<?xml version="1.0" encoding="UTF-8"?>
<ArticleSet xmlns="http://www.openarchives.org/OAI/2.0/">
  <Article>
    <Journal>
      <PublisherName>Institute of Electrical and Electronics Engineers (IEEE)</PublisherName>
      <JournalTitle>Acta Medica Okayama</JournalTitle>
      <Issn>2169-3536</Issn>
      <Volume>13</Volume>
      <Issue/>
      <PubDate PubStatus="ppublish">
        <Year>2025</Year>
        <Month/>
      </PubDate>
    </Journal>
    <ArticleTitle>Enhancing Protection Against Code Reuse Attacks on IoT Devices by Randomizing Function Addresses</ArticleTitle>
    <FirstPage LZero="delete">185111</FirstPage>
    <LastPage>185124</LastPage>
    <Language>EN</Language>
    <AuthorList>
      <Author>
        <FirstName EmptyYN="N">Kazuma</FirstName>
        <LastName>Saji</LastName>
        <Affiliation>Graduate School of Environmental, Life, Natural Science and Technology, Okayama University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Toshihiro</FirstName>
        <LastName>Yamauchi</LastName>
        <Affiliation>Faculty of Environmental, Life, Natural Science and Technology, Okayama University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Satoru</FirstName>
        <LastName>Kobayashi</LastName>
        <Affiliation>Faculty of Environmental, Life, Natural Science and Technology, Okayama University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Hideo</FirstName>
        <LastName>Taniguchi</LastName>
        <Affiliation>Graduate School of Environmental, Life, Natural Science and Technology, Okayama University</Affiliation>
      </Author>
    </AuthorList>
    <PublicationType/>
    <ArticleIdList>
      <ArticleId IdType="doi"/>
    </ArticleIdList>
    <Abstract>Most Internet of Things (IoT) devices currently in use are vulnerable to code reuse attacks because manufacturers typically deploy the same firmware across all devices. This uniformity enables attackers to craft a single exploit that can compromise multiple devices. To mitigate this risk, we propose a firmware diversification approach that creates multiple executable files with varying software compositions. Our approach introduces two complementary techniques: Function Address Reordering (FAR), which randomizes the order of functions within object files during compilation, and Object Address Reordering (OAR), which permutes the linking order of object files in the final executable. These techniques collectively diversify firmware instances without altering runtime behavior, making executing code reuse attacks significantly more difficult. By deploying firmware with diverse executable files, it is possible to enhance security without altering device behavior. We evaluate the effectiveness and limitations of the proposed methods when integrated into actual IoT firmware, assessing their resilience to code reuse attacks, impact on runtime behavior, and compilation overhead. Experimental results demonstrate that FAR and OAR significantly reduce the success rate of return-oriented programming attacks while incurring minimal performance overhead. This study offers a scalable, hardware-independent defense against code reuse attacks that increases resilience without a significant performance overhead, rendering it practical for widespread adoption in various IoT applications.</Abstract>
    <CoiStatement>No potential conflict of interest relevant to this article was reported.</CoiStatement>
    <ObjectList>
      <Object Type="keyword">
        <Param Name="value">Code reuse attack</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">IoT firmware</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">software diversity</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">function reordering</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">LLVM</Param>
      </Object>
    </ObjectList>
    <ReferenceList/>
  </Article>
  <Article>
    <Journal>
      <PublisherName>Springer Nature Singapore</PublisherName>
      <JournalTitle>Acta Medica Okayama</JournalTitle>
      <Issn>1865-0929</Issn>
      <Volume/>
      <Issue/>
      <PubDate PubStatus="ppublish">
        <Year>2025</Year>
        <Month/>
      </PubDate>
    </Journal>
    <ArticleTitle>Evaluation of a Startup Program Identification for Efficient and Accurate IoT Security Investigations</ArticleTitle>
    <FirstPage LZero="delete">417</FirstPage>
    <LastPage>431</LastPage>
    <Language>EN</Language>
    <AuthorList>
      <Author>
        <FirstName EmptyYN="N">Yuta</FirstName>
        <LastName>Shimamoto</LastName>
        <Affiliation>Graduate School of Environmental, Life, Natural Science and Technology, Okayama University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Jiratchaya</FirstName>
        <LastName>Phinyodom</LastName>
        <Affiliation>School of Engineering, Okayama University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Ryota</FirstName>
        <LastName>Yoshimoto</LastName>
        <Affiliation>Graduate School of Environmental, Life, Natural Science and Technology, Okayama University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Hiroyuki</FirstName>
        <LastName>Uekawa</LastName>
        <Affiliation>NTT Social Informatics Laboratories</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Mitsuaki</FirstName>
        <LastName>Akiyama</LastName>
        <Affiliation>NTT Social Informatics Laboratories</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Toshihiro</FirstName>
        <LastName>Yamauchi</LastName>
        <Affiliation>Faculty of Environmental, Life, Natural Science and Technology, Okayama University</Affiliation>
      </Author>
    </AuthorList>
    <PublicationType/>
    <ArticleIdList>
      <ArticleId IdType="doi"/>
    </ArticleIdList>
    <Abstract>Not all files in firmware are executed while using Internet of Things (IoT) devices, and hundreds to approximately a thousand executable and linkable format files exist in one firmware. Therefore, security investigations without prioritization may lead to investigating programs that are not executed while using IoT devices first. This has resulted in inefficient security investigations. To perform efficient security investigations, we proposed a method that can identify programs executed during the startup process. However, only two firmware were used for the evaluation, which can only evaluate one of the two startup sequences in the OpenWrt-based firmware. In addition, security investigations to validate whether the proposed method addresses the problem of inefficient security investigations were limited to OpenWrt-based firmware. In this study, we use more firmware data for evaluation and validation. We use nine firmware not used in previous studies, including startup methods that have not previously been used for evaluation. In addition, we increase the number of firmware used for validation to 225. The evaluation results demonstrate that the proposed method can identify these programs with only a few false positives. The validation demonstrates that efficiency can be improved and that prioritizing investigations by considering the proposed method's result is worthwhile.</Abstract>
    <CoiStatement>No potential conflict of interest relevant to this article was reported.</CoiStatement>
    <ObjectList>
      <Object Type="keyword">
        <Param Name="value">Internet of Things</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">Firmware</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">Startup script</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">SysVinit</Param>
      </Object>
    </ObjectList>
    <ReferenceList/>
  </Article>
  <Article>
    <Journal>
      <PublisherName>Springer Nature Singapore</PublisherName>
      <JournalTitle>Acta Medica Okayama</JournalTitle>
      <Issn>0302-9743</Issn>
      <Volume/>
      <Issue/>
      <PubDate PubStatus="ppublish">
        <Year>2025</Year>
        <Month/>
      </PubDate>
    </Journal>
    <ArticleTitle>RKPM: Restricted Kernel Page Mechanism to Mitigate Privilege Escalation Attacks</ArticleTitle>
    <FirstPage LZero="delete">213</FirstPage>
    <LastPage>231</LastPage>
    <Language>EN</Language>
    <AuthorList>
      <Author>
        <FirstName EmptyYN="N">Hiroki</FirstName>
        <LastName>Kuzuno</LastName>
        <Affiliation>Graduate School of Engineering, Kobe University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Toshihiro</FirstName>
        <LastName>Yamauchi</LastName>
        <Affiliation>Faculty of Environmental, Life, Natural Science and Technology, Okayama University</Affiliation>
      </Author>
    </AuthorList>
    <PublicationType/>
    <ArticleIdList>
      <ArticleId IdType="doi"/>
    </ArticleIdList>
    <Abstract>Kernel memory corruption attacks against operating systems exploit kernel vulnerabilities to overwrite kernel data. Kernel address space layout randomization makes it difficult to identify kernel data by randomizing their virtual address space. Control flow integrity (CFI) prevents unauthorized kernel code execution by verifying kernel function calls. However, these countermeasures do not prohibit writing to kernel data. If the virtual address of privileged information is specified and CFI is circumvented, the privileged information can be modified by a kernel memory corruption attack. In this paper, we propose a restricted kernel page mechanism (RKPM) to mitigate kernel memory corruption attacks by introducing restricted kernel pages to protect the kernel data specified in the kernel. The RKPM focuses on the fact that kernel memory corruption attacks attempt to read the virtual addresses around the privileged information. The RKPM adopts page table mapping handling and a memory protection key to control the read and write restrictions of the restricted kernel pages. This allows us to mitigate kernel memory corruption attacks by capturing reads to the restricted kernel page before the privileged information is overwritten. As an evaluation of the RKPM, we confirmed that it can mitigate privilege escalation attacks on the latest Linux kernel. We also measured that there was a certain overhead in the kernel performance. This study enhances kernel security by mitigating privilege escalation attacks through the use of software or hardware based restricted kernel pages.</Abstract>
    <CoiStatement>No potential conflict of interest relevant to this article was reported.</CoiStatement>
    <ObjectList/>
    <ReferenceList/>
  </Article>
  <Article>
    <Journal>
      <PublisherName>IEEE</PublisherName>
      <JournalTitle>Acta Medica Okayama</JournalTitle>
      <Issn/>
      <Volume/>
      <Issue/>
      <PubDate PubStatus="ppublish">
        <Year>2024</Year>
        <Month/>
      </PubDate>
    </Journal>
    <ArticleTitle>kdMonitor: Kernel Data Monitor for Detecting Kernel Memory Corruption</ArticleTitle>
    <FirstPage LZero="delete">66</FirstPage>
    <LastPage>73</LastPage>
    <Language>EN</Language>
    <AuthorList>
      <Author>
        <FirstName EmptyYN="N">Hiroki</FirstName>
        <LastName>Kuzuno</LastName>
        <Affiliation>Graduate School of Engineering, Kobe University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Toshihiro</FirstName>
        <LastName>Yamauchi</LastName>
        <Affiliation>Okayama University, Faculty of Environmental, Life, Natural Science and Technology</Affiliation>
      </Author>
    </AuthorList>
    <PublicationType/>
    <ArticleIdList>
      <ArticleId IdType="doi"/>
    </ArticleIdList>
    <Abstract>Privilege escalation attacks through memory corruption via kernel vulnerabilities pose significant threats to operating systems. Although the extended Berkeley Packet Filter has been employed to trace kernel code execution by inserting interrupts before and after kernel code invocations, it does not track operations before and after kernel data writes, thus hindering effective kernel data monitoring. In this study, we introduce a kernel data monitor (kdMonitor), which is a novel security mechanism designed to detect unauthorized alterations in the monitored kernel data of a dedicated kernel page. The kdMonitor incorporates two distinct methods. The first is periodic monitoring, which regularly outputs the monitored kernel data of the dedicated kernel pages. The second is dynamic monitoring, which restricts write access to a dedicated kernel page, supplements any write operations with page faults, and outputs the monitored kernel data of dedicated kernel pages. kdMonitor enables real-time tracking of specified kernel data of the dedicated kernel page residing in the kernel's virtual memory space from the separated machine. Using kdMonitor, we demonstrated its capability to pinpoint tampering with user process privileged information stemming from privilege escalation attacks on the kernel. Through an empirical evaluation, we validated the effectiveness of kdMonitor in detecting privilege escalation attacks by user processes on Linux. Performance assessments revealed that kdMonitor achieved an attack detection time of 0.83 seconds with an overhead of 0.726 %.</Abstract>
    <CoiStatement>No potential conflict of interest relevant to this article was reported.</CoiStatement>
    <ObjectList>
      <Object Type="keyword">
        <Param Name="value">Vulnerability countermeasure</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">Operating system security</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">System security</Param>
      </Object>
    </ObjectList>
    <ReferenceList/>
  </Article>
  <Article>
    <Journal>
      <PublisherName>Springer Nature Switzerland</PublisherName>
      <JournalTitle>Acta Medica Okayama</JournalTitle>
      <Issn>0302-9743</Issn>
      <Volume/>
      <Issue/>
      <PubDate PubStatus="ppublish">
        <Year>2023</Year>
        <Month/>
      </PubDate>
    </Journal>
    <ArticleTitle>vkTracer: Vulnerable Kernel Code Tracing to Generate Profile of Kernel Vulnerability</ArticleTitle>
    <FirstPage LZero="delete">222</FirstPage>
    <LastPage>234</LastPage>
    <Language>EN</Language>
    <AuthorList>
      <Author>
        <FirstName EmptyYN="N">Hiroki</FirstName>
        <LastName>Kuzuno</LastName>
        <Affiliation>Graduate School of Engineering, Kobe University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Toshihiro</FirstName>
        <LastName>Yamauchi</LastName>
        <Affiliation>Faculty of Natural Science and Technology, Okayama University</Affiliation>
      </Author>
    </AuthorList>
    <PublicationType/>
    <ArticleIdList>
      <ArticleId IdType="doi"/>
    </ArticleIdList>
