Guest-Transparent Instruction Authentication for Self-Patching Kernels

Dannie Stanley Zhui Deng Dongyan Xu Rick Porter Shane Snyder Mon, Oct 29, 2012

Attackers can exploit vulnerable programs that are running with elevated permissions to insert kernel rootkits into a system. Security mechanisms have been created to prevent kernel rootkit implantation by relocating the vulnerable physical system to a guest virtual machine and enforcing a W ⊕ KX memory access control policy from the host virtual machine monitor. Such systems must also be able to identify and authorize the introduction of known-good kernel code. Previous works use cryptographic hashes to verify the integrity of kernel code at load-time. The hash creation and verification procedure depends on immutable kernel code. However, some modern kernels contain self-patching kernel code; they may overwrite executable instructions in memory after load-time. Such dynamic patching may occur for a variety of reason including: CPU optimizations, multiprocessor compatibility adjustments, and advanced debugging. The previous hash verification procedure cannot handle such modifications. We describe the design and implementation of a procedure that verifies the integrity of each modified instruction as it is introduced into the guest kernel. Our experiments with a self-patching Linux guest kernel show that our system can correctly detect and verify all valid instruction modifications and reject all invalid ones. In most cases our patch-level verification procedure incurs only nominal performance impact.

Resources

236 W. Reade Ave., Upland, IN 46989 · 765-998-5162 · cseinfo@cse.taylor.edu
Copyright © 2016 Taylor University Computer Science and Engineering