RKPM: Restricted Kernel Page Mechanism to Mitigate Privilege Escalation Attacks

Kernel memory corruption attacks against operating systems exploit kernel vulnerabilities to overwrite kernel data. Kernel address space layout randomization makes it difficult to identify kernel data by randomizing their virtual address space. Control flow integrity (CFI) prevents unauthorized kernel code execution by verifying kernel function calls. However, these countermeasures do not prohibit writing to kernel data. If the virtual address of privileged information is specified and CFI is circumvented, the privileged information can be modified by a kernel memory corruption attack. In this paper, we propose a restricted kernel page mechanism (RKPM) to mitigate kernel memory corruption attacks by introducing restricted kernel pages to protect the kernel data specified in the kernel. The RKPM focuses on the fact that kernel memory corruption attacks attempt to read the virtual addresses around the privileged information. The RKPM adopts page table mapping handling and a memory protection key to control the read and write restrictions of the restricted kernel pages. This allows us to mitigate kernel memory corruption attacks by capturing reads to the restricted kernel page before the privileged information is overwritten. As an evaluation of the RKPM, we confirmed that it can mitigate privilege escalation attacks on the latest Linux kernel. We also measured that there was a certain overhead in the kernel performance. This study enhances kernel security by mitigating privilege escalation attacks through the use of software or hardware based restricted kernel pages.

This is an Accepted Manuscript of a conference paper published by Springer Nature Singapore.

NSS 2024

Lecture Notes in Computer Science, volume 15564

This fulltext file will be available in Mar. 2026.