Detecting Exploit Code Execution in Loadable Kernel Modules

Haizhi Xu
Syracuse University
USA

Steve Chapin
Syracuse University
USA

Wenliang Du
Syracuse University
USA

In current extensible monolithic operating systems, loadable kernel
modules (LKM) have unrestricted access to all portions of kernel
memory and I/O space. As a result, kernel module exploitation can
jeopardize the integrity of the entire system. This paper analyzes the
threat that arises from the implicit trust relationship between the
operating system kernel and loadable kernel modules, and presents HECK, a
specification-directed access monitoring tool that detects malicious
code execution in kernel modules. Inside the
module, HECK prevents code execution on the kernel stack and the data
sections; on the boundary, HECK restricts the module's access only to
those kernel resources necessary for the module's operation. Our
measurements show that our tool incurs 5--23% overhead on some I/O
intensive applications using these modules.

Keywords: Loadable kernel module, isolation, exploit code, code instrumentation
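The two rules the abstract sketches, no code execution from writable regions inside the module and boundary access limited to the resources the module's specification grants, can be approximated statically on the module image. The following is an added example, not code from the paper or from HECK (which the abstract describes as a runtime monitor): it parses a kernel module's ELF64 section headers and symbol table with the Python standard library, flags any section that is both writable and executable, and lists imported kernel symbols that fall outside an access specification. The sample module bytes, the symbol names in it, and the `NETDRV_SPEC` allow-list are constructed for this example and stand in for no real driver.

```python
"""Static policy check for a loadable kernel module (.ko).  Added example,
not code from the paper or HECK.  Two checks: in-module, no section may be
writable and executable at once; on the boundary, the module may import
only the kernel symbols its access specification lists.  The module bytes,
symbol names and spec below are constructed here so the check runs offline."""
import struct

SHT_PROGBITS, SHT_SYMTAB, SHT_STRTAB, SHT_NOBITS = 1, 2, 3, 8   # ELF section types
SHF_WRITE, SHF_ALLOC, SHF_EXECINSTR = 0x1, 0x2, 0x4           # ELF section flags
SHN_UNDEF = 0                                                 # symbol not defined in this object
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr (64 bytes)
SHDR = struct.Struct("<IIQQQQIIQQ")         # Elf64_Shdr (64 bytes)
SYM = struct.Struct("<IBBHQQ")              # Elf64_Sym  (24 bytes)


def _cstr(table, off):
    """NUL-terminated string at `off` in a string table."""
    return table[off:table.index(b"\0", off)].decode()


def parse_module(data):
    """Return ([(section name, type, flags)], {imported kernel symbol names})."""
    hdr = EHDR.unpack_from(data, 0)
    ident, shoff, shentsize, shnum, shstrndx = hdr[0], hdr[6], hdr[11], hdr[12], hdr[13]
    if ident[:4] != b"\x7fELF" or ident[4] != 2:
        raise ValueError("not a 64-bit ELF object")
    shdrs = [SHDR.unpack_from(data, shoff + i * shentsize) for i in range(shnum)]

    def body(sh):   # sh = (name, type, flags, addr, offset, size, link, info, align, entsize)
        return b"" if sh[1] == SHT_NOBITS else data[sh[4]:sh[4] + sh[5]]

    shstrtab = body(shdrs[shstrndx])
    sections = [(_cstr(shstrtab, sh[0]), sh[1], sh[2]) for sh in shdrs]
    imports = set()
    for sh in (s for s in shdrs if s[1] == SHT_SYMTAB):
        symtab, strtab = body(sh), body(shdrs[sh[6]])          # sh_link -> .strtab
        for off in range(SYM.size, len(symtab), SYM.size):     # entry 0 is the null symbol
            st_name, _info, _other, shndx, _value, _size = SYM.unpack_from(symtab, off)
            if shndx == SHN_UNDEF:                             # resolved by the kernel at load time
                imports.add(_cstr(strtab, st_name))
    return sections, imports


def check_policy(data, spec):
    """Violations of the two rules; two empty lists mean the module passes."""
    sections, imports = parse_module(data)
    rwx = [n for n, _t, f in sections if f & SHF_WRITE and f & SHF_EXECINSTR]
    return {"writable_executable": sorted(rwx),
            "imports_outside_spec": sorted(imports - spec)}


# --- constructed sample module (a stand-in, not a real driver) --------------
def _sec(name, stype, flags, data, link=0, info=0, entsize=0):
    return dict(name=name, type=stype, flags=flags, data=data,
                link=link, info=info, entsize=entsize)


def _build_elf(sections):
    """Assemble a minimal ET_REL ELF64 image; .shstrtab is appended last."""
    sections = sections + [_sec(".shstrtab", SHT_STRTAB, 0, b"")]
    shstr, name_off = bytearray(b"\0"), {}
    for s in sections:
        name_off[s["name"]] = len(shstr) if s["name"] else 0
        if s["name"]:
            shstr += s["name"].encode() + b"\0"
    sections[-1]["data"] = bytes(shstr)
    blob, hdrs = bytearray(EHDR.size), []
    for s in sections:
        off = len(blob)
        if s["type"] != SHT_NOBITS:            # .bss occupies no file bytes
            blob += s["data"]
        hdrs.append(SHDR.pack(name_off[s["name"]], s["type"], s["flags"], 0, off,
                              len(s["data"]), s["link"], s["info"], 1, s["entsize"]))
    shoff = len(blob)
    blob += b"".join(hdrs)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELFCLASS64, little-endian
    blob[:EHDR.size] = EHDR.pack(ident, 1, 62, 1, 0, 0, shoff, 0, EHDR.size, 0, 0,
                                 SHDR.size, len(sections), len(sections) - 1)
    return bytes(blob)


def build_sample_module():
    """Hypothetical network driver: imports one symbol outside its spec and
    carries a writable+executable data section (both constructed defects)."""
    strtab, syms = bytearray(b"\0"), [SYM.pack(0, 0, 0, 0, 0, 0)]

    def add_sym(name, shndx):
        syms.append(SYM.pack(len(strtab), 0x12, 0, shndx, 0, 0))   # STB_GLOBAL | STT_FUNC
        strtab.extend(name.encode() + b"\0")

    add_sym("netdrv_init", 1)                                  # defined in .text (index 1)
    for kernel_sym in ("printk", "kmalloc", "register_netdev", "vfs_read"):
        add_sym(kernel_sym, SHN_UNDEF)
    return _build_elf([
        _sec("", 0, 0, b""),                                   # mandatory null section
        _sec(".text", SHT_PROGBITS, SHF_ALLOC | SHF_EXECINSTR, b"\xc3" * 8),
        _sec(".data", SHT_PROGBITS, SHF_ALLOC | SHF_WRITE, b"\0" * 8),
        _sec(".bss", SHT_NOBITS, SHF_ALLOC | SHF_WRITE, b"\0" * 16),
        _sec(".data.rwx", SHT_PROGBITS, SHF_ALLOC | SHF_WRITE | SHF_EXECINSTR, b"\0" * 8),
        _sec(".symtab", SHT_SYMTAB, 0, b"".join(syms), link=6, info=1, entsize=SYM.size),
        _sec(".strtab", SHT_STRTAB, 0, bytes(strtab)),
    ])


# Access specification for the hypothetical driver: the kernel resources it needs.
NETDRV_SPEC = {"printk", "kmalloc", "kfree", "register_netdev", "unregister_netdev"}

if __name__ == "__main__":
    print(check_policy(build_sample_module(), NETDRV_SPEC))
```

Run against the constructed module, `check_policy` reports `.data.rwx` under `writable_executable` and `vfs_read` under `imports_outside_spec`; a module whose sections and imports match its specification yields two empty lists. The specification is deliberately per-module, as in the abstract's boundary rule: the same import that is legitimate for a filesystem module is a finding for a network driver.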
