Securing the IDT and the System Call Table from malicious LKMs

Pietro Stroia


Abstract:
Given that loadable kernel modules (LKMs) run at ring 0, is it really possible to prevent kernel-level attacks once the malicious code has started executing? Without a hypervisor or some other kind of virtualization technology (e.g. VT-x), results have in general not proved very successful, as Microsoft's PatchGuard technology has shown in past years.

My thesis, which provides a patch for Linux kernel version 3.2.51, aims at providing a security mechanism against synchronous malicious LKMs, that is, LKMs that carry out their attack in their initialization phase without deferring any work. Although the patch code is for IA-32-compatible Linux systems only, there are no major obstacles to porting it to other operating systems that support LKMs and run on at least the 80386 architecture. The rationale behind this work is that I personally had the “feeling” I could puzzle simple evil LKMs and let them believe they had successfully executed their attack, without using any kind of virtualization technology. The work, named the “YASI patch”, is meant as a small proof of concept running on top of an already secured system.

BibTeX Entry:

@mastersthesis{tStro12,
author = {Stroia, Pietro},
school = {Sapienza, University of Rome},
title = {Securing the IDT and the System Call Table from malicious LKMs},
year = {2012},
type = {mathesis},
comment = {Supervisor: F. Quaglia - Co-Supervisor: A. Pellegrini}
}