Kernel Code Integrity Protection at the Physical Address Level on RISC-V

Abstract

An operating system kernel has the highest privilege in most computer systems, making its code integrity critical to the entire system’s security. Failure to protect the kernel code integrity allows an attacker to modify the kernel code pages directly or trick the kernel into executing instructions stored outside the kernel code pages. Existing prevention mechanisms rely on the memory management unit in which certain memory pages are marked as not-executable in supervisor mode to prevent such attacks. However, an attacker can bypass these existing mechanisms by directly manipulating the page table contents to mark the memory pages with malicious code as supervisor-executable. This paper shows that a small architectural extension enables a physical address-level mechanism to stop this threat without relying on page table integrity. PrivLock lets, at boot time, the kernel specifies the physical address ranges containing its code. At run time, PrivLock ensures that the content within the range is not manipulated and that only the instructions from those pages are executed while the processor runs in supervisor mode. Despite this protection, the kernel can still create new code pages ( <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">e.g</i> ., for loadable kernel modules) and make them executable with the help of PrivLock’s secure loader. The experimental results show that PrivLock incurs low performance (<0.5%), area (0.14–0.3%), and energy/power (0.053–2%) overhead.