Detecting exploit code execution in loadable kernel modules

Haizhi Xu, Wenliang Du, Steve J. Chapin

Research output: Chapter in Book/Entry/Poem › Conference contribution

3 Scopus citations

Abstract

In current extensible monolithic operating systems, loadable kernel modules (LKMs) have unrestricted access to all of kernel memory and I/O space. As a result, exploitation of a kernel module can jeopardize the integrity of the entire system. In this paper, we analyze the threat that arises from the implicit trust relationship between the operating system kernel and loadable kernel modules. We then present HECK, a specification-directed access-monitoring tool that detects malicious code execution in kernel modules. Inside the module, HECK prevents code execution on the kernel stack and in the data sections; at the module boundary, HECK restricts the module's access to only those kernel resources necessary for its operation. Our measurements show that the tool incurs 5-23% overhead on some I/O-intensive applications that use these modules.
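The abstract describes two enforcement points: inside the module, only the module's code section may be executed (never its stack or data), and at the boundary, only kernel resources named in a per-module specification may be referenced. The following is an added illustration of that policy structure, not HECK's own code; the section layout, addresses, symbol names and event trace are all constructed for the example, and a real monitor would obtain them from the loaded module image and from runtime instrumentation rather than from static tables.

```c
/*
 * Added illustration (not HECK's code): a minimal model of the two checks
 * the abstract describes. The section layout, addresses, allowed-symbol
 * specification and event trace below are constructed for this example.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A memory region belonging to the monitored module. */
struct region {
    const char *name;
    uintptr_t start, end;   /* half-open range [start, end) */
    bool executable;        /* only .text may be executed */
};

/* Hypothetical layout of a loaded module, including the kernel stack it runs on. */
static const struct region module_layout[] = {
    { ".text",  0x1000, 0x2000, true  },
    { ".data",  0x2000, 0x3000, false },
    { ".bss",   0x3000, 0x3400, false },
    { "kstack", 0x7000, 0x8000, false },
};
#define N_REGIONS (sizeof module_layout / sizeof module_layout[0])

/* Hypothetical specification: kernel resources this module may reference. */
static const char *const allowed_symbols[] = {
    "kmalloc", "kfree", "register_chrdev", "unregister_chrdev", "copy_to_user",
};
#define N_ALLOWED (sizeof allowed_symbols / sizeof allowed_symbols[0])

/* Inside-the-module check: is a control transfer to `target` legal?
 * Only the executable section qualifies; stack, data and unknown addresses fail. */
bool heck_exec_allowed(uintptr_t target)
{
    for (size_t i = 0; i < N_REGIONS; i++) {
        const struct region *r = &module_layout[i];
        if (target >= r->start && target < r->end)
            return r->executable;
    }
    return false; /* not inside the module at all: not the module's code */
}

/* Boundary check: may the module reference kernel symbol `sym`? */
bool heck_resource_allowed(const char *sym)
{
    for (size_t i = 0; i < N_ALLOWED; i++)
        if (strcmp(sym, allowed_symbols[i]) == 0)
            return true;
    return false;
}

enum event_kind { EV_EXEC, EV_RESOURCE };

struct event {
    enum event_kind kind;
    uintptr_t target;   /* EV_EXEC: control-transfer target */
    const char *sym;    /* EV_RESOURCE: kernel symbol referenced */
};

/* Run both checks over a trace of module events; returns the violation count. */
int heck_monitor(const struct event *trace, size_t n, bool verbose)
{
    int violations = 0;
    for (size_t i = 0; i < n; i++) {
        const struct event *e = &trace[i];
        bool ok = (e->kind == EV_EXEC) ? heck_exec_allowed(e->target)
                                       : heck_resource_allowed(e->sym);
        if (!ok)
            violations++;
        if (verbose) {
            if (e->kind == EV_EXEC)
                printf("%-4s exec   -> 0x%lx\n", ok ? "ok" : "DENY",
                       (unsigned long)e->target);
            else
                printf("%-4s access -> %s\n", ok ? "ok" : "DENY", e->sym);
        }
    }
    return violations;
}

/* Constructed trace: benign driver activity, then the kinds of behaviour the
 * monitor is meant to catch (executing data, executing the stack, touching an
 * unlisted kernel resource). */
static const struct event sample_trace[] = {
    { EV_EXEC,     0x1040, NULL },             /* call within .text */
    { EV_RESOURCE, 0,      "kmalloc" },        /* listed kernel API */
    { EV_RESOURCE, 0,      "register_chrdev" },
    { EV_EXEC,     0x2100, NULL },             /* jump into a .data buffer */
    { EV_EXEC,     0x7f00, NULL },             /* return into the kernel stack */
    { EV_RESOURCE, 0,      "sys_call_table" }, /* not in the specification */
};
#define N_SAMPLE (sizeof sample_trace / sizeof sample_trace[0])

int heck_sample_violations(void)
{
    return heck_monitor(sample_trace, N_SAMPLE, false);
}

int main(void)
{
    int v = heck_monitor(sample_trace, N_SAMPLE, true);
    printf("%d violation(s) in %zu events\n", v, N_SAMPLE);
    return 0;
}
```

The three denied events in the trace correspond one-to-one to the abstract's claims: execution in a data section, execution on the kernel stack, and a boundary access to a kernel resource the specification does not grant. The allowlist is deliberately per-module, since a driver that needs `register_chrdev` has no reason to reach `sys_call_table`.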

Original language: English (US)
Title of host publication: Proceedings - 20th Annual Computer Security Applications Conference, ACSAC 2004
Pages: 101-110
Number of pages: 10
DOIs
State: Published - 2004
Event: 20th Annual Computer Security Applications Conference, ACSAC 2004 - Tucson, AZ, United States
Duration: Dec 6 2004 to Dec 10 2004

Publication series

Name: Proceedings - Annual Computer Security Applications Conference, ACSAC
ISSN (Print): 1063-9527

Other

Other: 20th Annual Computer Security Applications Conference, ACSAC 2004
Country/Territory: United States
City: Tucson, AZ
Period: 12/6/04 to 12/10/04

ASJC Scopus subject areas

  • Software
  • General Engineering
