Detecting Exploit Code Execution in Loadable Kernel Modules

Tucson, Arizona December 06-December 10

DOI Bookmark:

http://doi.ieeecomputersociety.org/10.1109/CSAC.2004.18

20th Annual Computer Security Applica ...

	This Article
	PURCHASE ARTICLE: $19 PDF HTML IEEE Xplore Subscribers
	Share
	Email this Article to a friend
	Bibliographic References
	ASCII Text BibTex RefWorks Procite/RefMan/Endnote
	Add to:
	Digg Furl Spurl Blink Simpy Google Del.icio.us Y!MyWeb
	Search
	Similar Articles Articles by Haizhi Xu Articles by Wenliang Du Articles by Steve J. Chapin

	ASCII Text	x
	Haizhi Xu, Wenliang Du, Steve J. Chapin, "Detecting Exploit Code Execution in Loadable Kernel Modules," Computer Security Applications Conference, Annual, pp. 101-110, 20th Annual Computer Security Applications Conference (ACSAC'04), 2004.

	BibTex	x
	@article{ 10.1109/CSAC.2004.18, author = {Haizhi Xu and Wenliang Du and Steve J. Chapin}, title = {Detecting Exploit Code Execution in Loadable Kernel Modules}, journal ={Computer Security Applications Conference, Annual}, volume = {0}, year = {2004}, issn = {1063-9527}, pages = {101-110}, doi = {http://doi.ieeecomputersociety.org/10.1109/CSAC.2004.18}, publisher = {IEEE Computer Society}, address = {Los Alamitos, CA, USA}, }

	RefWorks Procite/RefMan/Endnote	x
	TY - CONF JO - Computer Security Applications Conference, Annual TI - Detecting Exploit Code Execution in Loadable Kernel Modules SN - 1063-9527 SP101 EP110 A1 - Haizhi Xu, A1 - Wenliang Du, A1 - Steve J. Chapin, PY - 2004 KW - null VL - 0 JA - Computer Security Applications Conference, Annual ER -

Haizhi Xu, Syracuse University, NY

Wenliang Du, Syracuse University, NY

Steve J. Chapin, Syracuse University, NY

In current extensible monolithic operating systems, loadable kernel modules (LKM) have unrestricted access to all portions of kernel memory and I/O space. As a result, kernel-module exploitation can jeopardize the integrity of the entire system. In this paper, we analyze the threat that comes from the implicit trust relationship between the operating system kernel and loadable kernel modules. We then present a specification-directed access monitoring tool-HECK, that detects kernel modules for malicious code execution. Inside the module, HECK prevents code execution on the kernel stack and the data sections; on the boundary, HECK restricts the module's access to only those kernel resources necessary for the module's operation. Our measurements show that our tool incurs 5-23% overhead on some I/O intensive applications using these modules.

Citation:

Haizhi Xu, Wenliang Du, Steve J. Chapin, "Detecting Exploit Code Execution in Loadable Kernel Modules," acsac, pp.101-110, 20th Annual Computer Security Applications Conference (ACSAC'04), 2004

Peer Review Notice | Give Us Feedback

Usage of this product signifies your acceptance of the Terms of Use.