TY - GEN
T1 - Detecting exploit code execution in loadable kernel modules
AU - Xu, Haizhi
AU - Du, Wenliang
AU - Chapin, Steve J.
N1 - Copyright:
Copyright 2011 Elsevier B.V., All rights reserved.
PY - 2004
Y1 - 2004
AB - In current extensible monolithic operating systems, loadable kernel modules (LKM) have unrestricted access to all portions of kernel memory and I/O space. As a result, kernel-module exploitation can jeopardize the integrity of the entire system. In this paper, we analyze the threat that comes from the implicit trust relationship between the operating system kernel and loadable kernel modules. We then present a specification-directed access monitoring tool, HECK, that detects kernel modules for malicious code execution. Inside the module, HECK prevents code execution on the kernel stack and the data sections; on the boundary, HECK restricts the module's access to only those kernel resources necessary for the module's operation. Our measurements show that our tool incurs 5-23% overhead on some I/O-intensive applications using these modules.
UR - http://www.scopus.com/inward/record.url?scp=21644456634&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=21644456634&partnerID=8YFLogxK
U2 - 10.1109/CSAC.2004.18
DO - 10.1109/CSAC.2004.18
M3 - Conference contribution
AN - SCOPUS:21644456634
SN - 0769522521
T3 - Proceedings - Annual Computer Security Applications Conference, ACSAC
SP - 101
EP - 110
BT - Proceedings - 20th Annual Computer Security Applications Conference, ACSAC 2004
T2 - 20th Annual Computer Security Applications Conference, ACSAC 2004
Y2 - 6 December 2004 through 10 December 2004
ER -