Proceedings of the 10th international conference on Architectural support for programming languages and operating systems
CIL: Intermediate Language and Tools for Analysis and Transformation of C Programs
CC '02 Proceedings of the 11th International Conference on Compiler Construction
Xen and the art of virtualization
SOSP '03 Proceedings of the nineteenth ACM symposium on Operating systems principles
Terra: a virtual machine-based platform for trusted computing
SOSP '03 Proceedings of the nineteenth ACM symposium on Operating systems principles
Building a MAC-Based Security Architecture for the Xen Open-Source Hypervisor
ACSAC '05 Proceedings of the 21st Annual Computer Security Applications Conference
SubVirt: Implementing malware with virtual machines
SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
A comparison of software and hardware techniques for x86 virtualization
Proceedings of the 12th international conference on Architectural support for programming languages and operating systems
The slab allocator: an object-caching kernel memory allocator
USTC'94 Proceedings of the USENIX Summer 1994 Technical Conference on USENIX Summer 1994 Technical Conference - Volume 1
XFI: software guards for system address spaces
OSDI '06 Proceedings of the 7th USENIX Symposium on Operating Systems Design and Implementation - Volume 7
USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Secure web applications via automatic partitioning
Proceedings of twenty-first ACM SIGOPS symposium on Operating systems principles
SecVisor: a tiny hypervisor to provide lifetime kernel code integrity for commodity OSes
Proceedings of twenty-first ACM SIGOPS symposium on Operating systems principles
Automated detection of persistent kernel control-flow attacks
Proceedings of the 14th ACM conference on Computer and communications security
Stealthy malware detection through vmm-based "out-of-the-box" semantic view reconstruction
Proceedings of the 14th ACM conference on Computer and communications security
VMM-based hidden process detection and identification using Lycosid
Proceedings of the fourth ACM SIGPLAN/SIGOPS international conference on Virtual execution environments
Lares: An Architecture for Secure Active Monitoring Using Virtualization
SP '08 Proceedings of the 2008 IEEE Symposium on Security and Privacy
Guest-Transparent Prevention of Kernel Rootkits with VMM-Based Memory Shadowing
RAID '08 Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection
Tamper-Resistant, Application-Aware Blocking of Malicious Network Connections
RAID '08 Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection
Ether: malware analysis via hardware virtualization extensions
Proceedings of the 15th ACM conference on Computer and communications security
Introduction and overview of the multics system
AFIPS '65 (Fall, part I) Proceedings of the November 30--December 1, 1965, fall joint computer conference, part I
Automatic Inference and Enforcement of Kernel Data Structure Invariants
ACSAC '08 Proceedings of the 2008 Annual Computer Security Applications Conference
Hypervisor support for identifying covertly executing binaries
SS'08 Proceedings of the 17th conference on Security symposium
Fast byte-granularity software fault isolation
Proceedings of the ACM SIGOPS 22nd symposium on Operating systems principles
Countering kernel rootkits with lightweight hook protection
Proceedings of the 16th ACM conference on Computer and communications security
Automatic discovery of parasitic malware
RAID'10 Proceedings of the 13th international conference on Recent advances in intrusion detection
The turtles project: design and implementation of nested virtualization
OSDI'10 Proceedings of the 9th USENIX conference on Operating systems design and implementation
Exploiting hardware advances for software testing and debugging (NIER track)
Proceedings of the 33rd International Conference on Software Engineering
Operating system interface obfuscation and the revealing of hidden operations
DIMVA'11 Proceedings of the 8th international conference on Detection of intrusions and malware, and vulnerability assessment
Adversarial attacks against intrusion detection systems: Taxonomy, solutions and open issues
Information Sciences: an International Journal
Hi-index | 0.00 |
Commodity operating system kernels isolate applications via separate memory address spaces provided by virtual memory management hardware. However, kernel memory is unified and mixes core kernel code with driver components of different provenance. Kernel-level malicious software exploits this lack of isolation between the kernel and its modules by illicitly modifying security-critical kernel data structures. In this paper, we design an access control policy and enforcement system that prevents kernel components with low trust from altering security-critical data used by the kernel to manage its own execution. Our policies are at the granularity of kernel variables and structure elements, and they can protect data structures dynamically allocated at runtime. Our hypervisor-based design uses memory page protection bits as part of its policy enforcement. The granularity difference between page-level protection and variable-level policies challenges the system's ability to remain performant. We develop kernel data-layout partitioning and reorganization techniques to maintain kernel performance in the presence of our protections. We show that our system can prevent malicious modifications to security-critical kernel data with small overhead. By offering protection for critical kernel data structures, we can detect unknown kernel-level malware and guarantee that security utilities relying on the integrity of kernel-level state remain accurate.