A Lightweight Detection and Recovery Infrastructure of Kernel Objects for Embedded Systems

Abstract

The kernel objects consist of critical kernel data structures and system call functions, which are the most important data for a system, should be protected as first-class candidates. In this paper, a lightweight system-level detection and recovery infrastructure is presented for embedded systems. Inside the infrastructure, specific runtime protections have been implemented for different kernel objects, kernel data structures are protected by the periodic detection and recovery, the interception of arguments is used to protect vulnerable system calls. At runtime once any system inconsistency has been detected, predefined recovery actions will be invoked. The consistency detection regulations and corresponding recovery actions can also be flexibly customized by system developers. The infrastructure requires few modifications to kernel source code, thus it is easy to integrate into existing embedded systems. The evaluation experiment results indicate our prototype system can correctly detect the inconsistent kernel data structures caused by security attacks and also prevent kernel from exploits due to vulnerable system calls with acceptable penalty to system performance. Moreover, it is fully software-based without introducing any specific hardware and requires no modifications to system call APIs, therefore legacy commercial-off-the-shelf (COTS) applications can be also easily reused.