Protection Of Kernel Control Data With Compiler

Posted on: 2015-02-11
Degree: Master
Type: Thesis
Country: China
Candidate: X Hu
Full Text: PDF
GTID: 2308330464970428
Subject: Computer system architecture
Abstract/Summary:
With the rapid development of network interconnection technology, network security and advanced network applications, modern operating systems (OSs) are vulnerable to various types of attacks. In particular, kernel-level rootkits have been a growing threat, due to their stealthy nature and omnipotent residence on a compromised system. To cope with these attacks, it is necessary to protect the kernel code and data of the operating system comprehensively. Static kernel code and static kernel data are relatively straightforward to protect due to their read-only nature and well-defined locations in kernel memory. Unfortunately, dynamic kernel data is much harder to protect due to its unpredictable memory location and volatile nature. As an important component of kernel data, kernel control data determines the entire control flow of the kernel, and it usually becomes the target of attackers. By rewriting control data (e.g., a function return address), an attacker is able to change the system's original control flow and redirect it to his own code or to a carefully crafted execution flow. In order to protect kernel control data comprehensively and effectively, we propose a new compiler-based scheme.
Specifically, an index mechanism for the operating system kernel is implemented by modifying the compiler at the source compilation stage. The scheme assigns an index to every piece of control data, and this index points to an entry of the table that collects all the valid jump addresses in the system. Through instruction conversion, when the program jumps, the corresponding jump table index, rather than the control data itself, is used to look up the jump table and obtain the valid jump address for indirect execution. Meanwhile, the scheme protects the jump table (e.g., by setting the pages that store the table to read-only) using the hypervisor (such as KVM), thereby protecting kernel control data.

To validate our approach, we have implemented a proof-of-concept prototype based on the open-source GCC compiler. Specifically, we have used our system to recompile a protected version of the Linux-3.11.1/x86-amd64 kernel. The protection is achieved by transforming 35828 direct call instructions, 2389 indirect call instructions, 14010 ret instructions and 1198 mov instructions, which occupy 8.39% of the entire kernel code base. The kernel size grows from 44.463 M to 44.960 M. After the transformation, our system forces these instructions to take only legal jump targets allowed by the kernel's control-flow graph. Our evaluation results indicate that our approach is generic, effective, and can be implemented on commodity hardware with a low performance overhead (5% based on benchmarks).
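The index-instead-of-pointer idea described above, as an added user-space C example (not code from the thesis or its GCC prototype). The handler names, `struct file_ops` and `call_by_index` are hypothetical; `const` data stands in for the hypervisor-enforced read-only pages, and the range check is an assumption of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int (*handler_t)(int);

/* Hypothetical handlers standing in for kernel functions. */
static int op_read(int x)  { return x + 1; }
static int op_write(int x) { return x * 2; }
static int op_close(int x) { return -x; }

/* Jump table: the only place real code addresses are stored. `const` puts it
 * in read-only data here; the thesis has the hypervisor write-protect it. */
static const handler_t jump_table[] = { op_read, op_write, op_close };
#define JT_ENTRIES (sizeof jump_table / sizeof jump_table[0])

/* Writable object: carries a table index where a code pointer used to be. */
struct file_ops { uint32_t handler_idx; };

/* Transformed indirect call. The range check is an assumption of this
 * example; the abstract does not say how invalid indices are handled. */
static int call_by_index(const struct file_ops *ops, int arg, int *ok)
{
    uint32_t idx = ops->handler_idx;
    if (idx >= JT_ENTRIES) { *ok = 0; return 0; }   /* not a legal target */
    *ok = 1;
    return jump_table[idx](arg);
}

/* Constructed corruption: fill the writable field with 0x41 bytes, as a
 * stray or hostile write would. Returns 1 if the call was refused. */
static int corrupted_call_is_refused(void)
{
    struct file_ops ops = { 1 };
    int ok;
    memset(&ops, 0x41, sizeof ops);
    (void)call_by_index(&ops, 21, &ok);
    return !ok;
}

int main(void)
{
    struct file_ops ops = { 1 };
    int ok, r = call_by_index(&ops, 21, &ok);
    printf("idx 1 -> %d (ok=%d)\n", r, ok);
    printf("corrupted index refused: %d\n", corrupted_call_is_refused());
    return 0;
}
```

Whatever value lands in the writable `handler_idx` field, control can only reach an address already stored in the read-only table, which is the property the scheme relies on.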
Keywords/Search Tags: control-flow graph, kernel control data, compiler-based, system design and implementation