In current operating systems such as Linux, all kernel modules, including extensions of unknown provenance, run in a single address space. They are granted the highest privilege and can access arbitrary memory without any limitation. This is the root cause of kernel rootkits, malware that seriously threatens kernel integrity. In this paper, we present Barrier, a lightweight hypervisor designed to enhance the kernel integrity of personal computers by isolating kernel modules. Because the hypervisor targets OS protection on PCs, it omits the virtualization features that general-purpose hypervisors implement in order to run multiple OS instances concurrently on one server. As a result, it is much smaller and much easier to use, especially for non-expert users. Barrier leverages hardware-supported memory virtualization to isolate kernel modules into separate address spaces. Every interaction across address spaces must pass through strict mediation based on predefined MAC rules, which greatly increases the difficulty for an attacker of compromising kernel integrity. We have implemented a prototype of Barrier. Evaluation results show that Barrier protects kernel integrity well without unaffordable performance overhead.
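The mediation step the abstract describes, as an added example that is not code from the Barrier paper: a toy reference monitor in C that places the core kernel and each module in its own protection domain and answers every cross-domain memory access from a default-deny MAC rule table. The domain ids, the guest-physical layout, the rule table and the W^X owner permissions are all assumptions chosen for illustration; a real hypervisor would encode the same policy in EPT/NPT permission bits and take a VM exit on any access that violates it.

```c
/*
 * Toy reference monitor modelling Barrier-style cross-address-space
 * mediation. Added illustration, not the paper's code: domain ids, memory
 * layout, rules and W^X owner permissions are assumptions for the example.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Access kinds, combinable as a bitmask. */
enum perm { PERM_R = 1, PERM_W = 2, PERM_X = 4 };

/* Protection domains; Barrier would back each with its own hardware-virtualised
 * address space, here a domain is just an id. */
enum domain { DOM_KERNEL, DOM_NET_MOD, DOM_UNKNOWN_EXT };

/* A guest-physical region owned by one domain, with the permissions the owner
 * itself holds on it (assumed W^X: code is R|X, data is R|W, so not even the
 * owner may patch its own code). */
struct region {
    const char *name;
    uint64_t start, end;       /* [start, end) */
    enum domain owner;
    unsigned owner_perms;
};

/* A MAC rule granting domain `src` permissions `perms` on another domain's
 * region. Any cross-domain access without a rule is denied (default deny). */
struct rule {
    enum domain src;
    const char *region;
    unsigned perms;
};

/* Constructed layout: core kernel, a trusted network module, an unknown extension. */
static const struct region regions[] = {
    { "kernel.text",    0x01000000, 0x01700000, DOM_KERNEL,      PERM_R | PERM_X },
    { "kernel.exports", 0x01700000, 0x01800000, DOM_KERNEL,      PERM_R | PERM_X },
    { "kernel.data",    0x01800000, 0x02000000, DOM_KERNEL,      PERM_R | PERM_W },
    { "netmod.text",    0x02000000, 0x02100000, DOM_NET_MOD,     PERM_R | PERM_X },
    { "netmod.data",    0x02100000, 0x02200000, DOM_NET_MOD,     PERM_R | PERM_W },
    { "ext.text",       0x02200000, 0x02300000, DOM_UNKNOWN_EXT, PERM_R | PERM_X },
    { "ext.data",       0x02300000, 0x02400000, DOM_UNKNOWN_EXT, PERM_R | PERM_W },
};

/* Constructed policy: modules may call exported kernel entry points, the trusted
 * module may read kernel data, the kernel may call registered module handlers.
 * Nothing grants a module write access to kernel memory or to another module. */
static const struct rule rules[] = {
    { DOM_NET_MOD,     "kernel.exports", PERM_X },
    { DOM_NET_MOD,     "kernel.data",    PERM_R },
    { DOM_UNKNOWN_EXT, "kernel.exports", PERM_X },
    { DOM_KERNEL,      "netmod.text",    PERM_X },
    { DOM_KERNEL,      "ext.text",       PERM_X },
};

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

static const struct region *find_region(uint64_t gpa)
{
    for (size_t i = 0; i < COUNT(regions); i++)
        if (gpa >= regions[i].start && gpa < regions[i].end)
            return &regions[i];
    return NULL;
}

/* Mediation decision: may domain `src` perform access `p` on `gpa`? Unmapped
 * memory is denied, own memory follows the owner permissions, all else needs a rule. */
bool mediate(enum domain src, uint64_t gpa, enum perm p)
{
    const struct region *r = find_region(gpa);
    if (r == NULL)
        return false;
    if (r->owner == src)
        return (r->owner_perms & p) != 0;
    for (size_t i = 0; i < COUNT(rules); i++)
        if (rules[i].src == src && strcmp(rules[i].region, r->name) == 0)
            return (rules[i].perms & p) != 0;
    return false;
}

/* The classic rootkit move: a module overwriting an entry of a kernel
 * function-pointer table that lives in kernel.data. True if the monitor blocks it. */
bool hook_install_blocked(enum domain module, uint64_t table_entry_gpa)
{
    return !mediate(module, table_entry_gpa, PERM_W);
}

int main(void)
{
    struct { const char *what; enum domain d; uint64_t gpa; enum perm p; } tries[] = {
        { "ext calls exported kernel API",  DOM_UNKNOWN_EXT, 0x01700040, PERM_X },
        { "ext writes kernel data (hook)",  DOM_UNKNOWN_EXT, 0x01800100, PERM_W },
        { "ext patches kernel text",        DOM_UNKNOWN_EXT, 0x01000100, PERM_W },
        { "ext reads netmod data",          DOM_UNKNOWN_EXT, 0x02100000, PERM_R },
        { "kernel calls ext handler",       DOM_KERNEL,      0x02200010, PERM_X },
    };
    for (size_t i = 0; i < COUNT(tries); i++)
        printf("%-34s %s\n", tries[i].what,
               mediate(tries[i].d, tries[i].gpa, tries[i].p) ? "allow" : "DENY");
    return 0;
}
```

The point of the model is the shape of the policy rather than the addresses: a module keeps full use of its own data, may only execute the kernel's exported entry points, and has no path to writing kernel code or data, so the hook and code-patching attempts that kernel rootkits rely on are denied while ordinary module-to-kernel calls go through.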