    <Abstract>Vulnerable kernel codes are a threat to an operating system kernel. An adversary’s user process can forcefully invoke a vulnerable kernel code to cause privilege escalation or denial of service (DoS). Although service providers or security operators have to determine the effect of kernel vulnerabilities on their environment to decide on kernel updates, the list of vulnerable kernel codes is not provided in the common vulnerabilities and exposures (CVE) report. It is difficult to identify the vulnerable kernel codes from the exploitation result of the kernel, which indicates the account information or the kernel suspension. To identify the details of kernel vulnerabilities, this study proposes a vulnerable kernel code tracer (vkTracer), which employs an alternative viewpoint using proof-of-concept (PoC) code to create a profile of kernel vulnerability. vkTracer traces the user process of the PoC code and the running kernel to hook the invocation of the vulnerable kernel codes. Moreover, vkTracer extracts the whole kernel component’s information using the running and static kernel image and debug section. The evaluation results indicated that vkTracer could trace PoC code executions (e.g., privilege escalation and DoS), identify vulnerable kernel codes, and generate kernel vulnerability profiles. Furthermore, the implementation of vkTracer revealed that the identification overhead ranged from 5.2683 s to 5.2728 s on the PoC codes and the acceptable system call latency was 3.7197 μs.</Abstract>
    <CoiStatement>No potential conflict of interest relevant to this article was reported.</CoiStatement>
    <ObjectList>
      <Object Type="keyword">
        <Param Name="value">Kernel vulnerability</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">Dynamic analysis</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">System security</Param>
      </Object>
    </ObjectList>
    <ReferenceList/>
  </Article>
  <Article>
    <Journal>
      <PublisherName/>
      <JournalTitle>Acta Medica Okayama</JournalTitle>
      <Issn/>
      <Volume/>
      <Issue/>
      <PubDate PubStatus="ppublish">
        <Year>2025</Year>
        <Month/>
      </PubDate>
    </Journal>
    <ArticleTitle>Towards SBOM-based Access Control for Transparent and Explicit Program Execution</ArticleTitle>
    <FirstPage LZero="delete"/>
    <LastPage/>
    <Language>EN</Language>
    <AuthorList>
      <Author>
        <FirstName EmptyYN="N">Yuta</FirstName>
        <LastName>Shimamoto</LastName>
        <Affiliation>Okayama University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Hiroyuki</FirstName>
        <LastName>Uekawa</LastName>
        <Affiliation>NTT Social Informatics Laboratories</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Mitsuaki</FirstName>
        <LastName>Akiyama</LastName>
        <Affiliation>NTT Social Informatics Laboratories</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Toshihiro</FirstName>
        <LastName>Yamauchi</LastName>
        <Affiliation>Okayama University</Affiliation>
      </Author>
    </AuthorList>
    <PublicationType/>
    <ArticleIdList>
      <ArticleId IdType="doi"/>
    </ArticleIdList>
    <Abstract>Although a Software Bill of Materials (SBOM) plays a key role in software transparency, inconsistencies in SBOM descriptions can undermine its value. To address this, we propose a novel approach to program access control, SBOMAC, which leverages Mandatory Access Control (MAC) systems to ensure transparent and explicit program execution. In this study, we identify the challenges associated with implementing this approach and present preliminary investigation results to address these challenges.</Abstract>
    <CoiStatement>No potential conflict of interest relevant to this article was reported.</CoiStatement>
    <ObjectList/>
    <ReferenceList/>
  </Article>
  <Article>
    <Journal>
      <PublisherName>Springer International Publishing</PublisherName>
      <JournalTitle>Acta Medica Okayama</JournalTitle>
      <Issn>0302-9743</Issn>
      <Volume/>
      <Issue/>
      <PubDate PubStatus="ppublish">
        <Year>2022</Year>
        <Month/>
      </PubDate>
    </Journal>
    <ArticleTitle>CyNER: Information Extraction from Unstructured Text of CTI Sources with Noncontextual IOCs</ArticleTitle>
    <FirstPage LZero="delete">85</FirstPage>
    <LastPage>104</LastPage>
    <Language>EN</Language>
    <AuthorList>
      <Author>
        <FirstName EmptyYN="N">Shota</FirstName>
        <LastName>Fujii</LastName>
        <Affiliation>Graduate School of Natural Science and Technology, Okayama University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Nobutaka</FirstName>
        <LastName>Kawaguchi</LastName>
        <Affiliation>Research &amp; Development Group, Hitachi, Ltd.</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Tomohiro</FirstName>
        <LastName>Shigemoto</LastName>
        <Affiliation>Research &amp; Development Group, Hitachi, Ltd.</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Toshihiro</FirstName>
        <LastName>Yamauchi</LastName>
        <Affiliation>Faculty of Natural Science and Technology, Okayama University</Affiliation>
      </Author>
    </AuthorList>
    <PublicationType/>
    <ArticleIdList>
      <ArticleId IdType="doi"/>
    </ArticleIdList>
    <Abstract>Cybersecurity threats have been increasing and growing more sophisticated year by year. In such circumstances, gathering Cyber Threat Intelligence (CTI) and following up with up-to-date threat information is crucial. Structured CTI such as Structured Threat Information eXpression (STIX) is particularly useful because it can automate security operations such as updating FW/IDS rules and analyzing attack trends. However, as most CTIs are written in natural language, manual analysis with domain knowledge is required, which becomes quite time-consuming.
In this work, we propose CyNER, a method for automatically structuring CTIs and converting them into STIX format. CyNER extracts named entities in the context of CTI and then extracts the relations between named entities and IOCs in order to convert them into STIX. In addition, by using key phrase extraction, CyNER can extract relations between IOCs that lack contextual information, such as those listed at the bottom of a CTI, and named entities. We describe our design and implementation of CyNER and demonstrate that it can extract named entities with the F-measure of 0.80 and extract relations between named entities and IOCs with the maximum accuracy of 81.6%. Our analysis of structured CTI showed that CyNER can extract IOCs that are not included in existing reputation sites, and that it can automatically extract IOCs that have been exploited for a long time and across multiple attack groups. CyNER is thus expected to contribute to the efficiency of CTI analysis.</Abstract>
    <CoiStatement>No potential conflict of interest relevant to this article was reported.</CoiStatement>
    <ObjectList/>
    <ReferenceList/>
  </Article>
  <Article>
    <Journal>
      <PublisherName>IEEE</PublisherName>
      <JournalTitle>Acta Medica Okayama</JournalTitle>
      <Issn>2832-1324</Issn>
      <Volume/>
      <Issue/>
      <PubDate PubStatus="ppublish">
        <Year>2023</Year>
        <Month/>
      </PubDate>
    </Journal>
    <ArticleTitle>Analyzing Post-injection Attacker Activities in IoT Devices: A Comprehensive Log Analysis Approach</ArticleTitle>
    <FirstPage LZero="delete">292</FirstPage>
    <LastPage>297</LastPage>
    <Language>EN</Language>
    <AuthorList>
      <Author>
        <FirstName EmptyYN="N">Hervet</FirstName>
        <LastName>Victor</LastName>
        <Affiliation>Okayama University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Satoru</FirstName>
        <LastName>Kobayashi</LastName>
        <Affiliation>Faculty of Environmental, Life, Natural Science and Technology, Okayama University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Toshihiro</FirstName>
        <LastName>Yamauchi</LastName>
        <Affiliation>Faculty of Environmental, Life, Natural Science and Technology, Okayama University</Affiliation>
      </Author>
    </AuthorList>
    <PublicationType/>
    <ArticleIdList>
      <ArticleId IdType="doi"/>
    </ArticleIdList>
    <Abstract>With the continuous proliferation of Internet of Things (IoT) devices, malware threats that specifically target these devices continue to increase. The urgent need for robust security measures is predicated on a comprehensive understanding of the behavioral patterns of IoT malware. However, previous studies have often overlooked the analysis of command sequences in Telnet logs. This study bridges this research gap by examining the post-injection behaviors of attackers. By analyzing a vast dataset comprising more than ten million logs collected from an IoT honeypot, we reveal three distinct post-injection activity patterns, each with unique characteristics. These patterns provide pivotal insights that not only help distinguish between legitimate operations and attempted attacks, but also drive the development of robust cybersecurity measures that effectively deter such behaviors. The nuances discovered in this study contribute significantly to IoT security by enhancing our understanding of malware tactics and informing targeted defense strategies.</Abstract>
    <CoiStatement>No potential conflict of interest relevant to this article was reported.</CoiStatement>
    <ObjectList>
      <Object Type="keyword">
        <Param Name="value">Malware analysis</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">IoT</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">Honeypot</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">Log analysis</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">Attack patterns</Param>
      </Object>
    </ObjectList>
    <ReferenceList/>
  </Article>
  <Article>
    <Journal>
      <PublisherName>IEEE</PublisherName>
      <JournalTitle>Acta Medica Okayama</JournalTitle>
      <Issn>2832-1324</Issn>
      <Volume/>
      <Issue/>
      <PubDate PubStatus="ppublish">
        <Year>2023</Year>
        <Month/>
      </PubDate>
    </Journal>
    <ArticleTitle>Prevention Method for Stack Buffer Overflow Attack in TA Command Calls in OP-TEE</ArticleTitle>
    <FirstPage LZero="delete">274</FirstPage>
    <LastPage>278</LastPage>
    <Language>EN</Language>
    <AuthorList>
      <Author>
        <FirstName EmptyYN="N">Kaito</FirstName>
        <LastName>Shiba</LastName>
        <Affiliation>Graduate School of Natural Science and Technology, Okayama University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Hiroki</FirstName>
        <LastName>Kuzuno</LastName>
        <Affiliation>Graduate School of Engineering, Kobe University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Toshihiro</FirstName>
        <LastName>Yamauchi</LastName>
        <Affiliation>Faculty of Environmental, Life, Natural Science and Technology, Okayama University</Affiliation>
      </Author>
    </AuthorList>
    <PublicationType/>
    <ArticleIdList>
      <ArticleId IdType="doi"/>
    </ArticleIdList>
    <Abstract>TEE systems provide a normal world and a secure world. It is impossible to gain access to the secure world directly from the normal world. However, vulnerabilities in the secure world can allow attacks to compromise the secure world. In this study, we investigate the security features applied to trusted applications (TA) in OP-TEE and clarify the lack of protection against stack buffer overflow in TA command calls. We also propose a method for preventing attacks that exploit stack buffer overflows in TA command calls. In addition, the experimental results show that attacks on the vulnerable TAs can be prevented with the proposed method and the overhead can be evaluated.</Abstract>
    <CoiStatement>No potential conflict of interest relevant to this article was reported.</CoiStatement>
    <ObjectList>
      <Object Type="keyword">
        <Param Name="value">Trusted execution environment</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">Stack overflow prevention method</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">System security</Param>
      </Object>
    </ObjectList>
    <ReferenceList/>
  </Article>
  <Article>
    <Journal>
      <PublisherName>IEEE</PublisherName>
      <JournalTitle>Acta Medica Okayama</JournalTitle>
      <Issn>2379-1896</Issn>
      <Volume/>
      <Issue/>
      <PubDate PubStatus="ppublish">
        <Year>2023</Year>
        <Month/>
      </PubDate>
    </Journal>
    <ArticleTitle>Evaluation of Effectiveness of MAC Systems Based on LSM for Protecting IoT Devices</ArticleTitle>
    <FirstPage LZero="delete">161</FirstPage>
    <LastPage>167</LastPage>
    <Language>EN</Language>
    <AuthorList>
      <Author>
        <FirstName EmptyYN="N">Masato</FirstName>
        <LastName>Miki</LastName>
        <Affiliation>Graduate School of Natural Science and Technology, Okayama University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Toshihiro</FirstName>
        <LastName>Yamauchi</LastName>
        <Affiliation>Faculty of Environmental, Life, Natural Science and Technology, Okayama University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Satoru</FirstName>
        <LastName>Kobayashi</LastName>
        <Affiliation>Faculty of Environmental, Life, Natural Science and Technology, Okayama University</Affiliation>
      </Author>
    </AuthorList>
    <PublicationType/>
    <ArticleIdList>
      <ArticleId IdType="doi"/>
    </ArticleIdList>
    <Abstract>Numerous active attacks targeting Internet of Things (IoT) devices exist. They exploit the latest vulnerabilities discovered in IoT devices. Therefore, Mandatory Access Control (MAC) systems based on Linux Security Modules (LSM), such as SELinux and AppArmor, are effective security features for IoT devices because they can mitigate the impact of attacks even if software vulnerabilities are discovered. However, they are not adopted by most IoT devices. The existing approaches are insufficient for investigating the causes of this problem. In this study, we comprehensively investigated what factors can affect the applicability of MAC systems based on LSM in IoT devices. We focused on how frequently cases can occur where they cannot be adopted, owing to each factor. To increase the comprehensiveness of the factors affecting the adoption of MAC systems in IoT devices, we investigated the kernel version, CPU architecture, and support for BusyBox in addition to the investigation of resources, which was conducted in previous studies. We also conducted simulated experiments based on the attack method of Mirai to investigate whether MAC systems can protect against IoT malware. Finally, we discuss the impact of a combination of these factors on MAC system adoption.</Abstract>
    <CoiStatement>No potential conflict of interest relevant to this article was reported.</CoiStatement>
    <ObjectList>
      <Object Type="keyword">
        <Param Name="value">Mandatory Access Control System</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">IoT Security</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">Linux Security Modules</Param>
      </Object>
    </ObjectList>
    <ReferenceList/>
  </Article>
  <Article>
    <Journal>
      <PublisherName>IEEE</PublisherName>
      <JournalTitle>Acta Medica Okayama</JournalTitle>
      <Issn>2833-2350</Issn>
      <Volume/>
      <Issue/>
      <PubDate PubStatus="ppublish">
        <Year>2023</Year>
        <Month/>
      </PubDate>
    </Journal>
    <ArticleTitle>Non Real-Time Data Transmission Performance Analysis of PROFINET for Assuring Data Transmission Quality</ArticleTitle>
