Efficient Monitoring of Untrusted Kernel-Mode Execution
Authors
Abstract
Recent malware instances execute completely in the kernel as drivers; they do not contain any user-level malicious processes. This design evades the system call monitoring used by many software security solutions, including malware analyzers and host-based intrusion detectors that track only user-level processes. To trace the behavior of kernel malware instances, we design and implement a hypervisor-based system called Gateway that monitors kernel APIs invoked by drivers. Gateway creates a hardened, non-bypassable monitoring interface by isolating drivers in an address space separate from the kernel. To overcome the performance degradation introduced by switches between these separate address spaces, our design rewrites binary kernel and driver code at runtime and generates new code on demand to optimize the address space transition speed. Our experimental measurements show performance overheads of 10% or better, with many overheads less than 1%. Our security evaluation shows that Gateway is able to monitor all kernel APIs invoked by malicious drivers across its non-bypassable interface.
Similar sources
Fay: Extensible Distributed Tracing from Kernels to Clusters
Fay is a flexible platform for the efficient collection, processing, and analysis of software execution traces. Fay provides dynamic tracing through use of runtime instrumentation and distributed aggregation within machines and across clusters. At the lowest level, Fay can be safely extended with new tracing primitives, including even untrusted, fully-optimized machine code, and Fay can be appl...
Secure Execution of Mutually Mistrusting Software
Commodity operating systems, e.g. Linux and Android, running on PC or smartphone, are ubiquitous in home, commercial, government, and military settings. The booming popularity of PC and smartphone makes the commodity operating system an attractive target for attacks. These systems are tasked with a variety of applications, e.g. from secure software provided by trusted enterprises to regular app...
Operating System Support for Process Confinement
Execution of untrusted software can compromise a whole system. Tools for restricting access of software to system resources are essential for security maintenance. Operating systems should offer functionality for building tools which could run in user mode with no special privileges while providing full access control. Thus, they could be made available to any user in the system. In this paper ...
BOOMERANG: Exploiting the Semantic Gap in Trusted Execution Environments
In the past decade, we have come to rely on computers for various safety and security-critical tasks, such as securing our homes, operating our vehicles, and controlling our finances. To facilitate these tasks, chip manufacturers have begun including trusted execution environments (TEEs) in their processors, which enable critical code (e.g., cryptographic functions) to run in an isolated hardwa...
Protecting Commodity Operating System Kernels from Vulnerable Device Drivers (Full Version)
Device drivers on commodity operating systems execute with kernel privilege and have unfettered access to kernel data structures. Several recent attacks demonstrate that such poor isolation exposes kernel data to exploits against vulnerable device drivers, for example through buffer overruns in packet processing code. Prior architectures to isolate kernel data from driver code either sacrifice ...