Kernel Code Integrity Protection Based on a Virtualized Memory Architecture
keywords: Kernel rootkit, security, integrity protection, virtualization, Harvard architecture
Kernel rootkits pose significant challenges on defensive techniques as they run at the highest privilege level along with the protection systems. Modern architectural approaches such as the NX protection have been used in mitigating attacks, however determined attackers can still bypass these defenses with specifically crafted payloads. In this paper, we propose a virtualized Harvard memory architecture to address the kernel code integrity problem, which virtually separates the code fetch and data access on the kernel code to prevent kernel from code modifications. We have implemented the proposed mechanism in commodity operating system, and the experimental results show that our approach is effective and incurs very low overhead.
reference: Vol. 32, 2013, No. 2, pp. 295–311