    <FirstPage LZero="delete">236</FirstPage>
    <LastPage>244</LastPage>
    <Language>EN</Language>
    <AuthorList>
      <Author>
        <FirstName EmptyYN="N">Takashi</FirstName>
        <LastName>Norimatsu</LastName>
        <Affiliation>Graduate School of Natural Science and Technology, Okayama University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Toshihiro</FirstName>
        <LastName>Yamauchi</LastName>
        <Affiliation>Faculty of Environmental, Life, Natural Science and Technology, Okayama University</Affiliation>
      </Author>
    </AuthorList>
    <PublicationType/>
    <ArticleIdList>
      <ArticleId IdType="doi"/>
    </ArticleIdList>
    <Abstract>The industrial Ethernet PROFINET supports three different data transmission modes: isochronous real-time (IRT), real-time (RT), and non real-time (NRT) transmitting data requiring hard, soft, and no real-time performances, respectively. The data transmission latency in the NRT increased with the amount of data transmission in the IRT, RT, and NRT. Therefore, the quality of data transmission in NRT may degrade as the amount of data transmission in IRT, RT, and NRT increases. In this study, we derived the average data transmission latency in an NRT with data transmission in IRT and RT by applying stochastic processes. This allowed us to maintain the quality of data transmission in the NRT by adjusting the number of devices connected to the network and the number of applications transmitting data in the NRT so that the average latency of data in the NRT does not exceed a certain value.</Abstract>
    <CoiStatement>No potential conflict of interest relevant to this article was reported.</CoiStatement>
    <ObjectList>
      <Object Type="keyword">
        <Param Name="value">Industrial Ethernet</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">PROFINET</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">Non Real Time</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">Real-Time</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">Isochronous Real Time</Param>
      </Object>
    </ObjectList>
    <ReferenceList/>
  </Article>
  <Article>
    <Journal>
      <PublisherName>IEEE</PublisherName>
      <JournalTitle>Acta Medica Okayama</JournalTitle>
      <Issn>2832-1324</Issn>
      <Volume/>
      <Issue/>
      <PubDate PubStatus="ppublish">
        <Year>2023</Year>
        <Month/>
      </PubDate>
    </Journal>
    <ArticleTitle>Supporting Multiple OS Types on Estimation of System Call Hook Point by Virtual Machine Monitor</ArticleTitle>
    <FirstPage LZero="delete">267</FirstPage>
    <LastPage>273</LastPage>
    <Language>EN</Language>
    <AuthorList>
      <Author>
        <FirstName EmptyYN="N">Masaya</FirstName>
        <LastName>Sato</LastName>
        <Affiliation>Okayama Prefectural University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Taku</FirstName>
        <LastName>Omori</LastName>
        <Affiliation>Okayama Prefectural University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Toshihiro</FirstName>
        <LastName>Yamauchi</LastName>
        <Affiliation>Okayama University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Hideo</FirstName>
        <LastName>Taniguchi</LastName>
        <Affiliation>Okayama University</Affiliation>
      </Author>
    </AuthorList>
    <PublicationType/>
    <ArticleIdList>
      <ArticleId IdType="doi"/>
    </ArticleIdList>
    <Abstract>Methods to hook system calls issued by a guest operating system (OS) running on a virtual machine using a virtual machine monitor are proposed. The address of the hook point is derived from the guest OS’s source code and established prior to the kernel startup process. Due to changes in system call processing in OS updates and address space layout randomization, the addresses of these hook points cannot always be pre-determined before the kernel startup process. To address this challenge, a method for estimating the system call hook point is proposed in Linux by analyzing the guest OS memory on x86-64 CPUs rather than pre-calculation. Although the method supports Linux, the method can be extended to support other OS types. In this paper, we propose a method to extend the method to support additional OSes. Specifically, we present analysis results and a novel method for estimating hook points on FreeBSD, NetBSD, and OpenBSD. The effectiveness of our proposed method is also demonstrated through evaluation.</Abstract>
    <CoiStatement>No potential conflict of interest relevant to this article was reported.</CoiStatement>
    <ObjectList>
      <Object Type="keyword">
        <Param Name="value">system call</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">virtual machine monitor</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">operating system</Param>
      </Object>
    </ObjectList>
    <ReferenceList/>
  </Article>
  <Article>
    <Journal>
      <PublisherName>Springer Nature Switzerland</PublisherName>
      <JournalTitle>Acta Medica Okayama</JournalTitle>
      <Issn>2367-4512</Issn>
      <Volume/>
      <Issue/>
      <PubDate PubStatus="ppublish">
        <Year>2025</Year>
        <Month/>
      </PubDate>
    </Journal>
    <ArticleTitle>Investigation Towards Detecting Landing Websites for Fake Japanese Shopping Websites</ArticleTitle>
    <FirstPage LZero="delete">107</FirstPage>
    <LastPage>119</LastPage>
    <Language>EN</Language>
    <AuthorList>
      <Author>
        <FirstName EmptyYN="N">Daigo</FirstName>
        <LastName>Michishita</LastName>
        <Affiliation>Graduate School of Environmental, Life, Natural Science and Technology, Okayama University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Satoru</FirstName>
        <LastName>Kobayashi</LastName>
        <Affiliation>Faculty of Environmental, Life, Natural Science and Technology, Okayama University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Toshihiro</FirstName>
        <LastName>Yamauchi</LastName>
        <Affiliation>Faculty of Environmental, Life, Natural Science and Technology, Okayama University</Affiliation>
      </Author>
    </AuthorList>
    <PublicationType/>
    <ArticleIdList>
      <ArticleId IdType="doi"/>
    </ArticleIdList>
    <Abstract>Recently, the number of victims of fake shopping websites that imitate legitimate ones to defraud people has been increasing. It has been shown that fake shopping websites use legitimate defaced landing websites as their leading paths. Therefore, if the detection of landing websites for fake shopping websites can be achieved, it can assist in addressing these websites and reduce the opportunities for users to be redirected to fake shopping websites. In this study, we collect and investigate existing landing websites that redirect users to fake Japanese shopping websites and identify effective features for detecting them. We identified effective search terms for collecting landing websites for fake Japanese shopping websites and found that using Google searches with queries of top-level domain and product names was effective. We also investigated the conditions for activating analytical evasion functions in the collected landing websites for fake Japanese shopping websites and clarified the differences in search results between crawlers and users.</Abstract>
    <CoiStatement>No potential conflict of interest relevant to this article was reported.</CoiStatement>
    <ObjectList/>
    <ReferenceList/>
  </Article>
  <Article>
    <Journal>
      <PublisherName>Institute of Electrical and Electronics Engineers</PublisherName>
      <JournalTitle>Acta Medica Okayama</JournalTitle>
      <Issn>2169-3536</Issn>
      <Volume>12</Volume>
      <Issue/>
      <PubDate PubStatus="ppublish">
        <Year>2024</Year>
        <Month/>
      </PubDate>
    </Journal>
    <ArticleTitle>Detecting Unintended Redirects to Malicious Websites on Android Devices Based on URL-Switching Interval</ArticleTitle>
    <FirstPage LZero="delete">153285</FirstPage>
    <LastPage>153294</LastPage>
    <Language>EN</Language>
    <AuthorList>
      <Author>
        <FirstName EmptyYN="N">Toshihiro</FirstName>
        <LastName>Yamauchi</LastName>
        <Affiliation>Faculty of Environmental, Life, Natural Science and Technology, Okayama University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Rintaro</FirstName>
        <LastName>Orito</LastName>
        <Affiliation>Graduate School of Natural Science and Technology, Okayama University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Koji</FirstName>
        <LastName>Ebisu</LastName>
        <Affiliation>Graduate School of Natural Science and Technology, Okayama University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Masaya</FirstName>
        <LastName>Sato</LastName>
        <Affiliation>Faculty of Computer Science and Systems Engineering, Okayama Prefectural University</Affiliation>
      </Author>
    </AuthorList>
    <PublicationType/>
    <ArticleIdList>
      <ArticleId IdType="doi"/>
    </ArticleIdList>
    <Abstract>Website clicks that redirect Android-phone users to malicious websites with fake virus alerts or phishing attacks are increasing exponentially. Although a uniform resource locator (URL) blocklist is considered a suitable countermeasure to such attacks, it is difficult to efficiently identify malicious websites. To the best of our knowledge, no research has focused on detecting attacks that redirect Android-phone users to malicious websites. Therefore, we propose a redirect-detection method that focuses on the URL bar-switching interval of Android-based Google Chrome browser. The proposed method, which can be easily installed as an Android application, uses the Android accessibility service to detect unintended redirects to malicious websites without collecting information about these websites in advance. This paper details the design, implementation, and evaluation results of the proposed application on an actual Android device. We determined the threshold values for the number of times the URL bar switches and the elapsed time to determine redirects to malicious websites for the proposed method. Based on the results, we investigated the causes of false-positive detection of redirects to benign websites and offer solutions on handling them. We also present the threshold values that can minimize the false positive and negative rates, as well as the detection accuracy of the proposed method based on these threshold values. Additionally, we present the evaluation results based on the access logs of actual users participating in the WarpDrive project experiment, which indicate that the proposed method minimizes false positives and successfully detects most redirects to malicious websites.</Abstract>
    <CoiStatement>No potential conflict of interest relevant to this article was reported.</CoiStatement>
    <ObjectList>
      <Object Type="keyword">
        <Param Name="value">Android</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">accessibility services</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">malicious websites</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">web-based attacks</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">web security</Param>
      </Object>
    </ObjectList>
    <ReferenceList/>
  </Article>
  <Article>
    <Journal>
      <PublisherName>Springer International Publishing</PublisherName>
      <JournalTitle>Acta Medica Okayama</JournalTitle>
      <Issn>0302-9743</Issn>
      <Volume>12835</Volume>
      <Issue/>
      <PubDate PubStatus="ppublish">
        <Year>2021</Year>
        <Month/>
      </PubDate>
    </Journal>
    <ArticleTitle>(Short Paper) Evidence Collection and Preservation System with Virtual Machine Monitoring</ArticleTitle>
    <FirstPage LZero="delete">64</FirstPage>
    <LastPage>73</LastPage>
    <Language>EN</Language>
    <AuthorList>
      <Author>
        <FirstName EmptyYN="N">Toru</FirstName>
        <LastName>Nakamura</LastName>
        <Affiliation>KDDI Research, Inc.</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Hiroshi</FirstName>
        <LastName>Ito</LastName>
        <Affiliation>Graduate School of Natural Science and Technology, Okayama University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Shinsaku</FirstName>
        <LastName>Kiyomoto</LastName>
        <Affiliation>KDDI Research, Inc.</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Toshihiro</FirstName>
        <LastName>Yamauchi</LastName>
        <Affiliation>Graduate School of Natural Science and Technology, Okayama University</Affiliation>
      </Author>
    </AuthorList>
    <PublicationType/>
    <ArticleIdList>
      <ArticleId IdType="doi"/>
    </ArticleIdList>
    <Abstract>In a system audit and verification, it is important to securely collect and preserve evidence of execution environments, execution processes, and program execution results. Evidence-based verification of program processes ensures their authenticity; for example, the processes include no altered/infected program library. This paper proposes a solution for collection of evidence on program libraries based on Virtual Machine Monitor (VMM). The solution can solve the semantic gap by obtaining library file path names. This paper also shows a way to obtain hash values of library files from a guest OS. Furthermore, this paper provides examples of evidence on program execution and the overhead of the solution.</Abstract>
    <CoiStatement>No potential conflict of interest relevant to this article was reported.</CoiStatement>
    <ObjectList>
      <Object Type="keyword">
        <Param Name="value">Virtual machine introspection</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">Forensics</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">OS security</Param>
      </Object>
    </ObjectList>
    <ReferenceList/>
  </Article>
  <Article>
    <Journal>
      <PublisherName>Springer</PublisherName>
      <JournalTitle>Acta Medica Okayama</JournalTitle>
      <Issn/>
      <Volume>313</Volume>
      <Issue/>
      <PubDate PubStatus="ppublish">
        <Year>2021</Year>
        <Month/>
      </PubDate>
    </Journal>
    <ArticleTitle>Physical Memory Management with Two Page Sizes in Tender OS</ArticleTitle>
    <FirstPage LZero="delete">238</FirstPage>
    <LastPage>248</LastPage>
    <Language>EN</Language>
    <AuthorList>
      <Author>
        <FirstName EmptyYN="N">Koki</FirstName>
        <LastName>Kusunoki</LastName>
        <Affiliation>Graduate School of Natural Science and Technology, Okayama University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Toshihiro</FirstName>
        <LastName>Yamauchi</LastName>
        <Affiliation>Graduate School of Natural Science and Technology, Okayama University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Hideo</FirstName>
        <LastName>Taniguchi</LastName>
        <Affiliation>Graduate School of Natural Science and Technology, Okayama University</Affiliation>
      </Author>
    </AuthorList>
    <PublicationType/>
    <ArticleIdList>
