ID 69010
Author
Kuzuno, Hiroki Graduate School of Engineering, Kobe University
Yamauchi, Toshihiro Okayama University, Faculty of Environmental, Life, Natural Science and Technology
Abstract
Privilege escalation attacks through memory corruption via kernel vulnerabilities pose significant threats to operating systems. Although the extended Berkeley Packet Filter has been employed to trace kernel code execution by inserting interrupts before and after kernel code invocations, it does not track operations before and after kernel data writes, which hinders effective kernel data monitoring. In this study, we introduce a kernel data monitor (kdMonitor), a novel security mechanism designed to detect unauthorized alterations of the monitored kernel data on a dedicated kernel page. kdMonitor incorporates two distinct methods. The first is periodic monitoring, which regularly outputs the monitored kernel data of the dedicated kernel pages. The second is dynamic monitoring, which restricts write access to a dedicated kernel page, supplements any write operation with a page fault, and outputs the monitored kernel data of the dedicated kernel pages. kdMonitor enables real-time tracking of specified kernel data on the dedicated kernel page residing in the kernel's virtual memory space from a separate machine. Using kdMonitor, we demonstrated its capability to pinpoint tampering with user process privilege information stemming from privilege escalation attacks on the kernel. Through an empirical evaluation, we validated the effectiveness of kdMonitor in detecting privilege escalation attacks by user processes on Linux. Performance assessments revealed that kdMonitor achieved an attack detection time of 0.83 seconds with an overhead of 0.726 %.
Keywords
Vulnerability countermeasure
Operating system security
System security
Note
© 2024 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.
This fulltext file will be available in Nov. 2026.
Published Date
2024-11-06
Publication Title
2024 IEEE Conference on Dependable and Secure Computing (DSC)
Publisher
IEEE
Start Page
66
End Page
73
ISBN
979-8-3315-4028-9
Content Type
Conference Paper
Related Url
isVersionOf https://doi.org/10.1109/dsc63325.2024.00022
Language
English
OAI-PMH Set
Okayama University
Copyright Holders
© 2024 IEEE.
File Version
author
DOI
Funding Information
23K24848: Research on foundational software that hinders attacks and is attack-resistant through per-device software configuration changes (独立行政法人日本学術振興会 / Japan Society for the Promotion of Science)
23K16882: Research on highly secure foundational software through attack execution prevention and attack target protection (独立行政法人日本学術振興会 / Japan Society for the Promotion of Science)
(公益財団法人電気通信普及財団 / Telecommunications Advancement Foundation)