In traditional framework,mandatory access control(MAC) system and malicious software are run in kernel mode. Malicious software can stop MAC systems to be started and make it do invalid. This problem cannot be solved ...In traditional framework,mandatory access control(MAC) system and malicious software are run in kernel mode. Malicious software can stop MAC systems to be started and make it do invalid. This problem cannot be solved under the traditional framework if the operating system(OS) is comprised since malwares are running in ring 0 level. In this paper,we propose a novel way to use hypervisors to protect kernel integrity and the access control system in commodity operating systems. We separate the access control system into three parts: policy management(PM),security server(SS) and policy enforcement(PE). Policy management and the security server reside in the security domain to protect them against malware and the isolation feather of the hypervisor can protect them from attacks. We add an access vector cache(AVC) between SS and PE in the guest OS,in order to speed up communication between the guest OS and the security domain. The policy enforcement module is retained in the guest OS for performance. The security of AVC and PE can be ensured by using a memory protection mechanism. The goal of protecting the OS kernel is to ensure the security of the execution path. We implementthe system by a modified Xen hypervisor. The result shows that we can secure the security of the access control system in the guest OS with no overhead compared with modules in the latter. Our system offers a centralized security policy for virtual domains in virtual machine environments.Keywords: hypervisor; virtualization; memo-展开更多
Kernel hooks are very important con- trol data in OS kernel. Once these data are com- promised by attackers, they can change the control flow of OS kemel's execution. Previ- ous solutions suffer from limitations in t...Kernel hooks are very important con- trol data in OS kernel. Once these data are com- promised by attackers, they can change the control flow of OS kemel's execution. Previ- ous solutions suffer from limitations in that: 1) some methods require modifying the source code of OS kernel and kernel modules, which is less practical for wide deployment; 2) other methods cannot well protect the kernel hooks and function return addresses inside kernel mo- dules whose memory locations cannot be pre- determined. To address these problems, we propose OPKH, an on-the-fly hook protection system based on the virtualization technology. Compared with previous solutions, OPKH off- ers the protected OS a fully transparent envi- ronment and an easy deployment. In general, the working procedure of OPKH can be di- vided into two steps. First, we utilise the me- mory virtualization for offiine profiling so that the dynamic hooks can be identified. Second, we exploit the online patching technique to in- strument the hooks for run-time protection. The experiments show that our system can pro- tect the dynamic hooks effectively with mini- mal performance overhead.展开更多
Heap overflow attack is one of the major memory corruption attacks that have become prevalent for decades. To defeat this attack,many protection methods are proposed in recent years. However,most of these existing met...Heap overflow attack is one of the major memory corruption attacks that have become prevalent for decades. To defeat this attack,many protection methods are proposed in recent years. However,most of these existing methods focus on user-level heap overflow detection. Only a few methods are proposed for kernel heap protection. Moreover,all these kernel protection methods need modifying the existing OS kernel so that they may not be adopted in practice. To address this problem,we propose a lightweight virtualization-based solution that can protect the kernel heap buffers allocated for the target kernel modules. The key idea of our approach is to combine the static binary analysis and virtualization technology to trap a memory allocation operation of the target kernel module,and then add one secure canary word to the end of the allocated buffer. After that,a monitor process is launched to check the integrity of the canaries. The evaluations show that our system can detect kernel heap overflow attacks effectively with minimal performance cost.展开更多
基金supported by the National 973 Basic Research Program of China under grant No.2014CB340600the National Natural Science Foundation of China under grant No.61370230 and No.61662022+1 种基金Program for New Century Excellent Talents in University Under grant NCET-13-0241Natural Science Foundation of Huhei Province under Grant No.2016CFB371
文摘In traditional framework,mandatory access control(MAC) system and malicious software are run in kernel mode. Malicious software can stop MAC systems to be started and make it do invalid. This problem cannot be solved under the traditional framework if the operating system(OS) is comprised since malwares are running in ring 0 level. In this paper,we propose a novel way to use hypervisors to protect kernel integrity and the access control system in commodity operating systems. We separate the access control system into three parts: policy management(PM),security server(SS) and policy enforcement(PE). Policy management and the security server reside in the security domain to protect them against malware and the isolation feather of the hypervisor can protect them from attacks. We add an access vector cache(AVC) between SS and PE in the guest OS,in order to speed up communication between the guest OS and the security domain. The policy enforcement module is retained in the guest OS for performance. The security of AVC and PE can be ensured by using a memory protection mechanism. The goal of protecting the OS kernel is to ensure the security of the execution path. We implementthe system by a modified Xen hypervisor. The result shows that we can secure the security of the access control system in the guest OS with no overhead compared with modules in the latter. Our system offers a centralized security policy for virtual domains in virtual machine environments.Keywords: hypervisor; virtualization; memo-
基金supported in part by the National High Technology Research and Development Program of China(863 Program)under Grant No.2009AA01Z433the Project of National Ministry under Grant No.A21201-10006the Open Foundation of State Key Laboratory of Information Security(Institute of Information Engineering,Chinese Academy of Sciences)under Grant No.2013-4-1
文摘Kernel hooks are very important con- trol data in OS kernel. Once these data are com- promised by attackers, they can change the control flow of OS kemel's execution. Previ- ous solutions suffer from limitations in that: 1) some methods require modifying the source code of OS kernel and kernel modules, which is less practical for wide deployment; 2) other methods cannot well protect the kernel hooks and function return addresses inside kernel mo- dules whose memory locations cannot be pre- determined. To address these problems, we propose OPKH, an on-the-fly hook protection system based on the virtualization technology. Compared with previous solutions, OPKH off- ers the protected OS a fully transparent envi- ronment and an easy deployment. In general, the working procedure of OPKH can be di- vided into two steps. First, we utilise the me- mory virtualization for offiine profiling so that the dynamic hooks can be identified. Second, we exploit the online patching technique to in- strument the hooks for run-time protection. The experiments show that our system can pro- tect the dynamic hooks effectively with mini- mal performance overhead.
基金supported in part by National Natural Science Foundation of China (NSFC) under Grant No.61602035the National Key Research and Development Program of China under Grant No.2016YFB0800700+1 种基金the Opening Project of Shanghai Key Laboratory of Integrated Administration Technologies for Information SecurityOpen Found of Key Laboratory of IOT Application Technology of Universities in Yunnan Province under Grant No.2015IOT03
文摘Heap overflow attack is one of the major memory corruption attacks that have become prevalent for decades. To defeat this attack,many protection methods are proposed in recent years. However,most of these existing methods focus on user-level heap overflow detection. Only a few methods are proposed for kernel heap protection. Moreover,all these kernel protection methods need modifying the existing OS kernel so that they may not be adopted in practice. To address this problem,we propose a lightweight virtualization-based solution that can protect the kernel heap buffers allocated for the target kernel modules. The key idea of our approach is to combine the static binary analysis and virtualization technology to trap a memory allocation operation of the target kernel module,and then add one secure canary word to the end of the allocated buffer. After that,a monitor process is launched to check the integrity of the canaries. The evaluations show that our system can detect kernel heap overflow attacks effectively with minimal performance cost.
