Quantifiable run-time kernel attack surface reduction

Kurmus A, Dechand S, Kapitza R (2014)


Publication Type: Conference contribution

Publication year: 2014

Publisher: Springer Verlag

Book Volume: 8550 LNCS

Pages Range: 212-234

Conference Proceedings Title: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

Event location: GBR

ISBN: 9783319085081

DOI: 10.1007/978-3-319-08509-8_12

Abstract

The sheer size of commodity operating system kernels makes them a prime target for local attackers aiming to escalate privileges. At the same time, as much as 90% of kernel functions are not required for processing system calls originating from a typical network daemon. This results in an unnecessarily high exposure. In this paper, we introduce kRazor, an approach to reduce the kernel's attack surface by limiting the amount of kernel code accessible to an application. kRazor first traces individual kernel functions used by an application. kRazor can then detect and prevent uses of unnecessary kernel functions by a process. This step is implemented as a kernel module that instruments select kernel functions. A heuristic on the kernel function selection allows kRazor to have negligible performance overhead. We evaluate results under real-world workloads for four typical server applications. Results show that the performance overhead and false positives remain low, while the attack surface reduction can be as high as 80%. © 2014 Springer International Publishing.

How to cite

APA:

Kurmus, A., Dechand, S., & Kapitza, R. (2014). Quantifiable run-time kernel attack surface reduction. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (pp. 212-234). GBR: Springer Verlag.

MLA:

Kurmus, Anil, Sergej Dechand, and Rüdiger Kapitza. "Quantifiable run-time kernel attack surface reduction." Proceedings of the 11th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2014, GBR Springer Verlag, 2014. 212-234.
