
A System To Detect Kernel Code-reuse Attacks With QEMU

Posted on: 2015-12-16
Degree: Master
Type: Thesis
Country: China
Candidate: K Cheng
GTID: 2308330464968048
Subject: Computer technology

Abstract/Summary:
Code-reuse attacks are a newer class of attack that needs no added code on the target system: the attacker builds a complete attack from existing (legitimate) code already present in the system's function libraries, and the damage is severe. Because no foreign code is introduced, a code-reuse attack bypasses a range of security inspection mechanisms, such as code integrity protection. Using a buffer overflow or similar technique, the attacker tampers with the target address of a jump instruction and so gains control over the system's flow of execution, and the variety of jump instructions gives rise to a corresponding variety of attacks. Researchers have developed methods to detect this kind of attack, but because attack techniques keep diversifying and the existing methods have compatibility problems, they still do not meet the needs of system security.

This work uses the QEMU virtual machine manager as its platform to protect the security of the kernel. Through studying QEMU, I mastered the principles of QEMU's dynamic binary translation and its TCG (Tiny Code Generator) intermediate code, and this helped greatly in designing and implementing a code-reuse attack detection system. Kernel code-reuse attacks mainly target the return address of jump instructions, and in this way take control of the instruction execution flow in the system, so the kernel's jump instructions must be monitored and checked; in the Linux kernel the relevant instructions are the return, call and interrupt instructions. The Linux kernel is started and run under the QEMU virtual machine manager. Because QEMU is based on binary translation, every instruction of the guest system passes through it, so we modify QEMU's functional modules to examine each instruction of the operating system kernel and identify the return, call and interrupt instructions. We then record each such instruction's jump target and compare the recorded information with the legal information, which makes code-reuse attack detection possible.

Finally, a prototype system was implemented on QEMU and the Linux operating system, and the prototype was subjected to output testing and performance testing. The test results show that the prototype can effectively record jump instructions whose targets were tampered with by a code-reuse attack, so an attacked system can be detected by comparison against the prototype system, and the performance overhead of the system is very small.
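The comparison step described above, as an added illustration that is not the thesis's own code: each recorded return, call or interrupt transfer is checked against legal information (a shadow record of expected return sites, a set of legal call entries and a set of registered interrupt handlers). In the real system these events would come from a hook in QEMU's translation of those instructions; here the event structure, the monitor, and all kernel addresses are constructed placeholders.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Kinds of kernel control transfer the translation hook records. */
typedef enum { EV_CALL, EV_RET, EV_INT } cf_kind;
/* One recorded transfer: instruction address, jump target and, for calls,
 * the address of the next instruction (the legitimate return site). */
typedef struct { cf_kind kind; uint64_t pc, target, next_pc; } cf_event;
#define SHADOW_MAX 64
typedef struct {
    uint64_t shadow[SHADOW_MAX]; size_t depth;   /* expected return targets   */
    const uint64_t *entries;  size_t n_entries;  /* legal call targets        */
    const uint64_t *handlers; size_t n_handlers; /* legal interrupt handlers  */
} cf_monitor;

static bool in_set(const uint64_t *set, size_t n, uint64_t v) {
    for (size_t i = 0; i < n; i++) if (set[i] == v) return true;
    return false;
}

/* Compare one recorded transfer with the legal information; false = suspected code reuse. */
bool cf_check(cf_monitor *m, const cf_event *e) {
    switch (e->kind) {
    case EV_CALL: /* target must be a function entry; remember where it should return */
        if (m->depth == SHADOW_MAX || !in_set(m->entries, m->n_entries, e->target)) return false;
        m->shadow[m->depth++] = e->next_pc;
        return true;
    case EV_RET:  /* return must go back to the matching recorded call site */
        return m->depth > 0 && e->target == m->shadow[--m->depth];
    case EV_INT:  /* interrupt must enter a registered handler */
        return in_set(m->handlers, m->n_handlers, e->target);
    }
    return false;
}

/* Replay a trace; returns the index of the first illegal transfer, or -1 if all are legal. */
int cf_replay(cf_monitor *m, const cf_event *trace, size_t n) {
    m->depth = 0;
    for (size_t i = 0; i < n; i++) if (!cf_check(m, &trace[i])) return (int)i;
    return -1;
}

/* Constructed sample data: the addresses are placeholders, not from any real kernel. */
static const uint64_t k_entries[]  = { 0xffffffff81001000ULL, 0xffffffff81002000ULL };
static const uint64_t k_handlers[] = { 0xffffffff81100000ULL };
cf_monitor k_monitor = { {0}, 0, k_entries, 2, k_handlers, 1 };
const cf_event good_trace[] = { /* legitimate call, interrupt and matching return */
    { EV_CALL, 0xffffffff81000010ULL, 0xffffffff81001000ULL, 0xffffffff81000015ULL },
    { EV_INT,  0xffffffff81001020ULL, 0xffffffff81100000ULL, 0 },
    { EV_RET,  0xffffffff81001030ULL, 0xffffffff81000015ULL, 0 } };
const cf_event bad_trace[] = { /* same call, but the return address was overwritten */
    { EV_CALL, 0xffffffff81000010ULL, 0xffffffff81001000ULL, 0xffffffff81000015ULL },
    { EV_RET,  0xffffffff81001030ULL, 0xffffffff81002345ULL, 0 } };
```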
Keywords/Search Tags: code-reuse attack, QEMU, buffer overflow, binary translation