]// Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS'07): October 29-November 2, 2007. Alexandria, VA, USA, 2007: 103-115.
  • 9HOFMANN 0 S, DUNN A M, KIM S, et aL. Ensuring Operating System Kernel Integrity with OSck[C]// Proceedings of International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS): March 5-11, 2011. Newport Beach, CA, USA, 2011: 279-290.
  • 10TIAN Donghai, ZENG Qiang, WU Dinghao, et aL. Kruiser: Semi-Synchronized Non-blocking Concurrent Kernel Heap Buffer Overflow Monitoring[C]// Proceedings of the 19th Annual Network & Distributed System Security Symposium (NDSS): February 5-8, 2012. San Diego, CA, USA, 2012.

二级参考文献29

  • 1DAVI L, DMITRIENKO A, EGELE M, et al. MoCFI: A Framework to Mitigate Control-Flow Attacks on Smartphones[C]// Proceedings of the 19th Network and Distributed System Security Symposium: February 5-8, 2012, San Diego, California.
  • 2HOFMANN O, DUNN A, KIM S, et al. Ensuring Operating System Kemel Integrity with OSck[C]// Proceeding of the 16th International Conference on Architectural Support for Programming Languages and Operating Systems: March 5- 11,2011, Newport Beach, CA, USA. ACM Press, 2011 : 279- 290.
  • 3WANG Zhi, JIANG Xuanxian, CUI Weidong, et al. Countering Kernel Rootkits with Lightweight Hook Protection [C]//Proceedings of the 16th ACM Conference on Computer and Communications Security: November 9-13, 2009, Chicago, Illinois, USA. ACM Press, 2009: 545-554.
  • 4LI Jinku, WANG Zhi, BLETSCH T, et al. Corrprehensive and Efficient Protection of Kemel Control Data[J]. IEEE Transactions on Information Forensics and Security, 2011, 6(4): 1404-1417.
  • 5lntel. IA-32 Intel Architecture Software Developer's Manual Volume 3B: System Programming Guide [EB/OL]. http://www. intel.com/content/www/us/en/processors/architectures-software-developer-manuals.html, 2011.
  • 6UnixBench [EB/OL]. http://ftp.tux.org/pub/benchmarks/system/unixbench, 2012.
  • 7SFSHADRI A, LUK M, QU Ning, et al. SecVisor: A Tiny Hypervisor to Provide Lifetime Kernel Code Integrity for Commodity OSes [C]// Proceedings of the 21st Symposium on Operating Systems Principles: October 14-17, 2007, Stevenson, Washington, USA. ACM Press, 335-350.
  • 8RILEY R, JIANG Xuxian, XU Dongyan. Guest-Transparent Prevention of Kernel Rootkits with VMM-Based Memory Shadowing[C]//Proceedings of 1 lth Proceedings of the l lth Recent Advances in Intrusion Detection: Sepetember 15-17, 2008, Cambridge, MA, USA. Springer-Verlag, 2008: 1-20.
  • 9PETRONI N, HICKS M. Automated Detection of Persistent Kernel Control-Flow Attacks [C]// Proceedings of the 14th ACM Conference on Computer and Communications Security: October 29-November 2, 2007, Alelxandria, VA, USA. ACM Press, 103-115.
  • 10WANG Zhi, JIANG Xuxian, CUI Weidong, et al. Countering Persistent Kernel Rootldts Through Systematic Hook Discovery[C]// Proceedings of the l lth Recent Advances in Intrusion Detection: September 15-17, 2008, MIT, Cambridge, Massachusetts, USA. Springer-Verlag, 2008: 21-38.

共引文献2

相关作者

内容加载中请稍等...

相关机构

内容加载中请稍等...

相关主题

内容加载中请稍等...

浏览历史

内容加载中请稍等...
;
使用帮助 返回顶部