{"title":"SelMon","authors":"Jinsoo Jang, Brent Byunghoon Kang","doi":"10.1145/3386901.3389023","DOIUrl":null,"url":null,"abstract":"Higher privileged trust anchors such as thin hypervisors and Trust-Zone have been adopted to protect mobile OSs. For instance, the Samsung Knox security platform implements a kernel integrity monitor based on a hardware-assisted virtualization technique for 64-bit devices. Although it protects the OS kernel integrity, the monitoring platform itself can be a target of attackers if it encompasses exploitable bugs. In this paper, we propose SelMon, a portable way of self-protecting kernel integrity monitors without introducing another higher privileged trust anchor. To this end, we first logically separate the regions of the integrity monitor into two parts: privileged and non-privileged regions. Then, we ensure that only the privileged region code can access the critical data objects that can be exploited to compromise the monitor integrity (e.g., the hypervisor page table). The non-critical operations in terms of preserving the monitor integrity are conducted in the non-privileged region. In addition to the privilege separation, we also illustrate how to utilize the general hardware features, watchpoint and data execution prevention (DEP), to ensure the robustness of the separation. In the evaluation, it was found that our approach imposes a negligible overhead of 2% in the worst case with SPEC CPU2006.","PeriodicalId":345029,"journal":{"name":"Proceedings of the 18th International Conference on Mobile Systems, Applications, and Services","volume":"2 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2020-06-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"6","resultStr":"{\"title\":\"SelMon\",\"authors\":\"Jinsoo Jang, Brent Byunghoon Kang\",\"doi\":\"10.1145/3386901.3389023\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Higher privileged trust anchors such as thin hypervisors and Trust-Zone have been adopted to protect mobile OSs. For instance, the Samsung Knox security platform implements a kernel integrity monitor based on a hardware-assisted virtualization technique for 64-bit devices. Although it protects the OS kernel integrity, the monitoring platform itself can be a target of attackers if it encompasses exploitable bugs. In this paper, we propose SelMon, a portable way of self-protecting kernel integrity monitors without introducing another higher privileged trust anchor. To this end, we first logically separate the regions of the integrity monitor into two parts: privileged and non-privileged regions. Then, we ensure that only the privileged region code can access the critical data objects that can be exploited to compromise the monitor integrity (e.g., the hypervisor page table). The non-critical operations in terms of preserving the monitor integrity are conducted in the non-privileged region. In addition to the privilege separation, we also illustrate how to utilize the general hardware features, watchpoint and data execution prevention (DEP), to ensure the robustness of the separation. In the evaluation, it was found that our approach imposes a negligible overhead of 2% in the worst case with SPEC CPU2006.\",\"PeriodicalId\":345029,\"journal\":{\"name\":\"Proceedings of the 18th International Conference on Mobile Systems, Applications, and Services\",\"volume\":\"2 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2020-06-15\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"6\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Proceedings of the 18th International Conference on Mobile Systems, Applications, and Services\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1145/3386901.3389023\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 18th International Conference on Mobile Systems, Applications, and Services","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3386901.3389023","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Higher privileged trust anchors such as thin hypervisors and Trust-Zone have been adopted to protect mobile OSs. For instance, the Samsung Knox security platform implements a kernel integrity monitor based on a hardware-assisted virtualization technique for 64-bit devices. Although it protects the OS kernel integrity, the monitoring platform itself can be a target of attackers if it encompasses exploitable bugs. In this paper, we propose SelMon, a portable way of self-protecting kernel integrity monitors without introducing another higher privileged trust anchor. To this end, we first logically separate the regions of the integrity monitor into two parts: privileged and non-privileged regions. Then, we ensure that only the privileged region code can access the critical data objects that can be exploited to compromise the monitor integrity (e.g., the hypervisor page table). The non-critical operations in terms of preserving the monitor integrity are conducted in the non-privileged region. In addition to the privilege separation, we also illustrate how to utilize the general hardware features, watchpoint and data execution prevention (DEP), to ensure the robustness of the separation. In the evaluation, it was found that our approach imposes a negligible overhead of 2% in the worst case with SPEC CPU2006.
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