      <ArticleId IdType="doi"/>
    </ArticleIdList>
    <Abstract>Physical memory capacity has increased owing to large-scale integration. In addition, memory footprints have increased in size, as multiple programs are executed on a single computer. Many operating systems manage physical memory by paging a 4 KB page. Therefore, the number of entries in the virtual address translation table for virtual to physical increases along with the size of the memory footprints. This causes a decrease in the translation lookaside buffer (TLB) hit ratio, resulting in the performance degradation of the application. To address this problem, we propose the implementation of physical memory management with two page sizes: 4 KB and 4 MB. This allows us to expand the range of addresses to be translated by a single TLB entry, thereby improving the TLB hit rate. This paper describes the design and implementation of the physical memory management mechanism that manages physical memory using two page sizes on The ENduring operating system for Distributed EnviRonment (Tender OS). Our results showed that when the page size is 4 MB, the processing time of the memory allocation can be reduced by as much as approximately 99.7%, and the processing time for process creation can be reduced by as much as approximately 51%, and the processing time of the memory operation could be reduced by as much as 91.9%.</Abstract>
    <CoiStatement>No potential conflict of interest relevant to this article was reported.</CoiStatement>
    <ObjectList/>
    <ReferenceList/>
  </Article>
  <Article>
    <Journal>
      <PublisherName>IEEE</PublisherName>
      <JournalTitle>Acta Medica Okayama</JournalTitle>
      <Issn/>
      <Volume/>
      <Issue/>
      <PubDate PubStatus="ppublish">
        <Year>2021</Year>
        <Month/>
      </PubDate>
    </Journal>
    <ArticleTitle>Function for Tracing Diffusion of Classified Information to Support Multiple VMs with KVM</ArticleTitle>
    <FirstPage LZero="delete">352</FirstPage>
    <LastPage>358</LastPage>
    <Language>EN</Language>
    <AuthorList>
      <Author>
        <FirstName EmptyYN="N">Kohei</FirstName>
        <LastName>Otani</LastName>
        <Affiliation>Graduate School of Natural Science and Technology, Okayama University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Toshiki</FirstName>
        <LastName>Okazaki</LastName>
        <Affiliation>Graduate School of Natural Science and Technology, Okayama University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Toshihiro</FirstName>
        <LastName>Yamauchi</LastName>
        <Affiliation>Graduate School of Natural Science and Technology, Okayama University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Hideaki</FirstName>
        <LastName>Moriyama</LastName>
        <Affiliation>Department of Creative Engineering, National Institute of Technology, Ariake College</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Masaya</FirstName>
        <LastName>Sato</LastName>
        <Affiliation>Faculty of Computer Science and Systems Engineering, Okayama Prefectural University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Hideo</FirstName>
        <LastName>Taniguchi</LastName>
        <Affiliation>Graduate School of Natural Science and Technology, Okayama University</Affiliation>
      </Author>
    </AuthorList>
    <PublicationType/>
    <ArticleIdList>
      <ArticleId IdType="doi"/>
    </ArticleIdList>
    <Abstract>To handle information leaks caused by administrative errors or mishandling, a function for tracing the diffusion of classified information using a virtual machine monitor (VMM) was proposed. However, the proposed function has not been investigated in cases in which virtual machines (VMs) allocated by multiple virtual central processing units (vCPUs) are to be monitored. In addition, cases in which multiple VMs are monitored have not been examined. In this study, we describe the support of multiple VMs for the proposed VMM-based tracing function. We also show how to deal with VMs allocated by multiple vCPUs. Furthermore, we report the evaluation results from assessing the traceability of the improved proposed method and its overhead for classified information when a VM with multiple vCPUs is monitored.</Abstract>
    <CoiStatement>No potential conflict of interest relevant to this article was reported.</CoiStatement>
    <ObjectList>
      <Object Type="keyword">
        <Param Name="value">Information leak prevention</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">Virtualization</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">VMM</Param>
      </Object>
    </ObjectList>
    <ReferenceList/>
  </Article>
  <Article>
    <Journal>
      <PublisherName>Institute of Electrical and Electronics Engineers (IEEE)</PublisherName>
      <JournalTitle>Acta Medica Okayama</JournalTitle>
      <Issn>2169-3536</Issn>
      <Volume>9</Volume>
      <Issue/>
      <PubDate PubStatus="ppublish">
        <Year>2021</Year>
        <Month/>
      </PubDate>
    </Journal>
    <ArticleTitle>Mitigation of Kernel Memory Corruption Using Multiple Kernel Memory Mechanism</ArticleTitle>
    <FirstPage LZero="delete">111651</FirstPage>
    <LastPage>111665</LastPage>
    <Language>EN</Language>
    <AuthorList>
      <Author>
        <FirstName EmptyYN="N">Hiroki</FirstName>
        <LastName>Kuzuno</LastName>
        <Affiliation>Intelligent Systems Laboratory, SECOM Company Ltd.</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Toshihiro</FirstName>
        <LastName>Yamauchi</LastName>
        <Affiliation>Graduate School of Natural Science and Technology, Okayama University</Affiliation>
      </Author>
    </AuthorList>
    <PublicationType/>
    <ArticleIdList>
      <ArticleId IdType="doi"/>
    </ArticleIdList>
    <Abstract>Operating systems adopt kernel protection methods (e.g., mandatory access control, kernel address space layout randomization, control flow integrity, and kernel page table isolation) as essential countermeasures to reduce the likelihood of kernel vulnerability attacks. However, kernel memory corruption can still occur via the execution of malicious kernel code at the kernel layer. This is because the vulnerable kernel code and the attack target kernel code or kernel data are located in the same kernel address space. To gain complete control of a host, adversaries focus on kernel code invocations, such as function pointers that rely on the starting points of the kernel protection methods. To mitigate such subversion attacks, this paper presents multiple kernel memory (MKM), which employs an alternative design for kernel address space separation. The MKM mechanism focuses on the isolation granularity of the kernel address space during each execution of the kernel code. MKM provides two kernel address spaces, namely, i) the trampoline kernel address space, which acts as the gateway feature between user and kernel modes and ii) the security kernel address space, which utilizes the localization of the kernel protection methods (i.e., kernel observation). Additionally, MKM achieves the encapsulation of the vulnerable kernel code to prevent access to the kernel code invocations of the separated kernel address space. The evaluation results demonstrated that MKM can protect the kernel code and kernel data from a proof-of-concept kernel vulnerability that could lead to kernel memory corruption. In addition, the performance results of MKM indicate that the system call overhead latency ranges from 0.020 μs to 0.5445 μs, while the web application benchmark ranges from 196.27 μs to 6,685.73 μs for each download access of 100,000 Hypertext Transfer Protocol sessions. MKM attained a 97.65% system benchmark score and a 99.76% kernel compilation time.</Abstract>
    <CoiStatement>No potential conflict of interest relevant to this article was reported.</CoiStatement>
    <ObjectList>
      <Object Type="keyword">
        <Param Name="value">Memory corruption</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">kernel vulnerability</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">system security</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">operating system</Param>
      </Object>
    </ObjectList>
    <ReferenceList/>
  </Article>
  <Article>
    <Journal>
      <PublisherName>Springer International Publishing</PublisherName>
      <JournalTitle>Acta Medica Okayama</JournalTitle>
      <Issn>0302-9743</Issn>
      <Volume>12583</Volume>
      <Issue/>
      <PubDate PubStatus="ppublish">
        <Year>2020</Year>
        <Month/>
      </PubDate>
    </Journal>
    <ArticleTitle>Accessibility Service Utilization Rates in Android Applications Shared on Twitter</ArticleTitle>
    <FirstPage LZero="delete"/>
    <LastPage/>
    <Language>EN</Language>
    <AuthorList>
      <Author>
        <FirstName EmptyYN="N">Shuichi</FirstName>
        <LastName>Ichioka</LastName>
        <Affiliation>Graduate School of Natural Science and Technology, Okayama University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Estelle</FirstName>
        <LastName>Pouget</LastName>
        <Affiliation>Graduate School of Natural Science and Technology, Okayama University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Takao</FirstName>
        <LastName>Mimura</LastName>
        <Affiliation>Graduate School of Natural Science and Technology, Okayama University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Jun</FirstName>
        <LastName>Nakajima</LastName>
        <Affiliation>Graduate School of Natural Science and Technology, Okayama University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Toshihiro</FirstName>
        <LastName>Yamauchi</LastName>
        <Affiliation>Graduate School of Natural Science and Technology, Okayama University</Affiliation>
      </Author>
    </AuthorList>
    <PublicationType/>
    <ArticleIdList>
      <ArticleId IdType="doi"/>
    </ArticleIdList>
    <Abstract>The number of malware detected has been increasing annually, and 4.12% of malware reported in 2018 attacked Android phones. Therefore, preventing attacks by Android malware is critically important. Several previous studies have investigated the percentage of apps that utilize accessibility services and are distributed from Google Play, that have been reportedly used by Android malware. However, the Social Networking Services (SNSs) that are used to spread malware have distributed apps not only from Google Play but also from other sources. Therefore, apps distributed from within and outside of Google Play must be investigated to capture malware trends. In this study, we collected apps shared on Twitter in 2018, which is a representative SNS, and created a Twitter shared apps dataset. The dataset consists of 32,068 apps downloaded from the websites of URLs collected on Twitter. We clarified the proportion of apps that contained malware and the proportion of apps utilizing accessibility services. We found that both the percentage of malware and the percentage of total apps using accessibility services have been increasing. Notably, the percentages of malware and un-suspicious apps using accessibility services were quite similar. Therefore, this problem cannot be solved by automatically blocking all apps that use accessibility services. Hence, specific countermeasures against malware using accessibility services will be increasingly important for online security in the future.</Abstract>
    <CoiStatement>No potential conflict of interest relevant to this article was reported.</CoiStatement>
    <ObjectList>
      <Object Type="keyword">
        <Param Name="value">Accessibility Service</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">Android App</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">Malware</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">SNS</Param>
      </Object>
    </ObjectList>
    <ReferenceList/>
  </Article>
  <Article>
    <Journal>
      <PublisherName>IEEE</PublisherName>
      <JournalTitle>Acta Medica Okayama</JournalTitle>
      <Issn/>
      <Volume/>
      <Issue/>
      <PubDate PubStatus="ppublish">
        <Year>2018</Year>
        <Month/>
      </PubDate>
    </Journal>
    <ArticleTitle>Mitigating Use-after-Free Attack Using Library Considering Size and Number of Freed Memory</ArticleTitle>
    <FirstPage LZero="delete">398</FirstPage>
    <LastPage>404</LastPage>
    <Language>EN</Language>
    <AuthorList>
      <Author>
        <FirstName EmptyYN="N">Yuya</FirstName>
        <LastName>Ban</LastName>
        <Affiliation/>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Toshihiro</FirstName>
        <LastName>Yamauchi</LastName>
        <Affiliation>Graduate School of Natural Science and Technology, Okayama University</Affiliation>
      </Author>
    </AuthorList>
    <PublicationType/>
    <ArticleIdList>
      <ArticleId IdType="doi"/>
    </ArticleIdList>
    <Abstract>Use-after-free (UAF) vulnerabilities, which are abused by exploiting a dangling pointer that refers to freed memory, can lead to the execution of arbitrary code. The vulnerability is caused by a bug in a program. In particular, it is contained in a large-scale program such as a browser. HeapRevolver [1] [2], which prohibits a freed memory area from being reused for a certain period, has been proposed. HeapRevolver in Windows uses the number of the freed memory areas whose reuse is prohibited as a trigger to release the freed memory area. In other words, HeapRevolver uses the number of the freed memory areas as a threshold for releasing. However, when the size of individual freed memory areas is large, the HeapRevolver on Windows increases the memory overhead. In this paper, we propose an improved HeapRevolver for Windows considering the size and number of the freed memory areas. The improved HeapRevolver makes it possible to prohibit the reuse of a certain number of the freed memory areas at any time by using the size and number of the freed memory areas as a threshold. The evaluation results show that the improved HeapRevolver can prevent attacks that exploit UAF vulnerabilities. In particular, when the size of individual freed memory areas is small in the programs, it is effective in decreasing the attack success rate.</Abstract>
    <CoiStatement>No potential conflict of interest relevant to this article was reported.</CoiStatement>
    <ObjectList>
      <Object Type="keyword">
        <Param Name="value">Security</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">Use-After-Free</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">dangling pointer</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">memory allocation</Param>
      </Object>
    </ObjectList>
    <ReferenceList/>
  </Article>
  <Article>
    <Journal>
      <PublisherName>ACM</PublisherName>
      <JournalTitle>Acta Medica Okayama</JournalTitle>
      <Issn/>
      <Volume/>
      <Issue/>
      <PubDate PubStatus="ppublish">
        <Year>2018</Year>
        <Month/>
      </PubDate>
    </Journal>
    <ArticleTitle>Web access monitoring mechanism for Android webview</ArticleTitle>
    <FirstPage LZero="delete">1</FirstPage>
