Using a Hypervisor to Migrate Running Operating Systems to Secure Virtual Machines

  • Authors: Tsutomu Nomoto; Yoshihiro Oyama; Hideki Eiraku; Takahiro Shinagawa; Kazuhiko Kato
  • Venue: COMPSAC '10 Proceedings of the 2010 IEEE 34th Annual Computer Software and Applications Conference
  • Year: 2010

Abstract

We propose HyperShield, which is a hypervisor that can be inserted into and removed from a running operating system, for improving security. While many existing security-oriented hypervisors require modifying or rebooting an overlying operating system, HyperShield does not require this. HyperShield is intended to be a general framework for various security mechanisms. The current implementation provides two mechanisms for preventing kernel-level buffer overflow. One detects the execution of user code with the kernel privilege, and the other detects malicious modification of a return address in a control stack. HyperShield is implemented on Linux as a loadable kernel module. When the module is inserted, it places itself under the operating system and executes as a hypervisor. The operating system is migrated into a virtual machine and managed by the hypervisor. HyperShield detects attacks by combining virtualization of memory management with a hardware-assisted execution-bit feature. We have confirmed through experiments that HyperShield successfully prevented kernel-level buffer overflow attacks.