A practical online approach to protecting kernel heap buffers in kernel modules

Abstract

Heap overflow attack is one of the major memory corruption attacks that have become prevalent for decades. To defeat this attack, many protection methods are proposed in recent years. However, most of these existing methods focus on user-level heap overflow detection. Only a few methods are proposed for kernel heap protection. Moreover, all these kernel protection methods need modifying the existing OS kernel so that they may not be adopted in practice. To address this problem, we propose a lightweight virtualization-based solution that can protect the kernel heap buffers allocated for the target kernel modules. The key idea of our approach is to combine the static binary analysis and virtualization technology to trap a memory allocation operation of the target kernel module, and then add one secure canary word to the end of the allocated buffer. After that, a monitor process is launched to check the integrity of the canaries. The evaluations show that our system can detect kernel heap overflow attacks effectively with minimal performance cost.