    <LastPage/>
    <Language>EN</Language>
    <AuthorList>
      <Author>
        <FirstName EmptyYN="N">Yuta</FirstName>
        <LastName>Imamura</LastName>
        <Affiliation>Okayama University, Okayama, Japan</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Hiroyuki</FirstName>
        <LastName>Uekawa</LastName>
        <Affiliation>Okayama University, Okayama, Japan</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Yasuhiro</FirstName>
        <LastName>Ishihara</LastName>
        <Affiliation>Okayama University, Okayama, Japan</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Masaya</FirstName>
        <LastName>Sato</LastName>
        <Affiliation>Okayama University, Okayama, Japan</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Toshihiro</FirstName>
        <LastName>Yamauchi</LastName>
        <Affiliation>Okayama University, Okayama, Japan</Affiliation>
      </Author>
    </AuthorList>
    <PublicationType/>
    <ArticleIdList>
      <ArticleId IdType="doi"/>
    </ArticleIdList>
    <Abstract>In addition to conventional web browsers, WebView is used to display web content on Android. WebView is a component that enables the display of web content in mobile applications, and is extensively used. As WebView displays web content without having to redirect the user to web browsers, there is the possibility that unauthorized web access may be performed secretly via WebView, and information in Android may be stolen or tampered with. Therefore, it is necessary to monitor and analyze web access via WebView, particularly because attacks exploiting WebView have been reported. However, there is no mechanism for monitoring web access via WebView. In this work, the goals are to monitor web access via WebView and to analyze mobile applications using WebView. To achieve these goals, we propose a web access monitoring mechanism for Android WebView. In this paper, the design and implementation of a mechanism that does not require any modifications to the Android Framework and Linux kernel are presented for the Chromium Android System WebView app. In addition, this paper presents evaluation results for the proposed mechanism.</Abstract>
    <CoiStatement>No potential conflict of interest relevant to this article was reported.</CoiStatement>
    <ObjectList>
      <Object Type="keyword">
        <Param Name="value">Android</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">WebView</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">Web access monitoring</Param>
      </Object>
    </ObjectList>
    <ReferenceList/>
  </Article>
  <Article>
    <Journal>
      <PublisherName>Information Processing Society of Japan</PublisherName>
      <JournalTitle>Acta Medica Okayama</JournalTitle>
      <Issn>1882-6652</Issn>
      <Volume>26</Volume>
      <Issue/>
      <PubDate PubStatus="ppublish">
        <Year>2018</Year>
        <Month/>
      </PubDate>
    </Journal>
    <ArticleTitle>Access Control Mechanism to Mitigate Cordova Plugin Attacks in Hybrid Applications</ArticleTitle>
    <FirstPage LZero="delete">396</FirstPage>
    <LastPage>405</LastPage>
    <Language>EN</Language>
    <AuthorList>
      <Author>
        <FirstName EmptyYN="N">Naoki</FirstName>
        <LastName>Kudo</LastName>
        <Affiliation>Graduate School of Natural Science and Technology, Okayama University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Toshihiro</FirstName>
        <LastName>Yamauchi</LastName>
        <Affiliation>Graduate School of Natural Science and Technology, Okayama University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Thomas H.</FirstName>
        <LastName>Austin</LastName>
        <Affiliation>San Jose State University</Affiliation>
      </Author>
    </AuthorList>
    <PublicationType/>
    <ArticleIdList>
      <ArticleId IdType="doi"/>
    </ArticleIdList>
    <Abstract>Hybrid application frameworks such as Cordova are more and more popular to create platform-independent applications (apps) because they provide special APIs to access device resources in a platform-agnostic way. By using these APIs, hybrid apps can access device resources through JavaScript. In this paper, we present a novel app-repackaging attack that repackages hybrid apps with malicious code; this code can exploit Cordova's plugin interface to steal and tamper with device resources. We address this attack and cross-site scripting attacks against hybrid apps. Since these attacks need to use plugins to access device resources, we refer to both of these attacks as Cordova plugin attacks. We further demonstrate a defense against Cordova plugin attacks through the use of a novel runtime access control mechanism that restricts access based on the mobile user's judgement. Our mechanism is easy to introduce to existing Cordova apps, and allows developers to produce apps that are resistant to Cordova plugin attacks. Moreover, we evaluate the effectiveness and performance of our mechanism.</Abstract>
    <CoiStatement>No potential conflict of interest relevant to this article was reported.</CoiStatement>
    <ObjectList>
      <Object Type="keyword">
        <Param Name="value">hybrid Application</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">Android</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">Access Control</Param>
      </Object>
    </ObjectList>
    <ReferenceList/>
  </Article>
  <Article>
    <Journal>
      <PublisherName>IEEE</PublisherName>
      <JournalTitle>Acta Medica Okayama</JournalTitle>
      <Issn>1550-445X</Issn>
      <Volume/>
      <Issue/>
      <PubDate PubStatus="ppublish">
        <Year>2017</Year>
        <Month/>
      </PubDate>
    </Journal>
    <ArticleTitle>Access Control for Plugins in Cordova-Based Hybrid Applications</ArticleTitle>
    <FirstPage LZero="delete">1063</FirstPage>
    <LastPage>1069</LastPage>
    <Language>EN</Language>
    <AuthorList>
      <Author>
        <FirstName EmptyYN="N">Naoki</FirstName>
        <LastName>Kudo</LastName>
        <Affiliation>Graduate School of Natural Science and Technology, Okayama University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Toshihiro</FirstName>
        <LastName>Yamauchi</LastName>
        <Affiliation>Graduate School of Natural Science and Technology, Okayama University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Thomas H.</FirstName>
        <LastName>Austin</LastName>
        <Affiliation>San Jose State University</Affiliation>
      </Author>
    </AuthorList>
    <PublicationType/>
    <ArticleIdList>
      <ArticleId IdType="doi"/>
    </ArticleIdList>
    <Abstract>Hybrid application frameworks such as Cordova allow mobile application (app) developers to create platform-independent apps. The code is written in JavaScript, with special APIs to access device resources in a platform-agnostic way. In this paper, we present a novel app-repackaging attack that repackages hybrid apps with malicious code; this code can exploit Cordova’s plugin interface to tamper with device resources. We further demonstrate a defense against this attack through the use of a novel runtime access control mechanism that restricts access based on the mobile user’s judgement. Our mechanism is easy to introduce to existing Cordova apps, and allows developers to produce apps that are resistant to app-repackaging attacks.</Abstract>
    <CoiStatement>No potential conflict of interest relevant to this article was reported.</CoiStatement>
    <ObjectList/>
    <ReferenceList/>
  </Article>
  <Article>
    <Journal>
      <PublisherName>Institute of Electronics, Information and Communications Engineers (IEICE)</PublisherName>
      <JournalTitle>Acta Medica Okayama</JournalTitle>
      <Issn>0916-8532</Issn>
      <Volume>E100.D</Volume>
      <Issue>10</Issue>
      <PubDate PubStatus="ppublish">
        <Year>2017</Year>
        <Month/>
      </PubDate>
    </Journal>
    <ArticleTitle>Kernel Rootkits Detection Method by Monitoring Branches Using Hardware Features</ArticleTitle>
    <FirstPage LZero="delete">2377</FirstPage>
    <LastPage>2381</LastPage>
    <Language>EN</Language>
    <AuthorList>
      <Author>
        <FirstName EmptyYN="N">Toshihiro</FirstName>
        <LastName>Yamauchi</LastName>
        <Affiliation>Graduate School of Natural Science and Technology, Okayama University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Yohei</FirstName>
        <LastName>Akao</LastName>
        <Affiliation>Graduate School of Natural Science and Technology, Okayama University</Affiliation>
      </Author>
    </AuthorList>
    <PublicationType/>
    <ArticleIdList>
      <ArticleId IdType="doi"/>
    </ArticleIdList>
    <Abstract>An operating system is an essential piece of software that manages hardware and software resources. Thus, attacks on an operating system kernel using kernel rootkits pose a particularly serious threat. Detecting an attack is difficult when the operating system kernel is infected with a kernel rootkit. For this reason, handling an attack will be delayed causing an increase in the amount of damage done to a computer system. In this paper, we propose Kernel Rootkits Guard (KRGuard), which is a new method to detect kernel rootkits that monitors branch records in the kernel space. Since many kernel rootkits make branches that differ from the usual branches in the kernel space, KRGuard can detect these differences by using the hardware features of commodity processors. Our evaluation shows that KRGuard can detect kernel rootkits that involve new branches in the system call handler processing with small overhead.</Abstract>
    <CoiStatement>No potential conflict of interest relevant to this article was reported.</CoiStatement>
    <ObjectList>
      <Object Type="keyword">
        <Param Name="value">kernel rootkit detection</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">last branch record</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">operating system</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">system security</Param>
      </Object>
    </ObjectList>
    <ReferenceList/>
  </Article>
  <Article>
    <Journal>
      <PublisherName>Institute of Electronics, Information and Communications Engineers (IEICE)</PublisherName>
      <JournalTitle>Acta Medica Okayama</JournalTitle>
      <Issn>0916-8532</Issn>
      <Volume>E100.D</Volume>
      <Issue>10</Issue>
      <PubDate PubStatus="ppublish">
        <Year>2017</Year>
        <Month/>
      </PubDate>
    </Journal>
    <ArticleTitle>Mitigating Use-After-Free Attacks Using Memory-Reuse-Prohibited Library</ArticleTitle>
    <FirstPage LZero="delete">2295</FirstPage>
    <LastPage>2306</LastPage>
    <Language>EN</Language>
    <AuthorList>
      <Author>
        <FirstName EmptyYN="N">Toshihiro</FirstName>
        <LastName>Yamauchi</LastName>
        <Affiliation>Graduate School of Natural Science and Technology, Okayama University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Yuta</FirstName>
        <LastName>Ikegami</LastName>
        <Affiliation>Graduate School of Natural Science and Technology, Okayama University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Yuya</FirstName>
        <LastName>Ban</LastName>
        <Affiliation>Graduate School of Natural Science and Technology, Okayama University</Affiliation>
      </Author>
    </AuthorList>
    <PublicationType/>
    <ArticleIdList>
      <ArticleId IdType="doi"/>
    </ArticleIdList>
    <Abstract>Recently, there has been an increase in use-after-free (UAF) vulnerabilities, which are exploited using a dangling pointer that refers to a freed memory. In particular, large-scale programs such as browsers often include many dangling pointers, and UAF vulnerabilities are frequently exploited by drive-by download attacks. Various methods to prevent UAF attacks have been proposed. However, only a few methods can effectively prevent UAF attacks during runtime with low overhead. In this paper, we propose HeapRevolver, which is a novel UAF attack-prevention method that delays and randomizes the timing of release of freed memory area by using a memory-reuse-prohibited library, which prohibits a freed memory area from being reused for a certain period. The first condition for reuse is that the total size of the freed memory area is beyond the designated size. The threshold for the conditions of reuse of the freed memory area can be randomized by HeapRevolver. Furthermore, we add a second condition for reuse in which the freed memory area is merged with an adjacent freed memory area before release. Furthermore, HeapRevolver can be applied without modifying the target programs. In this paper, we describe the design and implementation of HeapRevolver in Linux and Windows, and report its evaluation results. The results show that HeapRevolver can prevent attacks that exploit existing UAF vulnerabilities. In addition, the overhead is small.</Abstract>
    <CoiStatement>No potential conflict of interest relevant to this article was reported.</CoiStatement>
    <ObjectList/>
    <ReferenceList/>
  </Article>
  <Article>
    <Journal>
      <PublisherName>IEEE</PublisherName>
      <JournalTitle>Acta Medica Okayama</JournalTitle>
      <Issn/>
      <Volume/>
      <Issue/>
      <PubDate PubStatus="ppublish">
        <Year>2016</Year>
        <Month/>
      </PubDate>
    </Journal>
    <ArticleTitle>KRGuard: Kernel Rootkits Detection Method by Monitoring Branches Using Hardware Features</ArticleTitle>
    <FirstPage LZero="delete">22</FirstPage>
    <LastPage>26</LastPage>
    <Language>EN</Language>
    <AuthorList>
      <Author>
        <FirstName EmptyYN="N">Yohei</FirstName>
        <LastName>Akao</LastName>
        <Affiliation>Graduate School of Natural Science and Technology, Okayama University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Toshihiro</FirstName>
        <LastName>Yamauchi</LastName>
        <Affiliation>Graduate School of Natural Science and Technology, Okayama University</Affiliation>
      </Author>
    </AuthorList>
    <PublicationType/>
    <ArticleIdList>
      <ArticleId IdType="doi"/>
    </ArticleIdList>
    <Abstract>Attacks on an operating system kernel using kernel rootkits pose a particularly serious threat. Detecting an attack is difficult when the operating system kernel is infected with a kernel rootkit. For this reason, handling an attack will be delayed causing an increase in the amount of damage done to a computer system. In this paper, we discuss KRGuard (Kernel Rootkits Guard), which is a new method to detect kernel rootkits that monitors branch records in the kernel space. Since many kernel rootkits make branches that differ from the usual branches in the kernel space, KRGuard can detect these differences by using hardware features of commodity processors. Our evaluation shows that KRGuard can detect kernel rootkits with small overhead.</Abstract>
    <CoiStatement>No potential conflict of interest relevant to this article was reported.</CoiStatement>
    <ObjectList>
      <Object Type="keyword">
