Semi-Synchronized Non-Blocking Concurrent Kernel Cruising

Kernel heap buffer overflow vulnerabilities have been exposed for decades, but there are few practical countermeasures that can be applied to OS kernels. Previous solutions either suffer from high performance overhead or compatibility problems with mainstream kernels and hardware. In this article, w...

Full description

Saved in:
Bibliographic Details
Published in:IEEE transactions on cloud computing 2022-04, Vol.10 (2), p.1428-1444
Main Authors: Tian, Donghai, Zeng, Qiang, Wu, Dinghao, Liu, Peng, Hu, Changzhen
Format: Article
Language:English
Subjects:
Algorithms
Buffers
Cloud computing
Computer architecture
concurrent monitoring
Data structures
heap buffer overflow
Kernel
Kernels
Memory management
Monitoring
non-blocking
Overflow
Security
semi-synchronized
Slabs
Synchronism
Virtualization
Citations: Items that this one cites
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:Kernel heap buffer overflow vulnerabilities have been exposed for decades, but there are few practical countermeasures that can be applied to OS kernels. Previous solutions either suffer from high performance overhead or compatibility problems with mainstream kernels and hardware. In this article, we present Kruiser , a concurrent kernel heap buffer overflow monitor. Unlike conventional methods, the security enforcement of which is usually inlined into the kernel execution, Kruiser migrates security enforcement from the kernel's normal execution to a concurrent monitor process, leveraging the increasingly popular multi-core architectures. To reduce the synchronization overhead between the monitor process and the running kernel, we design a novel semi-synchronized non-blocking monitoring algorithm, which enables efficient runtime detection on live memory without incurring false positives. To prevent the monitor process from being tampered and provide guaranteed performance isolation, we utilize the virtualization technology to run the monitor process out of the monitored VM, while heap memory allocation information is collected inside the monitored VM in a secure and efficient way. The hybrid VM monitoring technique combined with the secure canary that cannot be counterfeited by attackers provides guaranteed overflow detection with high efficiency. We have implemented a prototype of Kruiser based on Linux and the Xen/KVM hypervisor. The evaluation shows that Kruiser can detect realistic kernel heap buffer overflow attacks in cloud environment effectively with minimal cost.
ISSN:2168-7161
2168-7161
2372-0018
DOI:10.1109/TCC.2020.2970183