        <Param Name="value">Security</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">operating system</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">kernel rootkit</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">last branch record</Param>
      </Object>
    </ObjectList>
    <ReferenceList/>
  </Article>
  <Article>
    <Journal>
      <PublisherName>IEEE</PublisherName>
      <JournalTitle>Acta Medica Okayama</JournalTitle>
      <Issn>2379-1888</Issn>
      <Volume/>
      <Issue/>
      <PubDate PubStatus="ppublish">
        <Year>2016</Year>
        <Month/>
      </PubDate>
    </Journal>
    <ArticleTitle>Memory Access Monitoring and Disguising of Process Information to Avoid Attacks to Essential Services</ArticleTitle>
    <FirstPage LZero="delete">635</FirstPage>
    <LastPage>641</LastPage>
    <Language>EN</Language>
    <AuthorList>
      <Author>
        <FirstName EmptyYN="N">Masaya</FirstName>
        <LastName>Sato</LastName>
        <Affiliation>Graduate School of Natural Science and Technology, Okayama University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Toshihiro</FirstName>
        <LastName>Yamauchi</LastName>
        <Affiliation>Graduate School of Natural Science and Technology, Okayama University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Hideo</FirstName>
        <LastName>Taniguchi</LastName>
        <Affiliation>Graduate School of Natural Science and Technology, Okayama University</Affiliation>
      </Author>
    </AuthorList>
    <PublicationType/>
    <ArticleIdList>
      <ArticleId IdType="doi"/>
    </ArticleIdList>
    <Abstract>To prevent attacks on essential software and to mitigate damage, an attack avoiding method that complicates process identification from attackers is proposed. This method complicates the identification of essential services by replacing process information with dummy information. However, this method allows attackers to identify essential processes by detecting changes in process information. To address this problem and provide more complexity to process identification, this paper proposes a memory access monitoring by using a virtual machine monitor. By manipulating the page access permission, a virtual machine monitor detects page access, which includes process information, and replaces it with dummy information. This paper presents the design, implementation, and evaluation of the proposed method.</Abstract>
    <CoiStatement>No potential conflict of interest relevant to this article was reported.</CoiStatement>
    <ObjectList>
      <Object Type="keyword">
        <Param Name="value">avoidance</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">process information</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">virtualization</Param>
      </Object>
    </ObjectList>
    <ReferenceList/>
  </Article>
  <Article>
    <Journal>
      <PublisherName>ACM</PublisherName>
      <JournalTitle>Acta Medica Okayama</JournalTitle>
      <Issn/>
      <Volume/>
      <Issue/>
      <PubDate PubStatus="ppublish">
        <Year>2016</Year>
        <Month/>
      </PubDate>
    </Journal>
    <ArticleTitle>Plate : persistent memory management for nonvolatile main memory</ArticleTitle>
    <FirstPage LZero="delete">1885</FirstPage>
    <LastPage>1892</LastPage>
    <Language>EN</Language>
    <AuthorList>
      <Author>
        <FirstName EmptyYN="N">Toshihiro</FirstName>
        <LastName>Yamauchi</LastName>
        <Affiliation>Okayama University, Okayama, Japan</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Yuta</FirstName>
        <LastName>Yamamoto</LastName>
        <Affiliation>Okayama University, Okayama, Japan</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Kengo</FirstName>
        <LastName>Nagai</LastName>
        <Affiliation>Okayama University, Okayama, Japan</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Tsukasa</FirstName>
        <LastName>Matono</LastName>
        <Affiliation>Kyushu University, Fukuoka, Japan</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Shinji</FirstName>
        <LastName>Inamoto</LastName>
        <Affiliation>Kyushu University, Fukuoka, Japan</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Masaya</FirstName>
        <LastName>Ichikawa</LastName>
        <Affiliation>Kyushu University, Fukuoka, Japan</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Masataka</FirstName>
        <LastName>Goto</LastName>
        <Affiliation>Kyushu University, Fukuoka, Japan</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Hideo</FirstName>
        <LastName>Taniguchi</LastName>
        <Affiliation>Okayama University, Okayama, Japan</Affiliation>
      </Author>
    </AuthorList>
    <PublicationType/>
    <ArticleIdList>
      <ArticleId IdType="doi"/>
    </ArticleIdList>
    <Abstract>Over the past few years, nonvolatile memory has actively been researched and developed. Therefore, studying operating system (OS) designs predicated on the main memory in the form of a nonvolatile memory and studying methods to manage persistent data in a virtual memory are crucial to encourage the widespread use of nonvolatile memory in the future. However, the main memory in most computers today is volatile, and replacing high-capacity main memory with nonvolatile memory is extremely cost-prohibitive.
This paper proposes an OS structure for nonvolatile main memory. The proposed OS structure consists of three functions to study and develop OSs for nonvolatile main memory computers. First, a structure, which is called plate, is proposed whereby persistent data are managed assuming that nonvolatile main memory is present in a computer. Second, we propose a persistent-data mechanism to make a volatile memory function as nonvolatile main memory, which serves as a basis for the development of OSs for computers with nonvolatile main memory. Third, we propose a continuous operation control using the persistent-data mechanism and plates. This paper describes the design and implementation of the OS structure based on the three functions on The ENduring operating system for Distributed EnviRonment and describes the evaluation results of the proposed functions.</Abstract>
    <CoiStatement>No potential conflict of interest relevant to this article was reported.</CoiStatement>
    <ObjectList>
      <Object Type="keyword">
        <Param Name="value">Operating system</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">Persistent mechanism</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">Nonvolatile main memory</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">Memory management</Param>
      </Object>
    </ObjectList>
    <ReferenceList/>
  </Article>
  <Article>
    <Journal>
      <PublisherName>Institute of Electronics, Information and Communications Engineers (IEICE)</PublisherName>
      <JournalTitle>Acta Medica Okayama</JournalTitle>
      <Issn>0916-8532</Issn>
      <Volume>E99.D</Volume>
      <Issue>12</Issue>
      <PubDate PubStatus="ppublish">
        <Year>2016</Year>
        <Month/>
      </PubDate>
    </Journal>
    <ArticleTitle>Rule-Based Sensor Data Aggregation System for M2M Gateways</ArticleTitle>
    <FirstPage LZero="delete">2943</FirstPage>
    <LastPage>2955</LastPage>
    <Language>EN</Language>
    <AuthorList>
      <Author>
        <FirstName EmptyYN="N">Yuichi</FirstName>
        <LastName>Nakamura</LastName>
        <Affiliation>Hitachi, Ltd.</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Akira</FirstName>
        <LastName>Moriguchi</LastName>
        <Affiliation>Hitachi Solutions, Ltd.</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Masanori</FirstName>
        <LastName>Irie</LastName>
        <Affiliation>Hitachi Solutions, Ltd.</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Taizo</FirstName>
        <LastName>Kinoshita</LastName>
        <Affiliation>Hitachi, Ltd.</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Toshihiro</FirstName>
        <LastName>Yamauchi</LastName>
        <Affiliation>Graduate School of Natural Science and Technology at Okayama University</Affiliation>
      </Author>
    </AuthorList>
    <PublicationType/>
    <ArticleIdList>
      <ArticleId IdType="doi"/>
    </ArticleIdList>
    <Abstract>To reduce the server load and communication costs of machine-to-machine (M2M) systems, sensor data are aggregated in M2M gateways. Aggregation logic is typically programmed in the C language and embedded into the firmware. However, developing aggregation programs is difficult for M2M service providers because it requires gateway-specific knowledge and consideration of resource issues, especially RAM usage. In addition, modification of aggregation logic requires the application of firmware updates, which are risky. We propose a rule-based sensor data aggregation system, called the complex sensor data aggregator (CSDA), for M2M gateways. The functions comprising the data aggregation process are subdivided into the categories of filtering, statistical calculation, and concatenation. The proposed CSDA supports this aggregation process in three steps: the input, periodic data processing, and output steps. The behaviors of these steps are configured by an XML-based rule. The rule is stored in the data area of flash ROM and is updatable through the Internet without the need for a firmware update. In addition, in order to keep within the memory limit specified by the M2M gateway’s manufacturer, the number of threads and the size of the working memory are static after startup, and the size of the working memory can be adjusted by configuring the sampling setting of a buffer for sensor data input. The proposed system is evaluated in an M2M gateway experimental environment. Results show that developing CSDA configurations is much easier than using C because the configuration decreases by 10%. In addition, the performance evaluation demonstrates the proposed system’s ability to operate on M2M gateways.</Abstract>
    <CoiStatement>No potential conflict of interest relevant to this article was reported.</CoiStatement>
    <ObjectList>
      <Object Type="keyword">
        <Param Name="value">M2M gateway</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">sensor data aggregation</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">in memory processing</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">IoT(the Internet of Things)</Param>
      </Object>
    </ObjectList>
    <ReferenceList/>
  </Article>
  <Article>
    <Journal>
      <PublisherName>Springer Science and Business Media LLC</PublisherName>
      <JournalTitle>Acta Medica Okayama</JournalTitle>
      <Issn>0920-8542</Issn>
      <Volume>72</Volume>
      <Issue>5</Issue>
      <PubDate PubStatus="ppublish">
        <Year>2016</Year>
        <Month/>
      </PubDate>
    </Journal>
    <ArticleTitle>Evaluation and design of function for tracing diffusion of classified information for file operations with KVM</ArticleTitle>
    <FirstPage LZero="delete">1841</FirstPage>
    <LastPage>1861</LastPage>
    <Language>EN</Language>
    <AuthorList>
      <Author>
        <FirstName EmptyYN="N">Shota</FirstName>
        <LastName>Fujii</LastName>
        <Affiliation>Graduate School of Natural Science and Technology, Okayama University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Masaya</FirstName>
        <LastName>Sato</LastName>
        <Affiliation>Graduate School of Natural Science and Technology, Okayama University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Toshihiro</FirstName>
        <LastName>Yamauchi</LastName>
        <Affiliation/>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Hideo</FirstName>
        <LastName>Taniguchi</LastName>
        <Affiliation>Graduate School of Natural Science and Technology, Okayama University</Affiliation>
      </Author>
    </AuthorList>
    <PublicationType/>
    <ArticleIdList>
      <ArticleId IdType="doi"/>
    </ArticleIdList>
    <Abstract>Cases of classified information leakage have become increasingly common. To address this problem, we have developed a function for tracing the diffusion of classified information within an operating system. However, this function suffers from the following two problems: first, in order to introduce the function, the operating system's source code must be modified. Second, there is a risk that the function will be disabled when the operating system is attacked. Thus, we have designed a function for tracing the diffusion of classified information in a guest operating system by using a virtual machine monitor. By using a virtual machine monitor, we can introduce the proposed function in various environments without modifying the operating system's source code. In addition, attacks aimed at the proposed function are made more difficult, because the virtual machine monitor is isolated from the operating system. In this paper, we describe the implementation of the proposed function for file operations and child process creation in the guest operating system with a kernel-based virtual machine. Further, we demonstrate the traceability of diffusing classified information by file operations and child process creation. We also report the logical lines of code required to introduce the proposed function and performance overheads.</Abstract>
    <CoiStatement>No potential conflict of interest relevant to this article was reported.</CoiStatement>
    <ObjectList>
      <Object Type="keyword">
        <Param Name="value">Information Leak Prevention</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">Virtualization</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">Semantic Gap</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">VMM</Param>
      </Object>
    </ObjectList>
    <ReferenceList/>
  </Article>
  <Article>
    <Journal>
      <PublisherName>Conference Publishing Services, IEEE Computer Society</PublisherName>
      <JournalTitle>Acta Medica Okayama</JournalTitle>
      <Issn/>
      <Volume/>
      <Issue/>
      <PubDate PubStatus="ppublish">
        <Year>2021</Year>
        <Month/>
      </PubDate>
    </Journal>
    <ArticleTitle>Analysis of commands of Telnet logs illegally connected to IoT devices</ArticleTitle>
    <FirstPage LZero="delete">913</FirstPage>
    <LastPage>915</LastPage>
    <Language>EN</Language>
    <AuthorList>
      <Author>
        <FirstName EmptyYN="N">Toshihiro</FirstName>
        <LastName>Yamauchi</LastName>
        <Affiliation>Graduate School of Natural Science and Technology Okayama University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Ryota</FirstName>
        <LastName>Yoshimoto</LastName>
        <Affiliation>Graduate School of Natural Science and Technology Okayama University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Takahiro</FirstName>
        <LastName>Baba</LastName>
        <Affiliation>Graduate School of Natural Science and Technology Okayama University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Katsunari</FirstName>
        <LastName>Yoshioka</LastName>
        <Affiliation>Graduate School of Environment and Information Sciences / Institute of Advanced Sciences Yokohama National University</Affiliation>
      </Author>
    </AuthorList>
    <PublicationType/>
    <ArticleIdList>
      <ArticleId IdType="doi"/>
    </ArticleIdList>
    <Abstract>Mirai is an active malware that targets and poses constant threats to IoT devices. IoT malware penetrates IoT devices illegally, makes them download other malware such as bots, and infects them. Therefore, to improve the security of IoT devices, it is important to analyze the behaviors of IoT malware and take countermeasures. In this study, to analyze the behaviors of IoT malware after entering IoT devices and propose new security functions for operating systems to prevent activities such as IoT malware infection, we analyze Telnet logs collected by a honeypot of IoT devices. Thereafter, we report the analysis results regarding IoT malware input commands. The results show that many commands related to shell execution, file download, changing file permissions, and file transfer, are often executed by IoT malware.</Abstract>
    <CoiStatement>No potential conflict of interest relevant to this article was reported.</CoiStatement>
    <ObjectList>
      <Object Type="keyword">
        <Param Name="value">IoT</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">malware</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">Telnet log</Param>
      </Object>
    </ObjectList>
    <ReferenceList/>
  </Article>
  <Article>
    <Journal>
      <PublisherName>Springer</PublisherName>
      <JournalTitle>Acta Medica Okayama</JournalTitle>
      <Issn>1615-5262</Issn>
      <Volume>20</Volume>
      <Issue/>
      <PubDate PubStatus="ppublish">
        <Year>2021</Year>
        <Month/>
      </PubDate>
    </Journal>
    <ArticleTitle>Web access monitoring mechanism via Android WebView for threat analysis</ArticleTitle>
    <FirstPage LZero="delete">833</FirstPage>
    <LastPage>847</LastPage>
    <Language>EN</Language>
    <AuthorList>
      <Author>
        <FirstName EmptyYN="N">Yuta</FirstName>
        <LastName>Imamura</LastName>
        <Affiliation>Graduate School of Natural Science and Technology, Okayama University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Rintaro</FirstName>
        <LastName>Orito</LastName>
        <Affiliation>Graduate School of Natural Science and Technology, Okayama University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Hiroyuki</FirstName>
        <LastName>Uekawa</LastName>
        <Affiliation>Graduate School of Natural Science and Technology, Okayama University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Kritsana</FirstName>
        <LastName>Chaikaew</LastName>
        <Affiliation>Faculty of Engineering, Kasetsart University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Pattara</FirstName>
        <LastName>Leelaprute</LastName>
        <Affiliation>Faculty of Engineering, Kasetsart University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Masaya</FirstName>
        <LastName>Sato</LastName>
        <Affiliation>Graduate School of Natural Science and Technology</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Toshihiro</FirstName>
        <LastName>Yamauchi</LastName>
        <Affiliation>Graduate School of Natural Science and Technology, Okayama University</Affiliation>
      </Author>
    </AuthorList>
    <PublicationType/>
    <ArticleIdList>
      <ArticleId IdType="doi"/>
    </ArticleIdList>
    <Abstract>Many Android apps employ WebView, a component that enables the display of web content in the apps without redirecting users to web browser apps. However, WebView might also be used for cyberattacks. Moreover, to the best of our knowledge, although some countermeasures based on access control have been reported for attacks exploiting WebView, no mechanism for monitoring web access via WebView has been proposed and no analysis results focusing on web access via WebView are available. In consideration of this limitation, we propose a web access monitoring mechanism for Android WebView to analyze web access via WebView and clarify attacks exploiting WebView. In this paper, we present the design and implementation of this mechanism by modifying Chromium WebView without any modifications to the Android framework or Linux kernel. The evaluation results of the performance achieved on introducing the proposed mechanism are also presented here. Moreover, the result of threat analysis of displaying a fake virus alert while browsing websites on Android is discussed to demonstrate the effectiveness of the proposed mechanism.</Abstract>
    <CoiStatement>No potential conflict of interest relevant to this article was reported.</CoiStatement>
    <ObjectList>
      <Object Type="keyword">
        <Param Name="value">Android</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">WebView</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">Web access monitoring</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">Web security</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">Threat analysis</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">Fake virus alert</Param>
      </Object>
    </ObjectList>
    <ReferenceList/>
  </Article>
  <Article>
    <Journal>
      <PublisherName>USENIX Association</PublisherName>
      <JournalTitle>Acta Medica Okayama</JournalTitle>
      <Issn/>
      <Volume>23</Volume>
      <Issue/>
      <PubDate PubStatus="ppublish">
        <Year>2009</Year>
        <Month/>
      </PubDate>
    </Journal>
    <ArticleTitle>SEEdit: SELinux Security Policy Configuration System with Higher Level Language</ArticleTitle>
    <FirstPage LZero="delete">107</FirstPage>
    <LastPage>117</LastPage>
    <Language>EN</Language>
    <AuthorList>
      <Author>
        <FirstName EmptyYN="N">Yuichi</FirstName>
        <LastName>Nakamura</LastName>
        <Affiliation>Hitachi Software Engineering Co., Ltd.</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Yoshiki</FirstName>
        <LastName>Sameshima</LastName>
        <Affiliation>Hitachi Software Engineering Co., Ltd.</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Toshihiro</FirstName>
        <LastName>Tabata</LastName>
        <Affiliation>Okayama University</Affiliation>
      </Author>
    </AuthorList>
    <PublicationType/>
    <ArticleIdList>
      <ArticleId IdType="doi"/>
    </ArticleIdList>
    <Abstract>Security policy for SELinux is usually created by customizing a sample policy called refpolicy. However, describing and verifying security policy configurations is difficult because in refpolicy, there are more than 100,000 lines of configurations, thousands of elements such as permissions, macros and labels. The memory footprint of refpolicy, which is around 5MB, is also a problem for resource constrained devices. We propose a security policy configuration system SEEdit which facilitates creating security policy by a higher level language called SPDL and SPDL tools. SPDL reduces the number of permissions by integrated permissions and removes label configurations. SPDL tools generate security policy configurations from access logs and tool user’s knowledge about applications. Experimental results on an embedded system and a PC system show that practical security policies are created by SEEdit, i.e., describing configurations is semiautomated, created security policies are composed of less than 500 lines of configurations, 100 configuration elements, and the memory footprint in the embedded system is less than 500KB.</Abstract>
    <CoiStatement>No potential conflict of interest relevant to this article was reported.</CoiStatement>
    <ObjectList>
      <Object Type="keyword">
        <Param Name="value">security</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">security policy</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">configuration</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">SELinux</Param>
      </Object>
    </ObjectList>
    <ReferenceList/>
  </Article>
  <Article>
    <Journal>
      <PublisherName>The Institute of Electronics, Information and Communication Engineers</PublisherName>
      <JournalTitle>Acta Medica Okayama</JournalTitle>
      <Issn>1745-1361</Issn>
      <Volume>E98D</Volume>
      <Issue>4</Issue>
      <PubDate PubStatus="ppublish">
        <Year>2015</Year>
        <Month/>
      </PubDate>
    </Journal>
    <ArticleTitle>Access Control to Prevent Malicious JavaScript Code Exploiting Vulnerabilities of WebView in Android OS</ArticleTitle>
    <FirstPage LZero="delete">807</FirstPage>
    <LastPage>811</LastPage>
    <Language>EN</Language>
    <AuthorList>
      <Author>
        <FirstName EmptyYN="N">Jing</FirstName>
        <LastName>Yu</LastName>
        <Affiliation>Graduate School of Natural Science and Technology, Okayama University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Toshihiro</FirstName>
        <LastName>Yamauchi</LastName>
        <Affiliation>Graduate School of Natural Science and Technology, Okayama University</Affiliation>
      </Author>
    </AuthorList>
    <PublicationType/>
    <ArticleIdList>
      <ArticleId IdType="doi"/>
    </ArticleIdList>
    <Abstract>Android applications that use WebView can load and display web pages. Interaction with web pages allows JavaScript code within the web pages to access resources on the Android device by using the Java object, which is registered into WebView. If this WebView feature were exploited by an attacker, JavaScript code could be used to launch attacks, such as stealing from or tampering with personal information in the device. To address these threats, we propose an access control on the security-sensitive APIs at the Java object level. The proposed access control uses static analysis to identify these security-sensitive APIs, detects threats at runtime, and notifies the user if threats are detected, thereby preventing attacks from web pages.</Abstract>
    <CoiStatement>No potential conflict of interest relevant to this article was reported.</CoiStatement>
    <ObjectList>
      <Object Type="keyword">
        <Param Name="value">Android</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">WebView</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">static analysis</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">access control</Param>
      </Object>
    </ObjectList>
    <ReferenceList/>
  </Article>
  <Article>
    <Journal>
      <PublisherName>Springer</PublisherName>
      <JournalTitle>Acta Medica Okayama</JournalTitle>
      <Issn/>
      <Volume>2016</Volume>
      <Issue/>
      <PubDate PubStatus="ppublish">
        <Year>2016</Year>
        <Month/>
      </PubDate>
    </Journal>
    <ArticleTitle>HeapRevolver: Delaying and Randomizing Timing of Release of Freed Memory Area to Prevent Use-After-Free Attacks</ArticleTitle>
    <FirstPage LZero="delete">219</FirstPage>
    <LastPage>234</LastPage>
    <Language>EN</Language>
    <AuthorList>
      <Author>
        <FirstName EmptyYN="N">Toshihiro</FirstName>
        <LastName>Yamauchi</LastName>
        <Affiliation>Graduate School of Natural Science and Technology, Okayama University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Yuta</FirstName>
        <LastName>Ikegami</LastName>
        <Affiliation>Graduate School of Natural Science and Technology, Okayama University</Affiliation>
      </Author>
    </AuthorList>
    <PublicationType/>
    <ArticleIdList>
      <ArticleId IdType="doi"/>
    </ArticleIdList>
    <Abstract>Recently, there has been an increase in use-after-free (UAF) vulnerabilities, which are exploited using a dangling pointer that refers to a freed memory. Various methods to prevent UAF attacks have been proposed. However, only a few methods can effectively prevent UAF attacks during runtime with low overhead. In this paper, we propose HeapRevolver, which is a novel UAF attack-prevention method that delays and randomizes the timing of release of freed memory area by using a memory-reuse-prohibited library, which prohibits a freed memory area from being reused for a certain period. In this paper, we describe the design and implementation of HeapRevolver in Linux and Windows, and report its evaluation results. The results show that HeapRevolver can prevent attacks that exploit existing UAF vulnerabilities. In addition, the overhead is small.</Abstract>
    <CoiStatement>No potential conflict of interest relevant to this article was reported.</CoiStatement>
    <ObjectList>
      <Object Type="keyword">
        <Param Name="value">Use-after-free (UAF) vulnerabilities</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">UAF attack-prevention</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">Memory-reuse-prohibited library</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">System security</Param>
      </Object>
    </ObjectList>
    <ReferenceList/>
  </Article>
  <Article>
    <Journal>
      <PublisherName>IEEE</PublisherName>
      <JournalTitle>Acta Medica Okayama</JournalTitle>
      <Issn/>
      <Volume/>
      <Issue/>
      <PubDate PubStatus="ppublish">
        <Year>2013</Year>
        <Month/>
      </PubDate>
    </Journal>
    <ArticleTitle>Access Control to Prevent Attacks Exploiting Vulnerabilities of WebView in Android OS</ArticleTitle>
    <FirstPage LZero="delete">1628</FirstPage>
    <LastPage>1633</LastPage>
    <Language>EN</Language>
    <AuthorList>
      <Author>
        <FirstName EmptyYN="N">Jing</FirstName>
        <LastName>Yu</LastName>
        <Affiliation>Graduate School of Natural Science and Technology, Okayama University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Toshihiro</FirstName>
        <LastName>Yamauchi</LastName>
        <Affiliation>Graduate School of Natural Science and Technology, Okayama University</Affiliation>
      </Author>
    </AuthorList>
    <PublicationType/>
    <ArticleIdList>
      <ArticleId IdType="doi"/>
    </ArticleIdList>
    <Abstract>Android applications that use WebView can load and display web pages. Furthermore, by using the APIs provided in WebView, Android applications can interact with web pages. The interaction allows JavaScript code within the web pages to access resources on the Android device by using the Java object, which is registered into WebView. If this WebView feature were exploited by an attacker, JavaScript code could be used to launch attacks, such as stealing from or tampering with personal information in the device. To address these threats, we propose a method that performs access control on the security-sensitive APIs at the Java object level. The proposed method uses static analysis to identify these security-sensitive APIs, detects threats at runtime, and notifies the user if threats are detected, thereby preventing attacks from web pages.</Abstract>
    <CoiStatement>No potential conflict of interest relevant to this article was reported.</CoiStatement>
    <ObjectList>
      <Object Type="keyword">
        <Param Name="value">Java</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">Androids</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">Humanoid robots</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">Web pages</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">Smart phones</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">Assembly</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">Browsers</Param>
      </Object>
    </ObjectList>
    <ReferenceList/>
  </Article>
  <Article>
    <Journal>
      <PublisherName>IEEE</PublisherName>
      <JournalTitle>Acta Medica Okayama</JournalTitle>
      <Issn/>
      <Volume>2008</Volume>
      <Issue/>
      <PubDate PubStatus="ppublish">
        <Year>2008</Year>
        <Month/>
      </PubDate>
    </Journal>
    <ArticleTitle>Design and Evaluation of a Bayesian-filter-based Image Spam Filtering Method</ArticleTitle>
    <FirstPage LZero="delete">46</FirstPage>
    <LastPage>51</LastPage>
    <Language>EN</Language>
    <AuthorList>
      <Author>
        <FirstName EmptyYN="N">Masahiro</FirstName>
        <LastName>Uemura</LastName>
        <Affiliation>Graduate School of Natural Science and Technology, Okayama University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Toshihiro</FirstName>
        <LastName>Tabata</LastName>
        <Affiliation>Graduate School of Natural Science and Technology, Okayama University</Affiliation>
      </Author>
    </AuthorList>
    <PublicationType/>
    <ArticleIdList>
      <ArticleId IdType="doi"/>
    </ArticleIdList>
    <Abstract>In recent years, with the spread of the Internet, the number of spam e-mails has become one of the most serious problems. A recent report reveals that 91% of all e-mail exchanged in 2006 was spam. Using the Bayesian filter is a popular approach to distinguish between spam and legitimate e-mails. It applies the Bayes theory to identify spam. This filter proffers high filtering precision and is capable of detecting spam as per personal preferences. However, the number of image spam, which contains the spam message as an image, has been increasing rapidly. The Bayesian filter is not capable of distinguishing between image spam and legitimate e-mails since it learns from and examines only text data. Therefore, in this study, we propose an anti-image spam technique that uses image information such as file size. This technique can be easily implemented on the existing Bayesian filter. In addition, we report the results of the evaluations of this technique.</Abstract>
    <CoiStatement>No potential conflict of interest relevant to this article was reported.</CoiStatement>
    <ObjectList>
      <Object Type="keyword">
        <Param Name="value">image spam</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">bayesian filter</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">image information</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">token</Param>
      </Object>
    </ObjectList>
    <ReferenceList/>
  </Article>
  <Article>
    <Journal>
      <PublisherName>Springer</PublisherName>
      <JournalTitle>Acta Medica Okayama</JournalTitle>
      <Issn/>
      <Volume/>
      <Issue/>
      <PubDate PubStatus="ppublish">
        <Year>2020</Year>
        <Month/>
      </PubDate>
    </Journal>
    <ArticleTitle>MKM: Multiple Kernel Memory for Protecting Page Table Switching Mechanism Against Memory Corruption</ArticleTitle>
    <FirstPage LZero="delete">97</FirstPage>
    <LastPage>116</LastPage>
    <Language>EN</Language>
    <AuthorList>
      <Author>
        <FirstName EmptyYN="N">Hiroki</FirstName>
        <LastName>Kuzuno</LastName>
        <Affiliation>Graduate School of Natural Science and Technology, Okayama University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Toshihiro</FirstName>
        <LastName>Yamauchi</LastName>
        <Affiliation>Graduate School of Natural Science and Technology, Okayama University</Affiliation>
      </Author>
    </AuthorList>
    <PublicationType/>
    <ArticleIdList>
      <ArticleId IdType="doi"/>
    </ArticleIdList>
    <Abstract>Countermeasures against kernel vulnerability attacks on an operating system (OS) are highly important kernel features. Some kernels adopt several kernel protection methods such as mandatory access control, kernel address space layout randomization, control flow integrity, and kernel page table isolation; however, kernel vulnerabilities can still be exploited to execute attack codes and corrupt kernel memory. To accomplish this, adversaries subvert kernel protection methods and invoke these kernel codes to avoid administrator privileges restrictions and gain complete control of the target host. To prevent such subversion, we present Multiple Kernel Memory (MKM), which offers a novel security mechanism using an alternative design for kernel memory separation that was developed to reduce the kernel attack surface and mitigate the effects of illegal data manipulation in the kernel memory. The proposed MKM is capable of isolating kernel memory and dedicates the trampoline page table for a gateway of page table switching and the security page table for kernel protection methods. The MKM encloses the vulnerable kernel code in the kernel page table. The MKM mechanism achieves complete separation of the kernel code execution range of the virtual address space on each page table. It ensures that vulnerable kernel code does not interact with different page tables. Thus, the page table switching of the trampoline and the kernel protection methods of the security page tables are protected from vulnerable kernel code in other page tables. An evaluation of MKM indicates that it protects the kernel code and data on the trampoline and security page tables from actual kernel vulnerabilities that lead to kernel memory corruption. In addition, the performance results show that the overhead is 0.020 μs to 0.5445 μs in terms of the system call latency, and the application overhead average is 196.27 μs to 6,685.73 μs for each download access of 100,000 Hypertext Transfer Protocol sessions.</Abstract>
    <CoiStatement>No potential conflict of interest relevant to this article was reported.</CoiStatement>
    <ObjectList/>
    <ReferenceList/>
  </Article>
  <Article>
    <Journal>
      <PublisherName>Springer</PublisherName>
      <JournalTitle>Acta Medica Okayama</JournalTitle>
      <Issn/>
      <Volume/>
      <Issue/>
      <PubDate PubStatus="ppublish">
        <Year>2020</Year>
        <Month/>
      </PubDate>
    </Journal>
    <ArticleTitle>Improvement and Evaluation of a Function for Tracing the Diffusion of Classified Information on KVM</ArticleTitle>
    <FirstPage LZero="delete">338</FirstPage>
    <LastPage>349</LastPage>
    <Language>EN</Language>
    <AuthorList>
      <Author>
        <FirstName EmptyYN="N">Hideaki</FirstName>
        <LastName>Moriyama</LastName>
        <Affiliation>National Institute of Technology, Ariake College</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Toshihiro</FirstName>
        <LastName>Yamauchi</LastName>
        <Affiliation>Graduate School of Natural Science and Technology, Okayama University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Masaya</FirstName>
        <LastName>Sato</LastName>
        <Affiliation>Graduate School of Natural Science and Technology, Okayama University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Hideo</FirstName>
        <LastName>Taniguchi</LastName>
        <Affiliation>Graduate School of Natural Science and Technology, Okayama University</Affiliation>
      </Author>
    </AuthorList>
    <PublicationType/>
    <ArticleIdList>
      <ArticleId IdType="doi"/>
    </ArticleIdList>
    <Abstract>The increasing amount of classified information currently being managed by personal computers has resulted in the leakage of such information to external computers, which is a major problem. To prevent such leakage, we previously proposed a function for tracing the diffusion of classified information in a guest operating system (OS) using a virtual machine monitor (VMM). The tracing function hooks a system call in the guest OS from the VMM and acquires the information. By analyzing the information on the VMM side, the tracing function makes it possible to notify the user of the diffusion of classified information. However, this function has a problem in that the administrator of the computer platform cannot grasp the transition of the diffusion of classified processes or file information. In this paper, we present the solution to this problem and report on its evaluation.</Abstract>
    <CoiStatement>No potential conflict of interest relevant to this article was reported.</CoiStatement>
    <ObjectList/>
    <ReferenceList/>
  </Article>
  <Article>
    <Journal>
      <PublisherName>Springer</PublisherName>
      <JournalTitle>Acta Medica Okayama</JournalTitle>
      <Issn>1615-5262</Issn>
      <Volume>20</Volume>
      <Issue/>
      <PubDate PubStatus="ppublish">
        <Year>2020</Year>
        <Month/>
      </PubDate>
    </Journal>
    <ArticleTitle>Additional kernel observer: privilege escalation attack prevention mechanism focusing on system call privilege changes</ArticleTitle>
    <FirstPage LZero="delete">461</FirstPage>
    <LastPage>473</LastPage>
    <Language>EN</Language>
    <AuthorList>
      <Author>
        <FirstName EmptyYN="N">Toshihiro</FirstName>
        <LastName>Yamauchi</LastName>
        <Affiliation>Graduate School of Natural Science and Technology, Okayama University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Yohei</FirstName>
        <LastName>Akao</LastName>
        <Affiliation>Graduate School of Natural Science and Technology, Okayama University. NTT Communications Corporation</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Ryota</FirstName>
        <LastName>Yoshitani</LastName>
        <Affiliation>Graduate School of Natural Science and Technology, Okayama University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Yuichi</FirstName>
        <LastName>Nakamura</LastName>
        <Affiliation>Hitachi Ltd.</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Masaki</FirstName>
        <LastName>Hashimoto</LastName>
        <Affiliation>Graduate School of Information Security, Institute of Information Security</Affiliation>
      </Author>
    </AuthorList>
    <PublicationType/>
    <ArticleIdList>
      <ArticleId IdType="doi"/>
    </ArticleIdList>
    <Abstract>Cyberattacks, especially attacks that exploit operating system vulnerabilities, have been increasing in recent years. In particular, if administrator privileges are acquired by an attacker through a privilege escalation attack, the attacker can operate the entire system and cause serious damage. In this paper, we propose an additional kernel observer (AKO) that prevents privilege escalation attacks that exploit operating system vulnerabilities. We focus on the fact that a process privilege can be changed only by specific system calls. AKO monitors privilege information changes during system call processing. If AKO detects a privilege change after system call processing, whereby the invoked system call does not originally change the process privilege, AKO regards the change as a privilege escalation attack and applies countermeasures against it. AKO can therefore prevent privilege escalation attacks. Introducing the proposed method in advance can prevent this type of attack by changing any process privilege that was not originally changed in a system call, regardless of the vulnerability type. In this paper, we describe the design and implementation of AKO for Linux x86 64-bit. Moreover, we show that AKO can be expanded to prevent the falsification of various data in the kernel space. Then, we present an expansion example that prevents the invalidation of Security-Enhanced Linux. Finally, our evaluation results show that AKO is effective against privilege escalation attacks, while maintaining low overhead.</Abstract>
    <CoiStatement>No potential conflict of interest relevant to this article was reported.</CoiStatement>
    <ObjectList>
      <Object Type="keyword">
        <Param Name="value">Privilege escalation attack prevention</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">Operating system</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">Linux kernel vulnerabilities</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">Non-control-data attack</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">System security</Param>
      </Object>
    </ObjectList>
    <ReferenceList/>
  </Article>
  <Article>
    <Journal>
      <PublisherName>Inderscience Enterprises</PublisherName>
      <JournalTitle>Acta Medica Okayama</JournalTitle>
      <Issn>20444893</Issn>
      <Volume>9</Volume>
      <Issue>1</Issue>
      <PubDate PubStatus="ppublish">
        <Year>2019</Year>
        <Month/>
      </PubDate>
    </Journal>
    <ArticleTitle>Design and implementation of hiding method for file manipulation of essential services by system call proxy using virtual machine monitor</ArticleTitle>
    <FirstPage LZero="delete">1</FirstPage>
    <LastPage>10</LastPage>
    <Language>EN</Language>
    <AuthorList>
      <Author>
        <FirstName EmptyYN="N">Masaya</FirstName>
        <LastName>Sato</LastName>
        <Affiliation>Graduate School of Natural Science and Technology, Okayama University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Hideo</FirstName>
        <LastName>Taniguchi</LastName>
        <Affiliation>Graduate School of Natural Science and Technology, Okayama University</Affiliation>
      </Author>
      <Author>
        <FirstName EmptyYN="N">Toshihiro</FirstName>
        <LastName>Yamauchi</LastName>
        <Affiliation>Graduate School of Natural Science and Technology, Okayama University</Affiliation>
      </Author>
    </AuthorList>
    <PublicationType/>
    <ArticleIdList>
      <ArticleId IdType="doi"/>
    </ArticleIdList>
    <Abstract>Security or system management software is essential for keeping systems secure. To deter attacks on essential services, hiding information related to essential services is helpful. This paper describes the design, the implementation, and the evaluation of a method to make files invisible to all services except their corresponding essential services and provides access methods to those files in a virtual machine (VM). In the proposed method, the virtual machine monitor (VMM) monitors the system call, which is invoked by an essential process to access essential files, and requests proxy execution to the proxy process on another VM. The VMM returns the result and skips the execution of the original system call on the protection target VM. Thus, access to essential files by the essential service is skipped on the protection target VM, but the essential service can access the file content.</Abstract>
    <CoiStatement>No potential conflict of interest relevant to this article was reported.</CoiStatement>
    <ObjectList>
      <Object Type="keyword">
        <Param Name="value">virtual machine monitor</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">file manipulation</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">system call proxy</Param>
      </Object>
      <Object Type="keyword">
        <Param Name="value">essential services</Param>
      </Object>
    </ObjectList>
    <ReferenceList/>
  </Article>
</ArticleSet>
